I would expect that an engineer would recognize that (1) a massive volume of MFA notifications is extremely suspicious and should be reported immediately to security and (2) if they are trying to sleep they can just mute or turn off the phone. This was a major failure of training.
For a nontechnical employee I could get how they could not recognize this as an attack. But if you are getting annoying calls and don't know why, why not just unplug/turn off the phone?
On the other hand, slipping a single MFA notification in during the normal workday seems like a much better approach. Even if the employee doesn't accept the notification, they'd likely assume that it was a tab they opened earlier and closed before finishing the login, not something to report.
Personal responsibility is the weakest form of system improvement because it's guaranteed to vary between people. Expecting people to always behave perfectly within your scope is a recipe for disappointment!
The article already mentions the alternative of slipping in a low volume of MFA notifications instead as an alternative that is less suspicious. You only need one person to accept. And I think you overestimate how much attention engineers pay to any security or compliance type of training.
Worse, I assumed every 2FA provider did something to mitigate request spamming as soon as someone realised you could use a premium rate number back when SMS messages were commonly used instead of apps for 2FA.
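The two patterns the thread contrasts, a flood of push notifications versus a single push slipped in during the workday, call for different controls, and the provider-side "mitigate request spamming" point above is a third. The following is an added example (my own, not code from any commenter, Duo, or any MFA vendor) that runs three such controls over a constructed auth log: a sliding-window detector for push volume, a detector for an approval that follows repeated denials, and a provider-side rate limiter that stops issuing pushes once a user has received too many in a window. The log format, the event names (`push_sent`, `push_denied`, `push_approved`) and the thresholds are assumptions chosen for the example; note that the single-push case ("bob" below) evades the volume detector by design, which is why the other two controls are needed alongside it.

```python
"""Detection and rate limiting for MFA push bombing.

Added example, not code from any commenter or MFA vendor. The log format,
event names and thresholds below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log, one event per line: "<ISO timestamp> <user> <event>".
# alice: push bombing at 02:00, denies three times, then approves one.
# bob:   a single push during the workday, ignored (evades volume thresholds).
# carol: an ordinary login.
SAMPLE_LOG = """\
2024-03-01T02:10:01Z alice push_sent
2024-03-01T02:10:02Z alice push_denied
2024-03-01T02:10:20Z alice push_sent
2024-03-01T02:10:21Z alice push_denied
2024-03-01T02:10:40Z alice push_sent
2024-03-01T02:10:41Z alice push_denied
2024-03-01T02:11:00Z alice push_sent
2024-03-01T02:11:30Z alice push_sent
2024-03-01T02:12:00Z alice push_sent
2024-03-01T02:12:05Z alice push_approved
2024-03-01T09:00:00Z carol push_sent
2024-03-01T09:00:04Z carol push_approved
2024-03-01T14:22:10Z bob push_sent
"""


def parse_log(text):
    """Parse the constructed log into a time-sorted list of (ts, user, event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: peak number of push_sent events inside any `window`} for
    users whose peak reaches `threshold`. Sliding window over sorted timestamps."""
    sent = defaultdict(list)
    for ts, user, event in events:
        if event == "push_sent":
            sent[user].append(ts)
    flagged = {}
    for user, times in sent.items():
        recent = deque()
        peak = 0
        for ts in times:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def detect_approval_after_denials(events, min_denials=3, window=timedelta(minutes=30)):
    """Users who approved a push after at least `min_denials` denials in the
    preceding `window`: the signature of a worn-down user finally tapping Approve."""
    denials = defaultdict(deque)
    hits = set()
    for ts, user, event in events:
        q = denials[user]
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_denied":
            q.append(ts)
        elif event == "push_approved" and len(q) >= min_denials:
            hits.add(user)
    return hits


class PushRateLimiter:
    """Provider-side mitigation: refuse to issue another push once a user has
    received `max_pushes` within `window`, so a flood never reaches the phone."""

    def __init__(self, max_pushes=3, window=timedelta(minutes=10)):
        self.max_pushes = max_pushes
        self.window = window
        self.history = defaultdict(deque)

    def allow(self, user, ts):
        q = self.history[user]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False
        q.append(ts)
        return True


def replay_with_limiter(events, limiter):
    """Replay push_sent events through the limiter; return {user: pushes suppressed}."""
    suppressed = defaultdict(int)
    for ts, user, event in events:
        if event == "push_sent" and not limiter.allow(user, ts):
            suppressed[user] += 1
    return dict(suppressed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("push bombing:", detect_push_bombing(evs))              # {'alice': 6}
    print("approved after denials:", detect_approval_after_denials(evs))  # {'alice'}
    print("suppressed by limiter:", replay_with_limiter(evs, PushRateLimiter()))  # {'alice': 3}
```

The rate limiter is the control that addresses the commenter's point directly: the flood is stopped at the provider, and the suppressed count itself is a signal worth alerting on. The approval-after-denials check is cheap to run on existing push logs and catches the outcome the volume rule is trying to prevent, while the low-volume case still has to be covered by other means, such as number matching or tying a push to a session the user actually started.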
Congratulations if you have security that would recognize the issue and be able to do something about it other than just blame Duo somehow! In my experience most technical people don't actually recognize the problem, like many other real security issues, and are more like security theatre-goers.
> On the other hand, slipping a single MFA notification in during the normal workday seems like a much better approach. Even if the employee doesn't accept the notification, they'd likely assume that it was a tab they opened earlier and closed before finishing the login, not something to report.