MFA fatigue attack - prevention & more

MFA Fatigue Attacks: Examples, Prevention, and More

For many years, traditional MFA (multifactor authentication) was effective in preventing account compromise due to stolen passwords.

Unfortunately, that’s no longer the case.

Cybercriminals now use MFA fatigue attacks, also known as prompt bombing or push bombing, to bypass the defenses of a traditional MFA configuration. They do so by overwhelming a user with so many authentication requests, the user eventually taps “accept” out of frustration, habit, or by accident.

Luckily, you can prevent MFA fatigue attacks. Here’s everything you need to know.

Key takeaways:

  • MFA fatigue attacks manipulate human exhaustion to gain access to a system protected by traditional MFA.
  • The Uber breach in 2022 is the most famous example of a successful MFA fatigue attack.
  • MFA fatigue is an effective attack method because it targets human psychology rather than technical flaws in a system.
  • Phishing-resistant MFA and number-matching offer effective prevention of MFA fatigue attacks.

Table of Contents

💡 EXCLUSIVE Resource: 

Phishing-Resistant MFA ROI Calculator

What is MFA fatigue?

MFA fatigue is the mental and emotional exhaustion users experience from receiving frequent multi-factor authentication prompts throughout their day. This constant interruption can lead to frustration, reduced attention, and desensitization. A user experiencing MFA fatigue is more likely to approve requests automatically without careful review. This fatigued state constitutes a security risk even if the user is not under an active attack.

What is an MFA fatigue attack?

What is an MFA fatigue attack?

An MFA fatigue attack is a social engineering tactic that manipulates a user’s notification fatigue to breach their account. A hacker, already equipped with the user’s password, floods the user with repeated multi-factor authentication (MFA) push notifications. The strategy works if the user eventually approves one of the notifications out of annoyance, confusion, or habit. A single accidental tap grants the attacker access to the account, bypassing MFA entirely. This technique is also known as MFA bombing, MFA push spam, or prompt bombing.

What are some examples of MFA fatigue attacks?

Several high-profile MFA fatigue attacks have affected large companies over the last few years. Here are some of the most significant examples.

The Uber 2022 breach

  • What happened: The Lapsus$ hacking group obtained VPN credentials for an Uber contractor.
  • MFA fatigue tactic: The attacker sent 100+ push notifications to the contractor’s phone.
  • Outcome: After repeated prompts and a follow-up WhatsApp message impersonating IT support, the attackers succeeded, as the contractor approved one request. The attackers gained internal access to systems like Slack and Google Workspace.

Learn more here: Uber’s SEC filing about the breach.

The Cisco 2022 breach

  • What happened: Cisco was breached after attackers compromised employee credentials.
  • MFA fatigue tactic: Attackers used push notification spamming to pressure the user into approving access.
  • Outcome: The attacker successfully authenticated and gained a foothold inside Cisco’s network.

Learn more here: BleepingComputer reports on Cisco’s 2022 breach.

0ktapus campaign (2022)

  • What happened: Hackers targeted Twilio, Cloudflare, and other companies.
  • MFA fatigue tactic: While primarily a phishing campaign, 0ktapus often combined credential theft with repeated MFA prompts to push users to approve requests.
  • Outcome: Hackers gained access to internal tools, customer data, and communications systems in some cases.

Learn more here: Security expert Brian Krebs reports on the 0ktapus campaign.

Is MFA prompt bombing or push bombing the same as an MFA fatigue attack?

Yes, MFA prompt bombing and push bombing both refer to an MFA fatigue attack. Of course, different terminology may highlight different aspects of the attack. “Fatigue” emphasizes the psychological wear-down on the user, while “bombing” emphasizes the flood of prompts. Regardless of the wording, all three phrases describe the same technique and are used interchangeably across vendor and government guidance.

Why is MFA fatigue an effective attack method?

MFA fatigue attacks are effective because they target human psychology rather than technical flaws in the MFA system itself. Once an attacker has a valid password, the only barrier left is a single approval tap. The relentless stream of push notifications is designed to wear the user down until they approve one authentication request out of annoyance, confusion, or reflex, especially when prompts arrive late at night or during a busy workday.

Four specific factors make this attack strategy reliable:

  1. Stolen passwords are cheap and abundant on the dark web.
  2. Simple “approve/deny” push notifications require no real verification of who is logging in.
  3. Workplace processes have taught users to tap “approve” dozens of times a week, so one more prompt rarely raises suspicion.
  4. Attackers often add a layer of social engineering, posing as IT support to convince the victim that approving will make the notifications stop.

This attack method is also low-cost and low-skill. It doesn’t require malware or a sophisticated exploit, just persistence and patience. This is why it has succeeded against large, well-resourced organizations and remains a favorite tactic of groups like Scattered Spider and Lapsus$.

Can I just add more prompts to prevent MFA fatigue attacks?

Generally, no. Adding additional prompts looks more secure in theory, but it actually makes life harder for users without significantly improving security.

In fact, this pileup of prompts is almost a type of “security theater.” It can become a performative act for cyber professionals to implement these controls. Fundamentally, however, if your MFA configuration still depends on a single tap for approval, more prompts isn’t going to fix that problem.

