
What Is an MFA Fatigue Attack and How Does It Work?

Introduction

As organizations and individuals increasingly rely on multi-factor authentication (MFA) to protect online accounts, a newer form of cyberattack has emerged that exploits not a software flaw, but human behavior itself. This form of attack is known as an MFA fatigue attack, sometimes also called MFA bombing or MFA push spam. Instead of technically breaking the authentication system, attackers try to trick users into approving fraudulent login requests by overwhelming them with repeated authentication prompts. As push-based MFA becomes more common across enterprise systems, cloud applications, and consumer services, MFA fatigue attacks are rising, making it essential to understand how they work, why they are effective, and how to defend against them.

What Is Multi-Factor Authentication (MFA)?

Before explaining an MFA fatigue attack, it’s important to understand what MFA itself is. Multi-factor authentication is a security process that requires users to provide two or more types of verification before gaining access to a system. Common factors include: something you know (like a password), something you have (like a mobile device), and something you are (like a fingerprint). MFA adds a crucial second layer of defense beyond just a password, making unauthorized access significantly harder.

While MFA greatly improves security compared to single-factor methods, attackers have found ways to exploit the user interaction step — and that’s where MFA fatigue attacks come in.

What Is an MFA Fatigue Attack?

An MFA fatigue attack is a type of social engineering cybersecurity attack where attackers repeatedly send authentication prompts — such as push notifications or MFA approval requests — to a user’s device. The attacker’s goal is not to hack the MFA system itself, but to wear down or confuse the user until they eventually approve a fraudulent authentication request out of frustration or confusion.

Because the attack relies on human psychology rather than breaking technical controls, it is particularly effective against push-based MFA implementations that simply ask the user to “Approve” or “Deny” a login attempt without additional contextual information.

How MFA Fatigue Attacks Work

MFA fatigue attacks typically unfold in several stages:

1. Credential Compromise

Before launching an MFA fatigue attack, attackers first need the user’s login credentials — usually a username and password. These can be obtained through phishing emails, credential stuffing (using leaked passwords), malware, or even purchasing stolen credentials from underground marketplaces.

2. Triggering MFA Push Notifications

Once an attacker has valid credentials, they attempt to log in to the victim’s account. Because MFA is enabled, this first triggers a push notification or authentication request to the user’s registered device. The attacker then repeats the login attempt many times, generating a flood of MFA requests.

3. Bombarding the User

The user begins receiving multiple MFA prompts — sometimes dozens or even hundreds of notifications — in a short period. This constant barrage is known as push bombing or spamming MFA requests.

4. Psychological Pressure and Fatigue

At first, users may ignore or deny the suspicious prompts. But as the notifications persist, frustration grows. Many users may eventually approve a request simply to stop the flood, especially if they assume the prompts are due to a technical glitch or legitimate system maintenance.

5. Account Compromise

If the user finally approves an MFA request — even by mistake — the attacker gains full access to the system or service. Once inside, the attacker can move laterally, download sensitive information, or use the access for further attacks.

Many successful MFA fatigue attacks also include a social engineering component, where attackers contact the victim directly (for example, posing as IT support) to convince them that the notification is legitimate.

Real-World Examples and Scenarios

Example 1: Work Email Compromise

An employee at a global company receives dozens of push notifications late at night on their authenticator app. Assuming it’s a system glitch or automated system check after a VPN update, they press “Approve” just to silence the alerts. The attacker now has access to their work email and internal cloud systems.

Example 2: Contractor MFA Fatigue

A contractor working with a major tech firm receives persistent login prompts to their account. Believing it’s routine IT maintenance communicated by their employer, they approve one of the requests — unwittingly granting attackers access to the corporate network, which can be exploited later.

In both scenarios, the attackers did not “break” the MFA system; they exploited human behavior under stress or confusion.

Why MFA Fatigue Attacks Are Growing

Several factors are driving the increased frequency of MFA fatigue attacks:

  • Wider adoption of push-based MFA means attackers have more opportunities to exploit approval notifications.

  • Remote and distributed workforces mean users receive MFA prompts outside normal business hours, which can make the messages seem less suspicious.

  • Human psychological factors — annoyance, confusion, and desire to stop notifications — make users more likely to approve prompts erroneously.

For these reasons, MFA fatigue attacks are becoming one of the most effective methods of bypassing multi-factor authentication without needing advanced technical exploits.

Differences from Other MFA Bypass Techniques

Unlike credential stuffing (where many credential combinations are tried) or phishing (tricking users into entering credentials on fake sites), an MFA fatigue attack:

  • relies on repetitive push notifications, not technical vulnerabilities in the MFA system itself;

  • uses social psychology, not brute force;

  • often involves direct interaction with the real user, even if the attacker has stolen credentials.

Possible Risks and Consequences

If an MFA fatigue attack is successful, the potential consequences include:

  • Unauthorized access to email, cloud services, or corporate networks.

  • Data theft or leakage, including sensitive personal or corporate information.

  • Credential abuse, enabling further lateral movement within an enterprise environment.

  • Deployment of malware, ransomware, or further identity-based attacks.

Even accounts protected by MFA — traditionally seen as secure — can be compromised if the attack exploits human behavior.

How to Defend Against MFA Fatigue Attacks

1. Use Contextual or Number-Matching MFA

Rather than simple approve/deny notifications, use MFA that requires the user to enter, in the authenticator app, a number displayed on the login screen. A user who did not start the login never sees that number, so a prompt cannot be approved blindly or by accident.

2. Limit Push Notifications

Configure systems to limit the number of MFA prompts within a set timeframe to prevent push bombing.

3. Educate and Train Users

Users should be trained to recognize unsolicited MFA requests and understand that multiple unexpected prompts are a red flag.

4. Use Phishing-Resistant MFA Methods

Implement stronger authentication methods such as hardware security keys, biometrics, or FIDO2, which are more resistant to push spam.

5. Monitor for Abnormal MFA Activity

Security teams should monitor for unusual patterns of MFA requests (e.g., many requests in a short time, logins outside normal hours) to detect and respond to potential attacks early.
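As an added illustration (not code from the original article), the following Python sketch implements defenses 2 and 5 side by side: a per-user sliding-window limiter that stops sending push prompts once a budget is spent, and a detector that scans constructed MFA log lines for users who received more prompts than that budget allows and reports whether one was eventually approved. The window length, the prompt budget and the log format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample MFA log (not from any real product): "<UTC time> <user> <event>".
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice push_sent
2024-05-01T02:10:09Z alice push_denied
2024-05-01T02:10:40Z alice push_sent
2024-05-01T02:10:44Z alice push_denied
2024-05-01T02:11:30Z alice push_sent
2024-05-01T02:11:45Z alice push_approved
2024-05-01T09:15:00Z bob push_sent
2024-05-01T09:15:07Z bob push_approved
"""
WINDOW = timedelta(minutes=10)  # assumed policy: sliding window length
MAX_PUSHES = 2                  # assumed policy: prompts allowed per user per window


class PushRateLimiter:
    """Preventive control (defense 2): stop sending prompts once the per-user budget is spent."""
    def __init__(self, window=WINDOW, max_pushes=MAX_PUSHES):
        self.window, self.max_pushes = window, max_pushes
        self.sent = defaultdict(deque)  # user -> send times of prompts still inside the window

    def allow_push(self, user, now):
        q = self.sent[user]
        while q and now - q[0] > self.window:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= self.max_pushes:
            return False  # budget exhausted: suppress the prompt instead of bombing the user
        q.append(now)
        return True


def detect_push_bombing(log_text, window=WINDOW, threshold=MAX_PUSHES):
    """Detective control (defense 5): flag users who got more than `threshold` prompts in any `window`."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, event = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event))
    alerts = {}
    for user, evs in events.items():
        sent = sorted(ts for ts, e in evs if e == "push_sent")
        start, peak = 0, 0
        for i, ts in enumerate(sent):  # sliding window: longest run of sends inside `window`
            while ts - sent[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak > threshold:  # more prompts than policy allows: likely push bombing
            outcomes = [e for _, e in evs]
            alerts[user] = {"pushes_in_window": peak, "denied": outcomes.count("push_denied"),
                            "eventually_approved": "push_approved" in outcomes}
    return alerts
```

In the sample log, alice receives three prompts in under two minutes, denies two and approves the third, which is exactly the pattern the detector reports; bob's single approved prompt is left alone.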

Summary

An MFA fatigue attack is a social engineering tactic in which attackers repeatedly bombard a user with multi-factor authentication prompts — often via push notifications — hoping the user will eventually approve one out of annoyance, confusion, or fatigue. These attacks typically begin with stolen credentials and capitalize on human psychology rather than technical weaknesses in the authentication system. Once a user approves a fraudulent MFA request, attackers gain unauthorized access to accounts and systems, potentially leading to data breaches, credential abuse, or further cyberattacks. To defend against MFA fatigue attacks, organizations should adopt stronger MFA methods, train users to recognize suspicious approvals, limit push notification frequency, and closely monitor authentication activity.