Approximately 61% of cyber attacks involve adversaries in possession of valid credentials. Attackers acquire credentials through various means, including phishing, dark web data drops, and password reuse. Multi-factor authentication (MFA) helps to thwart attacks that use valid credentials, but attackers still commonly breach systems by tricking users into accepting MFA step-up requests through techniques such as "MFA Bombing", where multiple requests are sent to a user until they accept one. Currently, there are several solutions to this problem, each with varying levels of security and increasing invasiveness on user devices. This paper proposes a token-based enrollment architecture that is less invasive to user devices than mobile device management, but still offers strong protection against the use of stolen credentials and MFA attacks.
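The MFA Bombing pattern described above (repeated push challenges until one is accepted) leaves a recognizable trace in the authenticator's own log: a burst of denied or timed-out pushes for one user followed by an approval. The following is an added illustration, not code from the paper or its proposed architecture, showing two defender-side controls over a constructed push log: a detector that flags approvals preceded by a burst of unapproved pushes, and a gate that refuses to issue a new push once too many are already pending. The log format, the five-minute window and the threshold of three are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): (ISO timestamp, user, result).
# "denied" and "timeout" are unapproved outcomes; "approved" means the user accepted.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "denied"),
    ("2024-01-10T09:00:20", "alice", "timeout"),
    ("2024-01-10T09:00:45", "alice", "denied"),
    ("2024-01-10T09:01:10", "alice", "timeout"),
    ("2024-01-10T09:01:30", "alice", "approved"),   # approval after a burst: suspicious
    ("2024-01-10T09:05:00", "bob", "approved"),     # clean single approval
    ("2024-01-10T11:00:00", "carol", "denied"),
    ("2024-01-10T11:30:00", "carol", "approved"),   # one denial, 30 min earlier: benign
]


def events_by_user(events):
    """Group raw log tuples into {user: [(datetime, result), ...]} sorted by time."""
    grouped = defaultdict(list)
    for ts, user, result in events:
        grouped[user].append((datetime.fromisoformat(ts), result))
    for evs in grouped.values():
        evs.sort()
    return grouped


def find_push_fatigue(events, window=timedelta(minutes=5), min_unapproved=3):
    """Detection: return (user, approval_time, prior_unapproved_count) for every
    approval that was preceded, within `window`, by at least `min_unapproved`
    pushes the user did not approve. That shape is the MFA Bombing signature."""
    findings = []
    for user, evs in events_by_user(events).items():
        for i, (t, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [r for (pt, r) in evs[:i]
                     if t - pt <= window and r != "approved"]
            if len(prior) >= min_unapproved:
                findings.append((user, t.isoformat(), len(prior)))
    return findings


def allow_push(user_events, now, window=timedelta(minutes=5), max_unapproved=3):
    """Mitigation: decide whether the authenticator should send another push to
    this user at time `now`. Refuse once `max_unapproved` pushes in the window
    have already gone unapproved, so the attacker cannot keep prompting until
    the user gives in. Events after `now` are ignored."""
    recent = [r for (t, r) in user_events
              if timedelta(0) <= now - t <= window and r != "approved"]
    return len(recent) < max_unapproved


if __name__ == "__main__":
    for user, when, n in find_push_fatigue(SAMPLE_EVENTS):
        print(f"ALERT: {user} approved at {when} after {n} unapproved pushes")
    hist = events_by_user(SAMPLE_EVENTS)
    now = datetime.fromisoformat("2024-01-10T09:01:00")
    print("push to alice allowed:", allow_push(hist["alice"], now))
    print("push to bob allowed:", allow_push(hist["bob"], now))
```

Running the block flags only alice's approval and shows the gate already refusing a fourth push to alice at 09:01:00, while bob is unaffected. In a real deployment the gate belongs in the authentication service before the push is dispatched, and the detector feeds the approval-after-burst signal to the SIEM so that a session established this way is reviewed rather than trusted.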