MFA Fatigue Attacks


The Rise of MFA Fatigue Attacks

Multi-Factor Authentication (MFA) has long been hailed as a simple, effective way to add an extra layer of protection against account compromise. But like all good things in cybersecurity, attackers have found a way to exploit it — not through code or clever exploits, but through human behavior.

Enter MFA fatigue attacks.

What Is an MFA Fatigue Attack?

MFA fatigue attacks, also known as push bombing, rely on overwhelming a user with repeated MFA requests until they finally accept one out of annoyance, confusion, or sheer habit. It’s a form of social engineering that preys on users' muscle memory and decision fatigue.

Imagine this:
A user is bombarded with 20 push notifications at 2 AM. They ignore the first few but eventually hit “Approve” just to silence the noise. The attacker is in.

Why It Works

The core weakness here isn't the technology — it's us. Here’s why MFA fatigue attacks are surprisingly effective:

  • Human error: Users often don't question why they're receiving an MFA prompt, especially if they're used to it as part of their daily routine.

  • Alert fatigue: With so many notifications in our digital lives, it's easy to get desensitized.

  • Timing: Attackers often trigger prompts late at night or during off-hours when users are less alert.

Real-World Examples

In 2022, a major ride-sharing company fell victim to an MFA fatigue attack. The attacker, having stolen valid credentials, repeatedly spammed the targeted employee’s phone with authentication requests until they approved one. That single tap led to a major breach.

And they're not alone. This tactic has been seen across healthcare, education, and finance — sectors with valuable data and often under-resourced security training.

What Can You Do About It?

1. Move to Number Matching or FIDO2
Instead of a prompt that can simply be approved, Microsoft and other vendors now support number matching, where the user must enter into the authenticator app the number displayed on the sign-in screen. A user who did not start the login never sees that number, so a reflexive tap can no longer complete it. FIDO2 security keys or hardware tokens are stronger still, because there is no push prompt to approve at all.

2. Train Your Users
This can’t be overstated: Users must understand that unsolicited MFA requests are a red flag. If they weren’t logging in, they should never approve it.

3. Monitor for Repeated MFA Prompts
Most identity providers (like Azure AD or Okta) can alert admins to excessive MFA requests. Treat a burst of denied or unanswered prompts for one account the way you would treat a burst of failed login attempts: it means someone already holds that user's password.

4. Enable Conditional Access
Only allow logins from trusted IPs or compliant devices. This reduces the chances of attackers even reaching the MFA stage.

5. Limit MFA Prompt Frequency
When users are prompted less often, an MFA request stops being routine background noise, so an unexpected one stands out and the reflex to approve it weakens. This also improves the user experience.
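As an added example for item 3 above (not code from the original post or from any identity provider), the following Python scans constructed MFA push-prompt log lines, assumed to carry a timestamp, a user and the prompt result, and flags any user who receives five or more prompts inside a ten-minute window. It separately records whether an approval landed while the burst was active, which is the signature worth paging someone for, and whether the burst began in off-hours. The log format, thresholds and off-hours range are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real IdP output). One push prompt per line:
# <ISO-8601 timestamp> <user> <result: denied|timeout|approved>
SAMPLE_LOG = """\
2024-03-02T02:01:10Z alice denied
2024-03-02T02:01:45Z alice timeout
2024-03-02T02:02:20Z alice denied
2024-03-02T02:03:05Z alice timeout
2024-03-02T02:03:50Z alice denied
2024-03-02T02:04:30Z alice approved
2024-03-02T08:15:00Z bob approved
2024-03-02T08:20:00Z bob approved
"""

OFF_HOURS = range(0, 6)  # assumption: 00:00-05:59 in the log's timezone

def parse_events(log_text):
    """Yield (timestamp, user, result) tuples in log order."""
    for line in log_text.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result

def find_push_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users who get `threshold` or more push prompts inside `window`.

    An approval that arrives while a burst is active is recorded separately:
    it is the signature of a user who finally tapped Approve and should be
    handled as a probable compromise, not as noise.
    """
    recent = {}  # user -> deque of prompt timestamps still inside the window
    alerts = {}  # user -> summary of the burst
    for ts, user, result in parse_events(log_text):
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop prompts that aged out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False,
                                     "off_hours": q[0].hour in OFF_HOURS,
                                     "first": q[0], "last": ts})
        a["prompts"] = max(a["prompts"], len(q))
        a["last"] = ts
        if result == "approved":
            a["approved_after_burst"] = True
    return alerts
```

Running `find_push_bombing(SAMPLE_LOG)` on the constructed log flags only alice, with six prompts, an approval inside the burst and an off-hours start; bob's two routine approvals produce no alert.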

The Bottom Line

MFA isn't broken — it's just being misused. Like every layer of security, it only works as well as the humans using it. By updating your MFA policies, leveraging smarter tools, and educating your users, you can turn this rising threat into a non-issue.