You get a single team handling cybersecurity, IT, AI consulting, and data integration services like EDI, filling the gaps in your team.
“Corsica is a one-stop shop for us. If I have a problem, I can go to my vCIO or a number of people, and you take care of it. That’s an investment in mutual success.”
– Greg Sopcak | Southern Michigan Bank & Trust
From 24/7 SOC services to MDR/SIEM, penetration testing and training, we’ve got you covered.
Get the expert support you need for your network, on-premises devices, VoiP, M365, Google Workplace, and everything in between.
Full support of compliance frameworks, including CJIS, HIPAA, CMMC, NIST, SOC 2, and more
Cut through the hype with smart strategies and right-fit AI solutions for your organization.
Take strategic steps with confidence as you collaborate with our expert business and vCIO consultants.
Get cloud security, integration, server virtualization, and optimization strategies to reduce your cloud costs.
Connect any data source to any other with robust solutions and managed services.
Stay ahead of the curve, eliminate waste, and grow revenue with next-generation technologies.
Expert consulting, implementation, integration, managed services, and cybersecurity for Microsoft products.
One program. One partner. Complete AI transformation.
It takes dedicated experience to use technology strategically in your industry. That’s why we specialize in certain verticals while offering comprehensive technology services.
From webinars and video tutorials to guides and blogs, we’ve got resources to help you and your team address any technology challenge.
For many years, traditional MFA (multifactor authentication) was effective in preventing account compromise due to stolen passwords.
Unfortunately, that’s no longer the case.
Cybercriminals now use MFA fatigue attacks, also known as prompt bombing or push bombing, to bypass the defenses of a traditional MFA configuration. They do so by overwhelming a user with so many authentication requests, the user eventually taps “accept” out of frustration, habit, or by accident.
Luckily, you can prevent MFA fatigue attacks. Here’s everything you need to know.
Key takeaways:
MFA fatigue is the mental and emotional exhaustion users experience from receiving frequent multi-factor authentication prompts throughout their day. This constant interruption can lead to frustration, reduced attention, and desensitization. A user experiencing MFA fatigue is more likely to approve requests automatically without careful review. This fatigued state constitutes a security risk even if the user is not under an active attack.
An MFA fatigue attack is a social engineering tactic that manipulates a user’s notification fatigue to breach their account. A hacker, already equipped with the user’s password, floods the user with repeated multi-factor authentication (MFA) push notifications. The strategy works if the user eventually approves one of the notifications out of annoyance, confusion, or habit. A single accidental tap grants the attacker access to the account, bypassing MFA entirely. This technique is also known as MFA bombing, MFA push spam, or prompt bombing.
Several high-profile MFA fatigue attacks have affected large companies over the last few years. Here are some of the most significant examples.
Learn more here: Uber’s SEC filing about the breach.
Learn more here: BleepingComputer reports on Cisco’s 2022 breach.
Learn more here: Security expert Brian Krebs reports on the 0ktapus campaign.
Yes, MFA prompt bombing and push bombing both refer to an MFA fatigue attack. Of course, different terminology may highlight different aspects of the attack. “Fatigue” emphasizes the psychological wear-down on the user, while “bombing” emphasizes the flood of prompts. Regardless of the wording, all three phrases describe the same technique and are used interchangeably across vendor and government guidance.
MFA fatigue attacks are effective because they target human psychology rather than technical flaws in the MFA system itself. Once an attacker has a valid password, the only barrier left is a single approval tap. The relentless stream of push notifications is designed to wear the user down until they approve one authentication request out of annoyance, confusion, or reflex, especially when prompts arrive late at night or during a busy workday.
Four specific factors make this attack strategy reliable:
This attack method is also low-cost and low-skill. It doesn’t require malware or a sophisticated exploit, just persistence and patience. This is why it has succeeded against large, well-resourced organizations and remains a favorite tactic of groups like Scattered Spider and Lapsus$.
Generally, no. Adding additional prompts looks more secure in theory, but it actually makes life harder for users without significantly improving security.
In fact, this pileup of prompts is almost a type of “security theater.” It can become a performative act for cyber professionals to implement these controls. Fundamentally, however, if your MFA configuration still depends on a single tap for approval, more prompts isn’t going to fix that problem.
Number matching helps. In this workflow, the user types a code shown on the login screen into their authenticator app. If they type in the code without mistakes, they authenticate successfully. Number matching breaks the blind, reflexive “approve” tap because the user has to do something deliberate.
If you have nothing else in place, turn on number-matching today.
But number matching is a speed bump, not a wall. It still depends on the user making the right call, and it does nothing against the more advanced attack we’re seeing now: real-time adversary-in-the-middle phishing, where the attacker proxies the entire login—password, code, and all—and steals the session token after authentication succeeds. (We break that one down in our guide to phishing-resistant MFA.)
In short, number matching reduces the odds. It doesn’t remove the target.
To prevent MFA fatigue attacks, organizations must close the gap left open by simple push-approval MFA. The most effective defense is moving to phishing-resistant MFA using FIDO2 security keys or passkeys. This type of MFA can’t be defeated by a flood of prompts because there’s no “approve” button to tap.
Where push-based MFA remains in use, enabling number matching can stop blind approvals, as it forces the user to type a code shown on the legitimate login screen into their authenticator app. CISA recommends number-matching as a frontline control, as does Microsoft.
Organizations should also implement the following controls:
Stolen passwords are the starting point for every prompt bombing attack. Therefore, strong password hygiene and dark-web credential monitoring reduce exposure upstream, while user training closes the human gap on which the attack depends.
For many mid-market organizations, partnering with a cybersecurity provider for SOC as a service or managed XDR adds 24/7 monitoring that can spot and shut down a prompt-bombing campaign in real time. This stops the attack before a single accidental tap can even occur.
Yes, a security operations center (SOC) can detect and stop an MFA fatigue attack while it’s happening. This is because the attack produces a distinctive signal: a rapid burst of repeated MFA push requests, often paired with failed logins, impossible travel or unfamiliar location sign-ins, and a spike in denied prompts.
A SOC team that monitors identity logs from systems like Microsoft Entra ID or Okta can flag this pattern in real time and respond before the user caves. The SOC team has several methods at their disposal:
Modern SOCs increasingly automate this response through conditional access policies and playbooks that auto-contain an account after a threshold of denied or repeated prompts. This approach reduces the window between detection and containment from hours to minutes.
Prompt bombing is often timed for nights and weekends, which means that monitoring during business hours isn’t enough. For mid-market organizations that can’t staff round-the-clock monitoring in-house, a cybersecurity partner running SOC as a service or managed XDR can provide the continuous coverage that’s required to stop these attacks.
There are several low-effort steps you can take this week, or even today, to protect your organization from MFA fatigue attacks. At Corsica Technologies, here’s where we start with our clients.
MFA fatigue works because it targets the weakest part of traditional MFA: the human being asked to approve. Take that decision off their plate, and the attack has nothing left to exploit.
The risk of MFA fatigue attacks is real, but you can protect your organization with the right cybersecurity controls. Phishing-resistant MFA and number-matching offer stronger protection than traditional MFA. If you need help implementing or managing these controls, get in touch with us. We’ve helped 1,000+ companies solve their toughest challenges with technology. Contact us today, and let’s take the next step on your journey.
Contact us today to get the outside perspective you need for the next step on your journey.
We’ll respond within 1 business day, or you can grab time on our calendar.