
A Multi-Factor Authentication (MFA) fatigue attack — also known as push bombing or MFA prompt spamming — is a social engineering tactic where attackers overwhelm a target with repeated authentication requests until the victim eventually approves one.
Instead of breaking encryption or guessing passwords, the attacker exploits human behavior.
How MFA Normally Works
Multi-Factor Authentication (MFA) requires users to verify their identity using at least two factors:
a.) Something you know – Password or PIN
b.) Something you have – Phone, security token, or app
c.) Something you are – Biometrics like fingerprint or face recognition
Popular authentication apps like Microsoft Authenticator, Google Authenticator, and Duo Mobile send push notifications asking users to approve login attempts.
Normally, this significantly strengthens account security.
How an MFA Fatigue Attack Works
Here’s how attackers exploit the system:
1. Password Compromise
The attacker first obtains the victim’s password — often via phishing, data breaches, or credential stuffing.
2. Repeated Login Attempts
They attempt to log in repeatedly, triggering dozens of MFA push notifications to the victim’s phone.
3. Psychological Pressure
The victim begins receiving constant approval prompts:
i) Late at night
ii) During work hours
iii) Repeatedly every few minutes
The goal is to:
a.) Annoy the victim
b.) Create confusion
c.) Make them think it’s a system glitch
d.) Catch them off guard
4. Accidental or Frustrated Approval
Eventually, the user clicks “Approve” just to stop the notifications — granting the attacker access.
Why MFA Fatigue Attacks Are Effective
These attacks succeed because they exploit:
1.) Human fatigue
2.) Trust in familiar notifications
3.) Poor user awareness
4.) Lack of number-matching verification
5.) Delayed security response
Even strong technical defenses can fail if a user unknowingly approves access.
Real-World Example
In 2022, attackers used MFA fatigue tactics to breach systems at Uber. The attacker reportedly spammed an employee with login requests and eventually convinced them to approve access, leading to internal system compromise.
This incident highlighted how MFA, while powerful, is not foolproof.
Signs of an MFA Fatigue Attack
You might be under attack if:
A) You receive multiple unexpected MFA push notifications.
B) Login requests occur when you’re not trying to sign in.
C) Notifications keep appearing back-to-back.
D) Someone contacts you claiming to be IT and asks you to approve a login.
How to Protect Against MFA Fatigue Attacks
For Individuals:
1.) Never approve an MFA request you didn’t initiate.
2.) Report repeated prompts immediately to IT/security.
3.) Enable number matching (if available).
4.) Use phishing-resistant MFA like hardware keys.
For Organizations:
A) Implement number-matching MFA.
B) Use rate-limiting on authentication attempts.
C) Deploy behavioral anomaly detection.
D) Educate employees on push bombing attacks.
E) Consider phishing-resistant authentication such as FIDO2 security keys.
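As an added example (not code from the original article), here is the kind of detection logic a security team could run over identity-provider sign-in logs to spot push bombing: it flags a user who receives a burst of push prompts inside a short window, and an approval that follows several denials. The log format, event names and thresholds are assumptions and the log lines are constructed; the same per-user sliding window is what a rate limit on push prompts would key on.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IdP log (hypothetical format): "<utc-timestamp> <user> <event>"
SAMPLE_LOG = """\
2024-03-01T02:10:00Z alice push_sent
2024-03-01T02:10:04Z alice push_denied
2024-03-01T02:10:30Z alice push_sent
2024-03-01T02:10:33Z alice push_denied
2024-03-01T02:11:00Z alice push_sent
2024-03-01T02:11:02Z alice push_denied
2024-03-01T02:11:30Z alice push_sent
2024-03-01T02:11:31Z alice push_denied
2024-03-01T02:12:00Z alice push_sent
2024-03-01T02:12:10Z alice push_approved
2024-03-01T09:00:00Z bob push_sent
2024-03-01T09:00:05Z bob push_approved
"""

BURST_THRESHOLD = 5            # prompts inside one WINDOW that count as push bombing (assumed)
WINDOW = timedelta(minutes=10)
DENIALS_BEFORE_APPROVAL = 3    # an approval after this many denials is suspicious (assumed)

def parse(log_text):
    """Yield (timestamp, user, event) from the constructed log format."""
    for line in log_text.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_push_bombing(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return (user, timestamp, reason) findings for prompt bursts and post-denial approvals."""
    recent = defaultdict(deque)   # per-user timestamps of push_sent inside the window
    denials = defaultdict(int)    # per-user denials since the last approval
    findings = []
    for ts, user, event in parse(log_text):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop prompts that fell out of the window
                q.popleft()
            if len(q) == threshold:     # fires once, when the window first fills
                findings.append((user, ts, f"{threshold} prompts within {window}"))
        elif event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            if denials[user] >= DENIALS_BEFORE_APPROVAL:
                findings.append((user, ts, f"approval after {denials[user]} denials"))
            denials[user] = 0          # an approval resets the denial streak
    return findings
```

On the constructed log this reports two findings for alice (a 5-prompt burst at 02:12:00 and an approval after 4 denials) and nothing for bob, whose single prompt and approval is ordinary sign-in behaviour.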
The Bigger Security Lesson
MFA fatigue attacks demonstrate that cybersecurity is not just a technology issue — it’s a human issue.
Even the strongest systems can be bypassed if attackers manipulate people effectively. Modern security strategies now emphasize:
A) User awareness training
B) Zero-trust architecture
C) Phishing-resistant authentication methods
Final Thoughts
Multi-Factor Authentication remains one of the most effective security controls available today. However, MFA fatigue attacks show that attackers adapt quickly, shifting from technical exploitation to psychological manipulation. The rule is simple: if you didn’t request it, don’t approve it.