Introduction
Multi-factor authentication (MFA) has become a cornerstone of modern security. By requiring users to prove their identity with something beyond a password — such as a code, biometric, or push notification — MFA dramatically reduces the risk of account takeover.
But attackers have adapted. A rising threat known as MFA fatigue (sometimes called MFA bombing) takes aim not at the technology, but at the human element behind it.
In this post, we’ll break down what MFA fatigue is, why it works, and how organizations can defend against it.
What is MFA Fatigue?
MFA fatigue occurs when an attacker repeatedly bombards a user with MFA requests, hoping to wear them down until they approve one.
For example:
A hacker steals an employee’s username and password.
They attempt to log in dozens (or hundreds) of times.
Each attempt triggers a push notification on the employee's phone asking them to approve the sign-in.
Eventually, the employee — annoyed, distracted, or assuming it's a system glitch — taps approve.
That single approval completes the login, and the attacker now holds a valid session for the account.
Why MFA Fatigue Works
MFA fatigue is powerful because it preys on human behavior:
Alert overload: Employees already get flooded with notifications. A few more may not raise alarm.
Automation tools: Attackers can script login attempts, sending hundreds of MFA requests in minutes (Microsoft Security Blog).
Conditioning: Users often approve pushes reflexively, without checking location or device context (NIST Digital Identity Guidelines).
Social engineering: Some attackers follow up with phone calls or texts, pretending to be IT support.
High-profile incidents — such as the 2022 Uber breach — demonstrate just how effective this tactic can be.
Real-World Impact
Uber (2022): Attackers spammed an employee with MFA requests, then messaged them on WhatsApp pretending to be IT. The worker eventually approved a prompt.
Microsoft Customers (2023): Campaigns abusing MFA fatigue were reported against enterprise Office 365 tenants (Proofpoint analysis).
Okta (2023): Even identity providers weren’t immune, confirming MFA fatigue attacks targeted their users (Okta Blog).
The lesson: if your organization relies only on tap-to-approve push MFA, with no number matching or context shown in the prompt, you are vulnerable.
How to Defend Against MFA Fatigue
Adopt phishing-resistant MFA
Use FIDO2 security keys, passkeys, or other WebAuthn-based authenticators where possible.
With these methods the authenticator signs a challenge bound to the site's origin, and approval happens on the user's own device (a key touch or an unlock). An attacker who holds only the password cannot trigger a prompt on the user's phone, so there is nothing to spam.
Enable number matching
With number matching, users must type a number shown on the login screen into their app, so a prompt cannot be approved blindly. The number is displayed on the attacker's login screen, not the victim's phone, which is exactly why a follow-up call or text "from IT" asking the user to read back or enter a number should be treated as an attack.
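The following is an added example (not code from the original post or from any vendor's product) showing why number matching defeats blind approval. It is a toy model of a push MFA server, kept deliberately simple: `begin_login` stands in for "correct password presented, push sent", and `approve` stands in for the tap in the authenticator app. The class and function names, the two-digit code length, and the `simulate_bombing` scenario are all assumptions for illustration.

```python
import secrets


class PushMfaServer:
    """Toy server-side model of push MFA (illustration only, not any real IdP).

    With number_matching=False a prompt is approved by a bare tap.
    With number_matching=True the app must send back the number that the
    login screen displayed, which the person at the login screen can see
    but the phone's owner cannot.
    """

    def __init__(self, number_matching, digits=2):
        self.number_matching = number_matching
        self.digits = digits
        self.pending = {}  # prompt_id -> {"user": ..., "number": ... or None}

    def begin_login(self, username):
        """Password was correct; issue one push prompt.

        Returns (prompt_id, number shown on the login screen, or None).
        """
        prompt_id = secrets.token_hex(4)
        number = None
        if self.number_matching:
            number = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.pending[prompt_id] = {"user": username, "number": number}
        return prompt_id, number

    def approve(self, prompt_id, entered=None):
        """Called from the authenticator app. Prompts are single-use."""
        prompt = self.pending.pop(prompt_id, None)
        if prompt is None:
            return False  # unknown, expired, or already consumed
        if not self.number_matching:
            return True  # plain push: a tap is enough
        if entered is None:
            return False  # user has no number to enter -> cannot approve blindly
        return secrets.compare_digest(entered, prompt["number"])


def simulate_bombing(server, prompts=5, attacker_relays_number=False):
    """Attacker holds the password and starts `prompts` logins in a row; each
    one pushes a prompt to the victim. The worn-down victim approves the most
    recent prompt. Returns True if the attacker ends up authenticated.

    attacker_relays_number models the follow-up social engineering: the
    attacker reads the number off their own login screen and tells the victim.
    """
    prompt_id = number = None
    for _ in range(prompts):
        prompt_id, number = server.begin_login("alice")
    entered = number if attacker_relays_number else None
    return server.approve(prompt_id, entered)


if __name__ == "__main__":
    print("plain push, blind approve:   ", simulate_bombing(PushMfaServer(False)))
    print("number matching, blind tap:  ", simulate_bombing(PushMfaServer(True)))
    print("number matching, number told:", simulate_bombing(PushMfaServer(True), attacker_relays_number=True))
```

The third scenario is the one to remember: number matching removes the "just tap approve" path, but a victim who is talked into typing a number that a caller reads out is still compromised. That is why training and the social-engineering warning below matter even after number matching is enabled.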
Educate employees
Train staff to recognize MFA fatigue attacks. Reinforce: multiple unexpected MFA requests = red flag.
Encourage users to report suspicious prompts immediately.
Monitor for anomalies
Set alerts for a burst of push prompts to one user in a short window, a prompt that is approved after several denied or expired prompts, prompts arriving outside business hours, and sign-ins from an unfamiliar location or device.
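As an added example (not code from the original post), here is a small detector that runs those rules over MFA push events. The log format (one JSON object per prompt with `ts`, `user`, `result`, `src_ip`), the sample lines, the rule names and the thresholds are all assumptions for illustration; map the field names to whatever your identity provider exports and tune the thresholds to your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One JSON object per push prompt,
# with the prompt outcome as recorded by the IdP. Addresses are RFC 5737 test nets.
SAMPLE_LOG = """\
{"ts": "2024-03-05T09:05:10Z", "user": "bob",   "result": "approved", "src_ip": "198.51.100.20"}
{"ts": "2024-03-05T02:14:05Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T02:14:40Z", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T02:15:12Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T02:15:50Z", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T02:16:31Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T02:17:04Z", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T02:17:45Z", "user": "alice", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2024-03-05T14:30:00Z", "user": "carol", "result": "approved", "src_ip": "198.51.100.33"}
"""


def parse_log(text):
    """Parse JSON-lines push events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events, window_minutes=10, prompt_threshold=5,
                       deny_threshold=3, business_hours=(8, 18)):
    """Return {user: [finding, ...]} for users whose prompt history looks like MFA bombing.

    Rules (thresholds are illustrative assumptions):
      push_flood            - prompt_threshold or more prompts inside one sliding window
      approve_after_denials - an approval preceded by deny_threshold+ denied/expired prompts
      after_hours_prompt    - a prompt outside business_hours (server-local hour)
    Each rule fires at most once per user per window to keep alert volume sane.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        last_fired = {}  # rule -> timestamp of the last alert for this user

        def fire(rule, e, **extra):
            prev = last_fired.get(rule)
            if prev is not None and e["ts"] - prev < window:
                return  # suppress duplicates inside one window
            last_fired[rule] = e["ts"]
            findings[user].append({"rule": rule, "ts": e["ts"].isoformat(),
                                   "src_ip": e["src_ip"], **extra})

        for i, e in enumerate(evs):
            recent = [x for x in evs[:i + 1] if e["ts"] - x["ts"] <= window]
            if len(recent) >= prompt_threshold:
                fire("push_flood", e, prompts=len(recent))
            if e["result"] == "approved":
                denials = sum(1 for x in recent[:-1] if x["result"] in ("denied", "timeout"))
                if denials >= deny_threshold:
                    fire("approve_after_denials", e, denials=denials)
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                fire("after_hours_prompt", e)
    return dict(findings)


if __name__ == "__main__":
    for user, items in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        for f in items:
            print(user, f)
```

On the constructed sample, `bob` and `carol` produce nothing, while `alice` trips all three rules: seven prompts in under four minutes at 02:14, and an approval after six denied or expired prompts. The `approve_after_denials` rule is the one worth paging on, since it is the exact moment the attack succeeds; the other two give you a chance to reach the user before that happens.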
Shut down legacy access paths
Disable legacy authentication paths such as IMAP, POP3, and other basic-auth protocols that cannot enforce MFA, and audit OAuth application permissions. Attackers who are blocked at the push prompt will look for a weaker route around it (Microsoft 365 basic auth deprecation).
Key Takeaways
MFA fatigue is a social engineering attack, not a flaw in MFA itself.
Attackers count on user frustration and alert fatigue to succeed.
Phishing-resistant MFA, user awareness, and adaptive monitoring are the strongest defenses.
Conclusion
MFA fatigue highlights an uncomfortable truth: even the best security controls can be undone by human error. For CISOs and IT leaders, the solution isn’t to abandon MFA — it’s to evolve.
By combining phishing-resistant authentication methods, smarter policies, and well-trained employees, organizations can stay ahead of attackers who rely on persistence and manipulation.
❓ FAQ: MFA Fatigue
What exactly is MFA fatigue?
It’s when attackers overwhelm users with repeated MFA prompts until they approve one out of annoyance or confusion.
Is push-based MFA unsafe?
Not inherently. Push MFA is effective, but it’s exploitable without safeguards like number matching or contextual prompts.
How can I tell if my organization is under attack?
Look for bursts of push prompts to a single user, several denied or expired prompts followed by an approval, or sign-in attempts from unfamiliar locations, IPs, or devices.
What’s the best long-term defense?
Phishing-resistant MFA methods such as passkeys or security keys, combined with adaptive authentication and user training.
Is SMS MFA a safe fallback?
No. SMS is highly vulnerable to SIM swap attacks and interception. If you must use it, restrict it to low-value accounts and push to adopt passkeys or keys instead.