Use this rule to reduce the likelihood of a user acknowledging a malicious push notification as part of an MFA fatigue attack by limiting the number of push notifications the user can deny or ignore within a 24-hour period.
Specify an action from the list of allowed methods that are available, or choose to deny the user access. Then specify the time period for which the rule actions should be applied.
You can define an array of up to three push notification limits (subrules), and specify up to three actions that are triggered sequentially as the user reaches each limit. A rule defines the number of push notifications (ignored or denied) that must occur consecutively within a 24-hour period in order to trigger the rule action.
Each time the user authenticates successfully, the counter is reset.
For example, when applying the rule for 20 minutes:
- After 5 push notifications, the user must authenticate with a security key for a period of 20 mins.
- After 10 push notifications, the user must authenticate using biometrics, or number matching for a period of 20 mins.
- After 15 push notifications, the user is denied access for a period of 20 mins.
- By default, only one limit is shown, however up to three limits can be defined. If you select Deny for the first or second limit action, no further actions can be specified.
- If you are using PingOne DaVinci to orchestrate your PingID flows, this rule is not evaluated.
From within the relevant policy, click + Add Rule and from
the list, select Limit push notifications.
The Limit Push Notifications rule wizard open
To define a push notification limit:
In the After Push field, select the number of push
notifications after which the action is triggered, and then in the
Action field, select the action that is triggered
when the limit is reached. Choose from the following actions:
- Deny: Deny access after the number of push notifications is reached.
- Allowed Methods: Click Allowed Methods to reveal a list of authentication methods allowed by this policy, and then select the check box of each authentication method that you want to allow for this rule. See Rule authentication actions for description per authentication type.
- To add another push notification limit, click Add and repeat substep a.
- In the After Push field, select the number of push notifications after which the action is triggered, and then in the Action field, select the action that is triggered when the limit is reached. Choose from the following actions:
- In the Apply Rule Action For field, set a duration for the rule actions to be applied after they're triggered.
- Click Save.
- In the Policy list, click and drag the new policy and place it in the order in which you want it to be considered. Click Save Order.