The Rise of MFA Fatigue Attacks and How to Defend Against Them
By one widely cited industry estimate, the global cost of cybercrime passed $8 trillion in 2023, with a significant share driven by identity attacks. One technique surged in popularity among threat actors: MFA fatigue attacks. If the 2022 Uber breach taught us anything, it is that an organization with MFA deployed can still fall to relentless push-notification abuse.
As multi-factor authentication becomes standard across industries, attackers have shifted strategies—no longer focusing on breaking MFA, but on exhausting the humans behind it. This article breaks down how MFA fatigue works, why it’s so effective, and the practical steps your organization can take to defend against it.
What Is MFA Fatigue?
MFA fatigue attacks, also known as “MFA bombing,” “push bombing,” or “MFA spamming,” involve repeatedly sending MFA approval requests to a user’s device until the user accepts one out of annoyance, confusion, or by mistake. This is social engineering: it exploits human behavior and a permissive MFA configuration rather than any flaw in the protocol or cryptography.
Most organizations rely on push-based MFA because it's fast and user-friendly. But this convenience becomes a weakness when attackers flood users with notifications until they approve one.
How MFA Fatigue Attacks Work
1. Credential Theft
Attackers first obtain valid usernames and passwords, usually through phishing, credential stuffing, infostealer malware, or credentials leaked in earlier breaches. Because password reuse remains widespread, one stolen password often unlocks several accounts.
2. Continuous MFA Prompt Bombing
Holding a valid password, the attacker starts the sign-in flow over and over, and each attempt fires a push notification to the victim’s phone. Some push configurations place no limit on how many prompts a user can receive in a row, so the attack costs the attacker nothing.
3. Social Engineering Pressure
Users may approve a prompt by accident while unlocking their phone, or deliberately just to stop the buzzing. Attackers often add pressure out of band, calling or messaging the victim while posing as IT support to “legitimize” the request.
4. Account Takeover
When a single request is approved, the attacker holds a valid session as that user. From there they typically register their own MFA device for persistence, then move laterally, harvest further credentials, or steal data.
Real-World Incidents
Uber (2022)
An attacker, reportedly a teenager linked to the Lapsus$ group, obtained an Uber contractor’s credentials and then repeatedly sent MFA pushes to the contractor’s phone. The attacker also messaged the contractor on WhatsApp posing as Uber IT and urged them to accept. The contractor eventually approved a prompt, and the attacker went on to reach internal tooling and administrative credentials, gaining broad access across Uber’s environment.
Cisco (2022)
Attackers first compromised an employee’s personal Google account, in which corporate credentials had been saved and synced in the browser, then combined voice phishing with repeated push prompts until the employee accepted a VPN MFA request. Despite Cisco’s controls, persistent push notifications plus social engineering were enough for initial access.
These attacks highlight a critical truth: MFA is only as strong as the user’s willingness to deny unauthorized requests.
Detecting MFA Fatigue Attacks
Organizations should watch for:
- Repeated MFA push prompts to one user in a short window, especially a run of denials or timeouts followed by an approval
- Authentication attempts from geolocations, networks, or device types that are unusual for that user
- Unexpected login patterns and session anomalies, including a new MFA device or passkey enrolled shortly after an approval
- User reports of strange or excessive MFA prompts, including approvals they do not remember making
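The signals above are easiest to understand as detection logic run over real events. The following is an added example, not code from the original article: a small detector that scans sign-in events for a push burst, a push from a country other than the user’s baseline, and an approval that lands right after a burst. The log format, field names, thresholds, and sample lines are all constructed for the demo; map them to your identity provider’s export (Entra ID sign-in logs, Okta System Log, Duo authentication log).

```python
"""Detect MFA-fatigue signals in authentication logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detector tunables: assumptions for this demo, not vendor defaults.
BURST_THRESHOLD = 5                   # push prompts to one user ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window = burst

# Constructed sample log (newline-delimited JSON). Field names are assumptions.
# alice and bob log in normally; later bob is push-bombed from an unusual
# country, denies and ignores prompts, and finally approves one.
SAMPLE_LOG = """
{"ts": "2024-03-01T08:00:00Z", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.9", "country": "DE"}
{"ts": "2024-03-01T08:00:05Z", "user": "alice", "event": "mfa_approved", "ip": "203.0.113.9", "country": "DE"}
{"ts": "2024-03-01T09:00:00Z", "user": "bob", "event": "mfa_push_sent", "ip": "192.0.2.14", "country": "US"}
{"ts": "2024-03-01T09:00:08Z", "user": "bob", "event": "mfa_approved", "ip": "192.0.2.14", "country": "US"}
{"ts": "2024-03-01T22:10:00Z", "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:10:20Z", "user": "bob", "event": "mfa_denied", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:10:30Z", "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:10:50Z", "user": "bob", "event": "mfa_timeout", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:11:00Z", "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:11:30Z", "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:12:00Z", "user": "bob", "event": "mfa_push_sent", "ip": "198.51.100.7", "country": "RU"}
{"ts": "2024-03-01T22:13:00Z", "user": "bob", "event": "mfa_approved", "ip": "198.51.100.7", "country": "RU"}
"""


def parse_log(text):
    """Parse NDJSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _alert(ts, user, rule, severity, detail):
    return {"ts": ts.isoformat(), "user": user, "rule": rule,
            "severity": severity, "detail": detail}


def detect_mfa_fatigue(events):
    """Return a list of alerts for push bursts, unusual geo, and approvals after a burst."""
    alerts = []
    pushes = defaultdict(deque)  # user -> timestamps of recent push prompts
    baseline = {}                # user -> country of first event seen (naive baseline)
    geo_seen = set()             # (user, country) pairs already reported

    for ev in events:
        user, ts, country = ev["user"], ev["ts"], ev.get("country")
        baseline.setdefault(user, country)
        window = pushes[user]
        # Age out prompts that fall outside the window as of this event.
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()

        if ev["event"] == "mfa_push_sent":
            window.append(ts)
            if country != baseline[user] and (user, country) not in geo_seen:
                geo_seen.add((user, country))
                alerts.append(_alert(ts, user, "unusual_geo", "medium",
                                     f"push requested from {country}; baseline {baseline[user]}"))
            if len(window) == BURST_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append(_alert(ts, user, "push_burst", "high",
                                     f"{len(window)} push prompts within {BURST_WINDOW}"))
        elif ev["event"] == "mfa_approved" and len(window) >= BURST_THRESHOLD:
            # The dangerous case: the user finally gave in after a flood of prompts.
            alerts.append(_alert(ts, user, "approval_after_burst", "critical",
                                 f"approval after {len(window)} prompts within {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"[{a['severity']:<8}] {a['ts']} {a['user']:<6} {a['rule']}: {a['detail']}")
```

Running it against the sample yields three alerts for bob and none for alice. The "approval after burst" rule is the one to page on: a burst alone may be a user fumbling a login, but an approval that follows five prompts in ten minutes from a new country is the Uber pattern. In production, replace the first-seen-country baseline with your user risk profile and feed the alerts into the SIEM rule the checklist below calls for.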
Preventing MFA Fatigue
1. Enforce Number Matching MFA
Microsoft Authenticator and Duo (“Verified Duo Push”) support number matching: the sign-in page shows a number and the user must type it into the authenticator app; Microsoft made this the default for Authenticator push notifications in 2023. A blind tap on “Approve” no longer completes the login, which removes accidental approvals and makes unassisted push bombing useless. The caveat: an attacker who is on the phone with the victim can read the number out to them, so number matching must be paired with rate limits and user training.
2. Set Rate Limits on Push Requests
The identity provider should cap the number of push prompts a user can receive per time window. When the cap is hit, suspend push for that user (forcing a step-up to a stronger factor), alert the security team, and keep the source IP and device of the sign-in attempts for investigation.
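To make steps 1 and 2 concrete, here is an added example (not code from the article or from any vendor) that models the identity-provider side of a push challenge with both controls: each push carries a random number the login page displays, the app must send that number back, and a per-user sliding window caps how many pushes can be issued before push is suspended and the SOC is alerted. Class and method names, the three-pushes-per-five-minutes limit, and the simulated scenario are assumptions for the demo.

```python
"""Push MFA issuance with number matching and a per-user rate limit (added example)."""
import secrets
import time
from collections import defaultdict, deque

# Policy knobs: assumptions for the demo, not any vendor's defaults.
MAX_PUSHES_PER_WINDOW = 3
WINDOW_SECONDS = 300
CHALLENGE_TTL_SECONDS = 60


class PushMfaPolicy:
    """Minimal in-memory model of the server side of a push challenge."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.recent = defaultdict(deque)  # user -> timestamps of issued pushes
        self.pending = {}                 # user -> (number, expires_at)
        self.suspended = {}               # user -> reason push is disabled
        self.alerts = []                  # what would be forwarded to the SOC

    def request_push(self, user):
        """Called after a correct password. Returns the two-digit number the
        login page must display, or None if the push was refused."""
        now = self.clock()
        if user in self.suspended:
            return None
        q = self.recent[user]
        while q and now - q[0] > WINDOW_SECONDS:  # slide the window
            q.popleft()
        if len(q) >= MAX_PUSHES_PER_WINDOW:
            # Rate limit hit: stop feeding the attacker prompts and tell the SOC.
            self.suspended[user] = "push rate limit exceeded"
            self.alerts.append((now, user, "push_burst: push suspended, step-up required"))
            return None
        q.append(now)
        number = secrets.randbelow(100)
        self.pending[user] = (number, now + CHALLENGE_TTL_SECONDS)
        return number

    def answer_push(self, user, approved, entered_number=None):
        """Called by the authenticator app. Each challenge is single-use, and a
        bare 'Approve' without the displayed number never completes the login."""
        challenge = self.pending.pop(user, None)
        if challenge is None or not approved:
            return False
        number, expires_at = challenge
        if self.clock() > expires_at:
            return False
        return entered_number == number


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate():
    """A legitimate login, then an attacker who already holds the password."""
    clock = FakeClock()
    policy = PushMfaPolicy(clock)

    # 1. Legitimate login: the user reads the number off the page and types it.
    shown = policy.request_push("alice")
    legit_ok = policy.answer_push("alice", approved=True, entered_number=shown)

    # 2. Attacker triggers a push; the victim taps Approve without a number.
    policy.request_push("alice")
    blind_ok = policy.answer_push("alice", approved=True, entered_number=None)

    # 3. Attacker tries again; the victim enters a number that does not match.
    shown = policy.request_push("alice")
    wrong_ok = policy.answer_push("alice", approved=True, entered_number=(shown + 1) % 100)

    # 4. Fourth push inside the window: refused, push suspended, SOC alerted.
    fourth = policy.request_push("alice")

    return {
        "legit_ok": legit_ok,              # True
        "blind_ok": blind_ok,              # False
        "wrong_ok": wrong_ok,              # False
        "fourth_refused": fourth is None,  # True
        "suspended": "alice" in policy.suspended,
        "alerts": len(policy.alerts),
    }


if __name__ == "__main__":
    print(simulate())
```

Two design points matter here. Challenges are single-use and expire, so an attacker cannot keep an old prompt alive and wait for the victim to relent. And suspension is deliberately sticky: once the limit trips, only a step-up to a stronger factor or a help-desk reset should re-enable push, because the attacker still has the password. Whether to suspend, step up, or merely notify is a policy choice; suspension is the assumed choice in this demo.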
3. Use Phishing-resistant MFA
FIDO2 security keys and passkeys, both WebAuthn credentials, remove push notifications entirely. The authenticator signs a server challenge that is bound to the site’s origin, so the credential cannot be approved by mistake, phished on a look-alike domain, or replayed against another service.
4. Enhance User Training
Employees must understand that whoever sends an unsolicited MFA prompt already has their password; approving it hands over the second factor and completes the break-in. Tell users to deny unexpected prompts, change their password, and report the event, and reinforce the message with simulated MFA fatigue drills.
Best Practices Checklist
- Enable number matching for push-based MFA
- Adopt phishing-resistant MFA where possible
- Audit MFA logs for suspicious patterns
- Implement conditional access and geofencing
- Use SIEM alerts to flag repeated MFA requests
- Automatically suspend push (and require a step-up) after a burst of denied or unanswered prompts; password lockouts alone do not help, because the attacker already holds a valid password
Common Misconceptions
“We use MFA, so we’re safe.” MFA reduces risk but does not eliminate social engineering; attackers target weak implementations, and push without number matching is one.
“Users will report unusual MFA activity.” Most employees assume the notifications are glitches or system tests unless they have been told otherwise.
“Push is more secure than SMS.” Push without number matching or rate limits can be as easy to abuse as a SIM swap; the channel is only as strong as its configuration.
Tools and Resources
- Microsoft Authenticator Number Matching
- Duo Risk-Based Authentication
- Okta Behavioral Detection
- FIDO2 security keys (YubiKey, Feitian, SoloKeys)
Future Trends
MFA fatigue attacks will keep rising as push MFA adoption grows. Number matching is already mandatory for Microsoft Authenticator push and is becoming a baseline requirement elsewhere. Passwordless authentication with passkeys will accelerate, reducing reliance on push notifications altogether.
Conclusion
MFA fatigue attacks prove that strong security tools can fail when user friction is exploited. By combining technical controls, training, and phishing-resistant MFA, organizations can drastically lower their exposure. Identity attacks will keep evolving—but with layered defenses, your business doesn’t have to become the next headline.