About the Author
This article is written by Ahmar Imam with over a decade of combined experience in threat intelligence, identity protection, and incident response. Ahmar is a founder of D3C Consulting, where his team monitors emerging attack campaigns daily and works directly with enterprise security teams and individual consumers to mitigate data breach risks.
Reviewed by: Senior Threat Intelligence Analyst | Certified Information Security Professional (CISSP) | Identity Management expert

Imagine this: It’s 2 AM. Your phone buzzes. An MFA push notification appears, “Did you just try to log in?” You’re half asleep. You tap Approve just to make it stop.
That one tap just opened your company’s network to an attacker.
This is an MFA fatigue attack. It is one of the most effective ways attackers get past MFA today, and it is used constantly against North American businesses.
Multi-factor authentication (MFA) was supposed to be the safety net. But attackers have learned that the weakest link isn’t your technology, it’s human patience. By flooding users with endless push notifications, attackers exploit frustration, fatigue, and a moment of inattention. The result? Full account access, often with no malware required.
In this guide, you’ll learn exactly what MFA fatigue attacks are, why they work so well, how real-world breaches happened, and, most importantly, how to stop them with the right MFA implementation and cybersecurity strategy.
What are the risks of multi-factor authentication?
While MFA dramatically improves security, multi-factor authentication risks include: push notification fatigue attacks, SIM swapping (targeting SMS-based MFA), real-time phishing proxy attacks (tools like Evilginx2), session token theft via malware, social engineering attacks on help desks, and improper configuration leaving MFA policies incomplete or inconsistently enforced. These risks are best managed through professional MFA implementation and regular security reviews.
⚠️ REAL-WORLD CASE:
In 2022, Uber suffered a major breach after an attacker used an MFA fatigue attack against a contractor. The hacker bombarded the contractor with push requests, then messaged them directly on WhatsApp, claimed to be Uber IT support, and kept pushing until the contractor approved the login. No zero-day exploit. No malware. Just persistence, and a tired employee.
What Is MFA Fatigue? (And What Else Is It Called?)
MFA fatigue, also called push bombing or MFA prompt bombing, is a type of cyberattack where a hacker repeatedly sends multi-factor authentication push requests to a victim’s phone or device.
The attacker already has the victim’s username and password (often obtained through phishing or a data breach). The only thing standing between them and full access is the MFA approval. So they simply send that approval request over and over again.
MFA fatigue attacks are also known as:
- Push bombing attacks
- MFA push attacks
- MFA bombing
- Prompt bombing
- Authentication fatigue attacks
- Push notification attacks
The goal is simple: wear the user down. Bombard them with so many approval requests that they either:
- Accidentally approve the login while trying to deny or dismiss the notification
- Approve it out of sheer frustration to make the notifications stop
- Approve it because an attacker simultaneously calls them, pretending to be IT support, and asks them to “confirm” the login
What are MFA fatigue attacks also known as?
MFA fatigue attacks are also known as push bombing attacks, MFA bombing, MFA prompt bombing, push MFA attacks, authentication fatigue attacks, and push notification attacks. All of these terms describe the same core tactic: overwhelming a target with repeated MFA approval requests until they comply.

Why Is MFA Fatigue an Effective Attack Method?
This is the question security teams need to sit with: Why does a strategy this simple keep working against organizations with security budgets in the millions?
The answer lies in human psychology, and in how most MFA systems are designed.
1. It Exploits Human Psychology
People are busy. They receive dozens of notifications per day. When an MFA request appears, even a suspicious one, the instinct is often to make it go away as quickly as possible. Attackers know this. They time their push bombs for late at night, early morning, or during peak work hours when employees are distracted.
2. Most MFA Systems Don’t Block Repeated Requests
Many push-based MFA deployments do not rate-limit approval requests by default. Nothing stops an attacker who already holds the password from triggering 50 approval requests in 10 minutes; the system sends every one of them, and each one is another chance for the user to tap Approve.
3. Stolen Credentials Are Everywhere
Billions of usernames and passwords are available on dark web marketplaces right now. Once an attacker has credentials, from a data breach, phishing campaign, or credential stuffing, MFA is the only barrier left. Push bombing removes that barrier through human error rather than technical exploitation.
4. Social Engineering Amplifies the Attack
MFA fatigue is often combined with voice phishing (vishing). The attacker calls the target, pretends to be from IT support, and says something like: “We’re running a system update and need you to approve the MFA request you’re receiving.” The victim complies.
A question that often comes up: what type of social engineering attack exploits biometrics and MFA at the same time? The answer is exactly this hybrid, push bombing combined with impersonation and vishing. It is the most dangerous form of MFA fatigue because a biometric unlock on the phone only proves who is holding the device; it says nothing about whether the login being approved was started by that person.
| Why MFA Fatigue Works | Why Traditional MFA Fails Against It |
|---|---|
| Human psychology: fatigue & frustration | No rate limiting on push requests |
| Stolen credentials are widely available | Users not trained to recognize the attack |
| No malware or technical exploit needed | Simple approve/deny UI is too easy to misclick |
| Combined with social engineering (vishing) | IT teams rarely monitor push anomalies in real time |
| Low cost, high success rate for attackers | MFA approval context is minimal or absent |
MFA Attacks: Push Bombing vs. Prompt Bombing vs. MFA Bombing
These terms are mostly used interchangeably and are not standardized across vendors or researchers. Where a distinction is drawn, it usually looks like this:
| Attack Type | Method | Primary Target |
|---|---|---|
| Push Bombing / Push MFA Attack | Floods push notification apps (Duo, Microsoft Authenticator) | Enterprise employees |
| MFA Prompt Bombing | Sends repeated authentication prompts via SMS, email, or app | Consumer & enterprise accounts |
| MFA Bombing | Umbrella term: any high-volume MFA request flood | Any MFA-protected system |
| MFA Fatigue Attack | Full strategy including the social engineering layer | High-value enterprise targets |
| Vishing + Push Attack | Phone call impersonation + simultaneous push flood | C-suite, IT admins, finance teams |
MFA Security News: Real-World MFA Fatigue Attack Breaches
MFA fatigue attacks are not theoretical. They have taken down some of the most well-known organizations in the world.
Uber (2022)
A hacker used MFA bombing against an Uber contractor. After bombarding the employee with push requests, the attacker contacted them directly on WhatsApp, claimed to be Uber IT, and instructed them to approve the request. The contractor complied. The attacker accessed Uber’s internal systems, cloud services, and source code repositories.
Cisco (2022)
Cisco disclosed that an attacker compromised an employee's VPN account after harvesting credentials the employee's browser had saved and synced to a personal Google account that the attacker had already taken over. With the password in hand, the attacker combined vishing with a push bombing campaign until the employee eventually accepted a request. Cisco Talos published a detailed account of the incident as a warning to the industry.
Microsoft (2022)
The LAPSUS$ hacking group, responsible for multiple high-profile breaches, publicly described their use of MFA bombing as a core attack technique. They explicitly stated they would call targets pretending to be tech support and ask them to approve MFA requests. Microsoft confirmed the method was used in attacks against its systems.
Twilio, Cloudflare, and the “0ktapus” Campaign
In a coordinated campaign dubbed 0ktapus, attackers sent SMS phishing messages that led employees to look-alike Okta login pages and relayed the stolen credentials and one-time codes to the real login in real time, compromising over 130 organizations, including Twilio. Cloudflare employees received the same messages, and some entered their credentials, but Cloudflare avoided a breach because every employee authenticates with phishing-resistant hardware security keys (FIDO2/WebAuthn), which the phishing page could not relay. That is a critical differentiator we'll return to in the prevention section.
KEY TAKEAWAY:
The breaches above have one thing in common: the organization was relying on standard push-based MFA (or a phishable one-time code) without number matching, context-awareness, or a phishing-resistant alternative.
The right MFA implementation strategy is the difference between a headline and a footnote.
Multi-Factor Authentication Risks You Need to Understand
MFA is still far better than a password alone. But it’s not a silver bullet. Here are the key multi-factor authentication risks that security teams must account for:
- Push notification fatigue (as described above)
- SIM swapping: Attackers port your phone number to a new SIM, intercepting SMS-based MFA codes
- Adversary-in-the-middle phishing proxies: Tools like Evilginx2 sit between the user and the real login page, relay the password and one-time code as the user types them, and then steal the authenticated session cookie
- Malware-based token theft: Infostealers can extract session tokens and MFA codes from infected devices
- Social engineering: Biometric MFA and standard push MFA alike can be defeated by talking the legitimate user into approving a login they did not start
- Account recovery bypass: Attackers impersonate the user to the help desk and request an MFA reset or account recovery, sidestepping the factor entirely

EXPERT NOTE:
Many organizations implement MFA and then consider the problem solved. This is dangerous. MFA must be paired with employee training, anomaly detection, phishing-resistant authentication methods, and Zero Trust architecture to be truly effective.
If your MFA implementation hasn’t been reviewed by a cybersecurity professional in the last 12 months, your business is likely exposed.
MFA Fatigue Attack Prevention: 8 Strategies That Actually Work
Preventing MFA fatigue attacks requires a layered approach. Here’s what security experts, and the organizations that successfully defeated these attacks, recommend:
1. Enable Number Matching on MFA Push Notifications
Number matching requires the user to type a number shown on the login screen into the authenticator app before the approval counts. Because it is the attacker, not the user, who is sitting at that login screen, a user being bombed never sees the number and cannot approve by a stray tap or out of frustration. Note the limit: if the attacker is also on the phone with the victim, they can simply read the number out, so number matching must be paired with training ("never approve a login you did not start, whatever the caller says") rather than relied on alone.
Microsoft, Duo, and Okta all support it: Microsoft has enforced number matching for Microsoft Authenticator push notifications across all tenants since May 2023, Duo calls it Verified Duo Push, and Okta calls it number challenge for Okta Verify push. If your platform still leaves it optional, turn it on today.
2. Add Geographic and IP Context to Push Requests
Configure your MFA system to display the location and IP address of the login attempt in the push notification. If an employee in Chicago sees "Login attempt from Moscow," they'll know to deny, and alert IT immediately. Location is derived from the source IP, which attackers can launder through a VPN or a residential proxy near the victim, so treat a matching location as weak evidence and a mismatch as a strong signal.
3. Implement Phishing-Resistant MFA (FIDO2 / WebAuthn / Passkeys)
FIDO2 and WebAuthn-based authentication (hardware security keys like YubiKey, or passkeys) are cryptographically bound to the specific website. They cannot be phished, proxied, or pushed remotely. Cloudflare stopped the 0ktapus attack because it had deployed hardware security keys for all employees.
For organizations handling sensitive data or operating in regulated industries, phishing-resistant MFA is no longer optional, it’s a best practice.
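Why a FIDO2/WebAuthn login cannot be relayed by the kind of phishing page used in 0ktapus comes down to one detail: the browser, not the web page, writes the page's origin into the data the security key signs. The following is an added example, not code from the article, the FIDO Alliance, or any WebAuthn library. It keeps the structure of a real assertion (clientDataJSON with type, challenge and origin; authenticator data starting with the hash of the relying-party ID; a signature over both) but, as a labelled assumption, stands in an HMAC for the key's private-key signature so it runs with the standard library only.

```python
"""Origin binding in a WebAuthn assertion, simulated.

Added example (not from the original article or any library). The HMAC is a
stand-in for the authenticator's asymmetric signature; the bytes it covers
follow the real WebAuthn assertion: authenticatorData || SHA-256(clientDataJSON).
"""
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://login.example.com"      # the genuine relying party
PHISH_ORIGIN = "https://login-example.com"     # adversary-in-the-middle proxy
CREDENTIAL_SECRET = b"registered-credential-secret"  # assumption: stands in for the key pair


def hostname(origin):
    """Effective domain of an origin, which the browser uses as the default rpId."""
    return origin.split("://", 1)[1].split("/")[0]


def rp_new_challenge():
    """Relying party issues a fresh random challenge for each login attempt."""
    return os.urandom(32).hex()


def authenticator_sign(credential_secret, authenticator_data, client_data_json):
    """Device signs authenticatorData || SHA-256(clientDataJSON) (HMAC stand-in)."""
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(credential_secret, signed, hashlib.sha256).digest()


def browser_get_assertion(credential_secret, challenge, page_origin):
    """What the browser does on navigator.credentials.get(): it builds the client
    data itself and stamps in the real origin of the page that called it. A
    phishing page cannot choose this value."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(hostname(page_origin).encode()).digest()
    flags_and_counter = b"\x01" + (1).to_bytes(4, "big")  # UP flag set, signCount = 1
    authenticator_data = rp_id_hash + flags_and_counter
    return {
        "client_data_json": client_data_json,
        "authenticator_data": authenticator_data,
        "signature": authenticator_sign(credential_secret, authenticator_data,
                                        client_data_json),
    }


def relying_party_verify(credential_secret, expected_origin, expected_challenge,
                         assertion):
    """Relying-party checks, in the order a real server performs them."""
    client_data = json.loads(assertion["client_data_json"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    expected_rp_hash = hashlib.sha256(hostname(expected_origin).encode()).digest()
    if assertion["authenticator_data"][:32] != expected_rp_hash:
        return False, "rpIdHash mismatch"
    expected_sig = authenticator_sign(credential_secret,
                                      assertion["authenticator_data"],
                                      assertion["client_data_json"])
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    challenge = rp_new_challenge()
    assertion = browser_get_assertion(CREDENTIAL_SECRET, challenge, REAL_ORIGIN)
    return relying_party_verify(CREDENTIAL_SECRET, REAL_ORIGIN, challenge, assertion)


def phished_login():
    """Proxy fetches a real challenge and feeds it to the victim's browser on the
    phishing origin; the browser still stamps the phishing origin into client data."""
    challenge = rp_new_challenge()
    assertion = browser_get_assertion(CREDENTIAL_SECRET, challenge, PHISH_ORIGIN)
    return relying_party_verify(CREDENTIAL_SECRET, REAL_ORIGIN, challenge, assertion)


def proxy_rewrites_origin():
    """Proxy patches origin and rpIdHash in what it forwards, but cannot re-sign."""
    challenge = rp_new_challenge()
    assertion = browser_get_assertion(CREDENTIAL_SECRET, challenge, PHISH_ORIGIN)
    forged = dict(assertion)
    forged["client_data_json"] = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": REAL_ORIGIN},
        separators=(",", ":")).encode()
    forged["authenticator_data"] = (hashlib.sha256(hostname(REAL_ORIGIN).encode()).digest()
                                    + assertion["authenticator_data"][32:])
    return relying_party_verify(CREDENTIAL_SECRET, REAL_ORIGIN, challenge, forged)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:   ", phished_login())
    print("rewritten: ", proxy_rewrites_origin())
```

Contrast this with a one-time code or a push approval: neither carries the origin, so a proxy can forward them unchanged and the real site accepts them. In the simulation the phished assertion fails on the origin check, and a proxy that edits the origin fails on the signature, because the signature covers the hash of the client data it tried to change.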
4. Rate Limit and Block Repeated MFA Push Requests
Configure your identity provider (Microsoft Entra ID, Okta, Duo) to cap the number of push challenges a single account can receive per login attempt or per short window. After a handful of denied or unanswered requests (3–5 is a common threshold), the account should be temporarily locked and the security team alerted. Where the platform has no native setting for this, build the detection from its sign-in logs (see strategy 7). Expect some self-inflicted lockouts: an attacker who already has the password can trigger the lockout deliberately, so the response playbook needs a fast, verified path to restore the user.
5. Train Employees to Recognize MFA Fatigue Attacks
Security awareness training should explicitly cover MFA fatigue. Employees should know: If you receive push notifications you didn’t initiate, DENY them all and call IT immediately. Never approve an MFA request you didn’t trigger. No IT team will ever ask you to approve an MFA request over the phone.
6. Deploy a Zero Trust Architecture
Zero Trust means no user, device, or session is trusted by default, even after MFA approval. Continuous verification, device health checks, and micro-segmentation mean that even if an attacker gets past MFA, they face multiple additional checkpoints.
7. Monitor for Anomalous MFA Activity in Real Time
Use your SIEM or identity threat detection platform to alert security teams when a user receives more than 3–5 MFA push requests in a short window. This is a near-certain indicator of an ongoing MFA fatigue attack. Fast detection = fast response = stopped breach.
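The detection logic that strategies 4 and 7 describe, as an added example that is not code from the article or from any SIEM or identity vendor: it replays a constructed set of sign-in events (a vendor-neutral JSON-lines shape, an assumption; Entra ID, Okta and Duo exports use their own field names and must be mapped first), keeps a 10-minute sliding window per user, and raises one alert when push challenges flood past the threshold and a second, higher-severity alert when an approval follows that flood or a run of denials and timeouts.

```python
"""Detect MFA push bombing from identity-provider sign-in events.

Added example, not code from the original article or any vendor. The log
format below is constructed and vendor-neutral; map real Entra ID, Okta or
Duo fields onto "ts", "user", "event", "ip", "country" before use.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # sliding window per user
FLOOD_THRESHOLD = 5                # pushes in one window before we alert
REJECTIONS_BEFORE_APPROVE = 2      # denies/timeouts that make a later approve suspicious

# Constructed sample: jdoe is bombed at 02:00 and finally approves; asmith
# performs one normal login. Timestamps, users and IPs are illustrative only.
SAMPLE_LOG = """\
{"ts":"2024-03-03T02:00:05Z","user":"jdoe","event":"push_sent","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:00:20Z","user":"jdoe","event":"push_denied","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:00:35Z","user":"jdoe","event":"push_sent","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:01:10Z","user":"jdoe","event":"push_timeout","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:01:15Z","user":"jdoe","event":"push_sent","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:01:50Z","user":"jdoe","event":"push_sent","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:02:05Z","user":"jdoe","event":"push_sent","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:02:30Z","user":"jdoe","event":"push_sent","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T02:03:00Z","user":"jdoe","event":"push_approved","ip":"203.0.113.7","country":"RU"}
{"ts":"2024-03-03T09:15:00Z","user":"asmith","event":"push_sent","ip":"198.51.100.4","country":"US"}
{"ts":"2024-03-03T09:15:08Z","user":"asmith","event":"push_approved","ip":"198.51.100.4","country":"US"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text, window=WINDOW, flood_threshold=FLOOD_THRESHOLD,
            rejections_before_approve=REJECTIONS_BEFORE_APPROVE):
    """Return alert dicts in the order their triggering events occur."""
    alerts = []
    sent = defaultdict(deque)       # user -> timestamps of pushes inside the window
    rejected = defaultdict(deque)   # user -> timestamps of deny/timeout inside the window
    flooded = set()                 # users already flagged for a flood (alert once)

    for e in parse_events(log_text):
        user, ts, kind = e["user"], e["ts"], e["event"]
        # Expire entries older than the window before counting anything.
        for queue in (sent[user], rejected[user]):
            while queue and ts - queue[0] > window:
                queue.popleft()

        if kind == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) >= flood_threshold and user not in flooded:
                flooded.add(user)
                alerts.append({
                    "type": "push_flood", "severity": "high", "user": user,
                    "at": ts.isoformat(), "ip": e["ip"], "country": e["country"],
                    "pushes_in_window": len(sent[user]),
                    "action": "lock account, alert SOC, contact user out of band",
                })
        elif kind in ("push_denied", "push_timeout"):
            rejected[user].append(ts)
        elif kind == "push_approved":
            reasons = []
            if user in flooded:
                reasons.append("flooded")
            if len(rejected[user]) >= rejections_before_approve:
                reasons.append("prior_rejections")
            if reasons:   # an approval after a flood or a string of denials is the breach signal
                alerts.append({
                    "type": "suspicious_approval", "severity": "critical",
                    "user": user, "at": ts.isoformat(), "ip": e["ip"],
                    "country": e["country"], "reasons": reasons,
                    "action": "revoke sessions, reset credentials, open incident",
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

Two design points: the flood alert fires on the fifth push, before the user has had a chance to give in, which is where an automated lock or an out-of-band call to the user buys the most; and the approval alert fires on the denials that preceded it regardless of the flood threshold, because a few denials followed by an approve is the exact sequence a vishing caller produces.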
8. Require Verified Push (App-Based Number Match + Biometric Unlock)
The most secure push-based configuration requires the user to:
- view the number on the login screen,
- open the authenticator app, which unlocks with a biometric like Face ID, and
- type the matching number.
This three-step friction removes the "accidental tap" failure mode. It does not stop a user who is talked into typing a number that an attacker reads to them over the phone, which is why training and monitoring remain part of the layered approach.
How do I prevent MFA fatigue attacks in my organization?
Preventing MFA fatigue attacks requires several layered controls:
- Enable number matching on push MFA: users must enter a number shown on the login screen before approving.
- Deploy phishing-resistant MFA like FIDO2 hardware keys for privileged accounts.
- Configure rate limiting so repeated push requests lock the account and alert your security team.
- Train employees to deny unexpected MFA requests and report them immediately.
- Implement Zero Trust architecture so that even a compromised approval doesn't give attackers unlimited access.
- Monitor for anomalous push activity in real time using your SIEM.
What Type of Social Engineering Attack Targets Biometrics and MFA?
A question that comes up frequently in security training is: what type of social engineering attack attempts to exploit biometrics? The answer is a hybrid attack that combines vishing (voice phishing), impersonation, and MFA fatigue.
Here’s how it works:
- The attacker researches the target employee (LinkedIn, company website, data breaches)
- They call the employee, impersonating IT support or a vendor
- They claim there’s an “urgent security issue” requiring verification
- They ask the employee to approve the MFA push “as part of verification”
- If the authenticator app is protected by a biometric, the attacker simply waits: the victim unlocks the app with Face ID or a fingerprint and approves the attacker's login with their own face or finger
Biometric MFA is not immune. The biometric proves who is holding the device; it does not prove that the login being approved belongs to that person. The device itself can also be compromised, and a user can be socially engineered into approving a session started from a device the attacker controls. This underscores why phishing-resistant MFA paired with Zero Trust is the gold standard, not biometrics alone.
Okta and MFA Fatigue: What Organizations Need to Know
Okta is one of the most widely deployed identity platforms in North America. It’s powerful, scalable, and widely trusted. But its push-based MFA, used without the right configuration, has been a target in multiple high-profile attacks, including the 0ktapus campaign.
If your organization uses Okta, ensure the following configurations are in place:
- Enable number challenge for Okta Verify push, and move users to Okta FastPass (device-bound and phishing-resistant) wherever possible
- Require phishing-resistant authenticators in the authentication policies that cover high-privilege accounts
- Configure Okta ThreatInsight to block suspicious login sources
- Set up Okta Workflows (or your SIEM, from the Okta System Log) to alert on repeated push denials and on an approval that follows them
- Restrict Okta admin console access to sessions authenticated with a hardware security key
Proper Okta configuration is not a one-time event. As threats evolve, your MFA policies must evolve with them. Periodic reviews by certified Okta professionals are strongly recommended.

Is Your MFA Strategy Protecting You, or Creating a False Sense of Security?
Most organizations implement MFA and never look back. Attackers are counting on this. Our cybersecurity experts conduct full MFA implementation reviews, identify your push bombing exposure, and build a phishing-resistant authentication strategy tailored to your business. Don’t wait for a breach to find out your MFA wasn’t configured correctly.
Schedule Your Free MFA Security Assessment Today
MFA Fatigue Attack Prevention Checklist for IT Teams
Use this checklist to assess your organization’s current MFA posture:
| Security Control | Status (Check if Implemented) |
|---|---|
| Number matching enabled on all push MFA | ☐ Done ☐ In Progress ☐ Not Started |
| Geographic/IP context shown in push notifications | ☐ Done ☐ In Progress ☐ Not Started |
| FIDO2/WebAuthn keys deployed for privileged accounts | ☐ Done ☐ In Progress ☐ Not Started |
| MFA push rate limiting configured (3–5 max attempts) | ☐ Done ☐ In Progress ☐ Not Started |
| Real-time SIEM alerts for push anomalies | ☐ Done ☐ In Progress ☐ Not Started |
| Employee MFA fatigue training completed | ☐ Done ☐ In Progress ☐ Not Started |
| Zero Trust architecture in place or in progress | ☐ Done ☐ In Progress ☐ Not Started |
| MFA policy reviewed in last 12 months | ☐ Done ☐ In Progress ☐ Not Started |
Industry Benchmark
CISA's fact sheets on implementing phishing-resistant MFA and on number matching (published October 2022) set the benchmark: FIDO2/WebAuthn-based authentication is the gold standard, and number matching is the recommended interim mitigation for organizations still on push-based MFA.
Standard push-based MFA, without number matching or rate limiting, remains vulnerable to fatigue attacks regardless of vendor.
Why Professional MFA Implementation Is a Business-Critical Investment
Many organizations deploy MFA through their existing software vendors, Microsoft 365, Google Workspace, Okta, without a strategic implementation plan. They check a box. Attackers check their watch.
Professional MFA implementation means:
- Selecting the right MFA methods for each user group and risk profile (FIDO2 for admins, number-match push for general staff)
- Configuring identity platforms (Entra ID, Okta, Duo) with security-hardened policies from day one
- Integrating MFA with Zero Trust, SIEM, and endpoint detection platforms
- Training employees with role-specific scenarios, not generic e-learning
- Building incident response playbooks for detected MFA fatigue events
- Performing regular red team exercises simulating push bombing and vishing attacks
The cost of a professional MFA implementation is a fraction of the average cost of a data breach, which IBM's 2024 Cost of a Data Breach Report puts at $4.88 million globally, and considerably higher for US organizations.
The question isn’t whether you can afford professional MFA implementation. It’s whether you can afford not to have it.

Conclusion: MFA Is Not Enough. The Right MFA Implementation Is.
MFA fatigue attacks represent a fundamental shift in how hackers operate. They’ve stopped fighting technology and started fighting people. And people, without the right training, tools, and configurations in place, will eventually make a mistake.
The good news: this threat is largely preventable. Organizations that implement phishing-resistant MFA, enforce number matching, rate limit push requests, train their teams, and monitor in real time are not the ones getting breached this way. The Cloudflare case proved it. The Cisco and Uber cases proved the cost of ignoring it.
Your MFA strategy is not a checkbox. It’s a living, breathing security control that needs expert implementation, continuous monitoring, and regular updates.
The question is simple: Is your organization protected, or just compliant?
