Use this rule to reduce the likelihood of a user acknowledging a malicious push notification as part of an MFA fatigue attack by limiting the number of push notifications the user can deny or ignore within a 24-hour period.
For each limit, specify an action: either one of the allowed authentication methods that the user must use instead of push, or deny the user access. Then specify the time period for which the rule actions apply.
You can define up to three push notification limits (subrules), each with its own action; the actions are triggered sequentially as the user reaches each limit. Each limit defines the number of push notifications (ignored or denied) that must occur consecutively within a 24-hour period to trigger its action.
Each time the user authenticates successfully, the counter is reset.
For example, when the rule actions are applied for 20 minutes:
- After 5 push notifications, the user must authenticate with a security key for a period of 20 minutes.
- After 10 push notifications, the user must authenticate using biometrics or number matching for a period of 20 minutes.
- After 15 push notifications, the user is denied access for a period of 20 minutes.
By default, only one limit is shown, but up to three limits can be defined. If you select Deny as the action for the first or second limit, no further limits can be specified.
If you are using PingOne DaVinci to orchestrate your PingID flows, this rule is not evaluated.
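The following Python model is added here as an illustration and is not PingID's own code. It replays the rule semantics described above: consecutive ignored or denied pushes are counted per user, each limit triggers its action when the count reaches it, the action holds for the configured period, a successful authentication resets the counter, and Deny can only be the last limit. Two details the page does not spell out are assumptions in this model: the 24-hour period is treated as a sliding window, and an action already in force keeps running until it expires even after the counter is reset. The users `alice`, `bob` and `carol`, their events and the timestamps are constructed.

```python
"""Model of the 'limit push notifications' rule (added illustration, not PingID code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(hours=24)  # pushes are counted within a 24-hour period
DENY = "deny"


@dataclass(frozen=True)
class SubRule:
    limit: int    # consecutive ignored/denied pushes that trigger this action
    action: str   # allowed method the user must use instead, or DENY


class PushLimitRule:
    def __init__(self, subrules: list[SubRule], duration: timedelta):
        # Up to three subrules, ascending limits, and nothing after Deny.
        if not 1 <= len(subrules) <= 3:
            raise ValueError("between one and three limits are allowed")
        for prev, cur in zip(subrules, subrules[1:]):
            if cur.limit <= prev.limit:
                raise ValueError("limits must increase")
            if prev.action == DENY:
                raise ValueError("no further actions can follow Deny")
        self.subrules = subrules
        self.duration = duration
        # Per-user state: timestamps of consecutive ignored/denied pushes,
        # and the action currently enforced with its expiry time.
        self._strikes: dict[str, list[datetime]] = {}
        self._restriction: dict[str, tuple[str, datetime]] = {}

    def record(self, user: str, outcome: str, now: datetime) -> Optional[str]:
        """Record a push outcome ('approved', 'denied' or 'ignored') and return
        the action now in force for the user (None means a normal push is allowed)."""
        if outcome == "approved":
            # Successful authentication resets the counter. Assumption: an
            # action that has already been triggered runs until it expires.
            self._strikes.pop(user, None)
            return self.in_force(user, now)
        if outcome not in ("denied", "ignored"):
            raise ValueError(f"unknown outcome {outcome!r}")
        # Assumed sliding window: drop strikes older than 24h, then add this one.
        strikes = [t for t in self._strikes.get(user, []) if now - t < WINDOW]
        strikes.append(now)
        self._strikes[user] = strikes
        # Subrules fire sequentially as the count reaches each limit.
        for sr in self.subrules:
            if len(strikes) == sr.limit:
                self._restriction[user] = (sr.action, now + self.duration)
        return self.in_force(user, now)

    def in_force(self, user: str, now: datetime) -> Optional[str]:
        """Action currently imposed on the user, or None once it has lapsed."""
        entry = self._restriction.get(user)
        if entry is None:
            return None
        action, until = entry
        if now >= until:
            del self._restriction[user]
            return None
        return action


def demo() -> list:
    """Replay the page's 5/10/15, 20-minute example against constructed events."""
    rule = PushLimitRule(
        [SubRule(5, "security_key"),
         SubRule(10, "biometrics_or_number_matching"),
         SubRule(15, DENY)],
        duration=timedelta(minutes=20),
    )
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
    results = []
    for i in range(15):  # fifteen ignored pushes, one per second
        results.append(rule.record("alice", "ignored", t0 + timedelta(seconds=i)))
    # 20 minutes after the last push the Deny lapses and normal pushes resume
    results.append(rule.in_force("alice", t0 + timedelta(seconds=14, minutes=20)))
    return results


def demo_reset_and_window() -> tuple:
    """Constructed cases: a success resets the counter; strikes older than 24h age out."""
    rule = PushLimitRule([SubRule(2, "security_key")], timedelta(minutes=5))
    t = datetime(2024, 1, 1, 12, 0)
    a = rule.record("bob", "denied", t)
    rule.record("bob", "approved", t + timedelta(seconds=1))    # resets the count
    b = rule.record("bob", "denied", t + timedelta(seconds=2))  # count is 1, not 2
    c = rule.record("bob", "denied", t + timedelta(seconds=3))  # count reaches 2
    d = rule.record("carol", "denied", t)
    e = rule.record("carol", "denied", t + timedelta(hours=25))  # first strike aged out
    return a, b, c, d, e


if __name__ == "__main__":
    print(demo())
    print(demo_reset_and_window())
```

The `in_force` result is what an authentication flow would consult before offering a push: `None` means push is still allowed, a method name means that method must be used instead, and `deny` means the request is refused until the period expires. Note that approving a push resets the counter, so an attacker whose victim eventually approves a push is not limited by this rule; the rule only makes that approval less likely by cutting off repeated prompts.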