Does number-matching protect users from MFA fatigue attacks?

Number matching helps. In this workflow, the user types a code shown on the login screen into their authenticator app. If they type in the code without mistakes, they authenticate successfully. Number matching breaks the blind, reflexive “approve” tap because the user has to do something deliberate.

If you have nothing else in place, turn on number-matching today. 

But number matching is a speed bump, not a wall. It still depends on the user making the right call, and it does nothing against the more advanced attack we’re seeing now: real-time adversary-in-the-middle phishing, where the attacker proxies the entire login—password, code, and all—and steals the session token after authentication succeeds. (We break that one down in our guide to phishing-resistant MFA.) 

In short, number matching reduces the odds. It doesn’t remove the target. 

How can I prevent MFA fatigue attacks?

How can I prevent MFA fatigue attacks?

To prevent MFA fatigue attacks, organizations must close the gap left open by simple push-approval MFA. The most effective defense is moving to phishing-resistant MFA using FIDO2 security keys or passkeys. This type of MFA can’t be defeated by a flood of prompts because there’s no “approve” button to tap.

Where push-based MFA remains in use, enabling number matching can stop blind approvals, as it forces the user to type a code shown on the legitimate login screen into their authenticator app. CISA recommends number-matching as a frontline control, as does Microsoft.

Organizations should also implement the following controls:

  • Limit the number of authentication requests that an account can trigger.
  • Set up alerts or auto-lock accounts after repeatedly denied prompts.
  • Deploy risk-based or conditional access policies that factor in device, location, and behavior before granting entry.

Stolen passwords are the starting point for every prompt bombing attack. Therefore, strong password hygiene and dark-web credential monitoring reduce exposure upstream, while user training closes the human gap on which the attack depends.

For many mid-market organizations, partnering with a cybersecurity provider for SOC as a service or managed XDR adds 24/7 monitoring that can spot and shut down a prompt-bombing campaign in real time. This stops the attack before a single accidental tap can even occur.

Can a SOC detect and shut down an MFA fatigue attack in progress?

Yes, a security operations center (SOC) can detect and stop an MFA fatigue attack while it’s happening. This is because the attack produces a distinctive signal: a rapid burst of repeated MFA push requests, often paired with failed logins, impossible travel or unfamiliar location sign-ins, and a spike in denied prompts.

A SOC team that monitors identity logs from systems like Microsoft Entra ID or Okta can flag this pattern in real time and respond before the user caves. The SOC team has several methods at their disposal:

  • Locking or suspending the targeted account
  • Forcing a password reset
  • Revoking active sessions
  • Blocking the source IP

Modern SOCs increasingly automate this response through conditional access policies and playbooks that auto-contain an account after a threshold of denied or repeated prompts. This approach reduces the window between detection and containment from hours to minutes.

Prompt bombing is often timed for nights and weekends, which means that monitoring during business hours isn’t enough. For mid-market organizations that can’t staff round-the-clock monitoring in-house, a cybersecurity partner running SOC as a service or managed XDR can provide the continuous coverage that’s required to stop these attacks.

What can I do this week to start defending against MFA fatigue attacks?

There are several low-effort steps you can take this week, or even today, to protect your organization from MFA fatigue attacks. At Corsica Technologies, here’s where we start with our clients.

  • Audit your prompts. Find the MFA challenges that have outlived their purpose and cut the “security theater.” Fewer, smarter prompts are better than more prompts. 
  • Turn on number matching now as a stopgap if you haven’t already. 
  • Plan your move to phishing-resistant MFA. Most organizations already own the licensing, as Microsoft Entra ID P1 is included with Microsoft 365 Business Premium and E3. In this scenario, the cost is mostly planning and rollout, not new spend. 

MFA fatigue works because it targets the weakest part of traditional MFA: the human being asked to approve. Take that decision off their plate, and the attack has nothing left to exploit. 

The takeaway: Don’t fall prey to MFA fatigue attacks

The risk of MFA fatigue attacks is real, but you can protect your organization with the right cybersecurity controls. Phishing-resistant MFA and number-matching offer stronger protection than traditional MFA. If you need help implementing or managing these controls, get in touch with us. We’ve helped 1,000+ companies solve their toughest challenges with technology. Contact us today, and let’s take the next step on your journey.

Related posts

As Vice President of Security Operations, Clayton Mach brings 15+ years of experience, a strong leadership perspective, and deep technical expertise to the everyday security operations of Corsica’s clients. His wide range of expertise—from ERP systems to network support, infrastructure deployment, and process auditing—equips him to apply a practical perspective to rapidly evolving threat landscape faced by Corsica clients. He holds the professional development and success of his team members as his most satisfying accomplishments.

Ready to take your next step?

Contact us today to get the outside perspective you need for the next step on your journey.

Contact Us Now →

Moving forward with AI- Corsica Technologies

Table of Contents

💡 EXCLUSIVE Resource: 

Phishing-Resistant MFA ROI Calculator

Ready to talk to an expert?

We’ll respond within 1 business day, or you can grab time on our calendar.