Idea ID: 2875549

implement rate-limiting on the push notification to overcome the attack of overwhelming push notifications with Smartphone method

Status: New Idea

With a compromised user account (password) it would be possible to start a push notification bombing attack with the goal that the user will finally run an "Accept" within the smartphone app giving full access to the user account.

Mitigating this kind of attack might be technical not easy but there are a few options

- rate-limiting on the push notifications (like it exists already on the OTP authenticator)

- machine learning and anomaly detection to identify unusual patterns of push notification requests (not easy to implement)

- of course:  awareness training

- 2FA to add another layer (as an options) like SMS