Multi-factor authentication (MFA) has long been championed as one of the most effective defences against unauthorised access. By requiring a second form of verification beyond a password, MFA blocks the vast majority of automated credential attacks. Yet attackers are nothing if not resourceful, and a technique known as MFA fatigue — also called MFA bombing or push spam — has emerged as a disturbingly effective way to bypass this critical security layer.

TL;DR — Key Takeaways

  • How MFA fatigue attacks exploit push notifications to bypass multi-factor authentication
  • What an MFA fatigue attack is and why it matters for your security posture
  • Real-world examples that should alarm every business

Visual Overview

  Attacker has password -> Sends repeated MFA prompts -> User gets frustrated -> Approves to stop alerts -> Attacker gains access

If your organisation relies on push-based MFA (the kind that sends an "Approve" or "Deny" prompt to an employee's phone), this article is essential reading. We will examine how MFA fatigue attacks work, review real-world breaches that exploited this weakness, and outline the practical defences every small business should implement today.

What Is an MFA Fatigue Attack?

An MFA fatigue attack begins after the attacker has already obtained a victim's username and password — typically through credential stuffing, phishing, or purchasing credentials from dark-web marketplaces. With valid credentials in hand, the attacker repeatedly attempts to log in, triggering a flood of push notifications on the victim's device.

The psychology is simple but effective. The victim's phone buzzes dozens, sometimes hundreds, of times — at all hours of the day and night. Eventually, through sheer exhaustion, confusion, or the mistaken belief that the system is malfunctioning, the victim taps "Approve." That single tap grants the attacker full access to the account.

The Attack Chain Step by Step

  1. Credential acquisition: The attacker obtains valid login credentials through phishing, data breaches, or password cracking.
  2. Repeated login attempts: Using automated tools, the attacker submits the credentials to the target service over and over, each attempt generating a push notification.
  3. Notification flooding: The victim's device is bombarded with approval requests — sometimes accompanied by social engineering via phone call, text, or messaging apps.
  4. Accidental or frustrated approval: The victim approves one of the requests, either by mistake, out of frustration, or because the attacker impersonates IT support and instructs them to accept.
  5. Account compromise: The attacker gains authenticated access and proceeds to move laterally, escalate privileges, or exfiltrate data.

Real-World Examples That Should Alarm Every Business

The Uber Breach (2022)

Perhaps the most widely publicised MFA fatigue attack targeted Uber in September 2022. A threat actor affiliated with the Lapsus$ group obtained an Uber contractor's credentials and then bombarded the contractor with push notifications for over an hour. When the push spam alone did not work, the attacker contacted the contractor on WhatsApp, impersonating Uber IT support and instructing them to approve the request. The contractor complied, and the attacker gained access to Uber's internal systems, including Slack, Google Workspace, and privileged dashboards.

The Uber incident demonstrated that even large, well-resourced organisations are vulnerable when MFA relies solely on simple push approvals without additional verification steps.

Cisco Breach (2022)

Around the same time, Cisco disclosed a breach in which attackers used a combination of voice phishing (vishing) and MFA fatigue to compromise an employee's personal Google account. Because the employee had synced their corporate credentials through the browser, the attacker was able to pivot into Cisco's VPN. The breach underscored how personal and corporate security boundaries often overlap in dangerous ways.

Microsoft 365 Campaigns

Security researchers have documented widespread MFA fatigue campaigns targeting Microsoft 365 environments throughout 2023 and beyond. These attacks often target small and medium-sized businesses that use the default Microsoft Authenticator configuration without number matching enabled, making them especially relevant to the organisations that read this blog.

Why Push-Based MFA Is Vulnerable

It is important to recognise that push-based MFA is still significantly stronger than passwords alone. However, the "simple approve" model introduces a fundamental weakness: it requires no cognitive engagement from the user. Tapping "Approve" requires no context about what is being approved, from where, or by whom.

Several factors compound this vulnerability:

  • Notification overload: Modern employees already receive hundreds of notifications daily, making it easy to act on one reflexively.
  • Lack of context: Basic push prompts show minimal information about the login attempt (location, device, time), if any at all.
  • Social engineering amplification: Attackers often combine push spam with phone calls or messages impersonating IT, dramatically increasing success rates.
  • No rate limiting: Many identity providers do not limit the number of push notifications sent in a given timeframe.
  • 24/7 attack window: Attackers deliberately time their bombardments for late at night or early morning, when victims are groggy and more likely to approve without thinking.

Defending Against MFA Fatigue: Practical Steps

1. Enable Number Matching

Number matching (sometimes called "number challenge") is the single most effective defence against MFA fatigue. Instead of a simple "Approve/Deny" prompt, the login screen displays a two-digit number that the user must enter in their authenticator app. The attacker, who sees the number on the login screen, cannot complete the authentication unless the victim reads that specific number and types it in, and a victim who did not initiate the login has no way of knowing it. The protection is weaker when the attacker can reach the victim directly: someone who phones the victim posing as IT support, as in the Uber incident below, can simply read the number out, which is why number matching should be paired with the training described in step 5.

Microsoft made number matching the default for Authenticator in 2023, and most major identity providers now support it. If your organisation uses multi-factor authentication, verifying that number matching is enabled should be your first action after reading this article.
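To make the difference concrete, here is an added toy model of a push-MFA server in both modes. It is illustration code written for this article, not any identity provider's implementation; the class, method and field names are assumptions. With number matching on, an approval that does not carry the number shown on the login screen is rejected, so a reflexive tap on "Approve" grants nothing:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed illustration of the two push-MFA models contrasted above:
# a plain Approve/Deny prompt versus number matching. Not a vendor's code.
CHALLENGE_TTL_SECONDS = 60


@dataclass
class PushChallenge:
    user: str
    displayed_number: Optional[int]   # shown on the login screen, not in the app
    created_at: float
    consumed: bool = False


class PushMfaServer:
    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.challenges: Dict[str, PushChallenge] = {}

    def start_login(self, user: str) -> Tuple[str, Optional[int]]:
        """Password already verified; issue a push challenge.

        Returns (challenge_id, number): the number is what the login screen
        shows, i.e. what whoever is *attempting* the login gets to see.
        """
        challenge_id = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.number_matching else None
        self.challenges[challenge_id] = PushChallenge(user, number, time.time())
        return challenge_id, number

    def respond(self, challenge_id: str, approved: bool, entered: Optional[int] = None) -> bool:
        """Called by the authenticator app. Returns True only if login is granted."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.consumed:
            return False
        ch.consumed = True                      # one answer per prompt
        if time.time() - ch.created_at > CHALLENGE_TTL_SECONDS:
            return False                        # stale prompt, never honoured
        if not approved:
            return False
        if not self.number_matching:
            return True                         # a reflexive tap is enough
        # The app user must type the number shown on the login screen; a user
        # who did not start this login has no way of knowing it.
        return entered == ch.displayed_number
```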

2. Implement Additional Context in Push Notifications

Configure your identity provider to display geographic location, IP address, and application name in push notifications. When a user in London sees a login attempt from a data centre in Eastern Europe, they are far less likely to approve it. This additional context transforms MFA from a reflexive tap into an informed decision.

3. Set Rate Limits and Lockouts

Configure your authentication system to limit the number of MFA prompts that can be sent within a defined period. After a threshold — say three unanswered prompts in five minutes — the account should be temporarily locked and the security team alerted. This prevents the bombardment that is essential to the attack's success.

4. Adopt Phishing-Resistant MFA

The strongest defence is to move beyond push notifications entirely. Phishing-resistant MFA methods include:

  • FIDO2/WebAuthn security keys: Physical hardware keys (such as YubiKeys) that use public-key cryptography and are immune to MFA fatigue, phishing, and man-in-the-middle attacks.
  • Platform authenticators: Built-in biometric authenticators like Windows Hello or Apple Face ID/Touch ID that are bound to specific devices.
  • Certificate-based authentication: Digital certificates stored on managed devices that verify both user and device identity.

For small businesses, FIDO2 security keys have become remarkably affordable — typically costing between $25 and $50 per key. When you consider the cost of a single breach, equipping every employee with a hardware key is a bargain.

5. Train Employees to Recognise and Report

Even with technical controls in place, employee awareness remains critical. Your security awareness training programme should cover:

  • What MFA fatigue attacks look like and why they work.
  • The absolute rule: never approve an MFA prompt you did not initiate.
  • How to report unexpected MFA prompts to the security or IT team immediately.
  • That legitimate IT support will never ask you to approve an MFA prompt over the phone.

Simulated MFA fatigue exercises — where the security team sends unexpected test prompts and monitors how employees respond — can be extremely effective at reinforcing this training.

6. Monitor for Anomalous Authentication Patterns

Implement monitoring that flags unusual authentication behaviour, such as multiple failed MFA challenges from a single account in a short period, login attempts from unusual locations or IP addresses, and logins at atypical hours. AI-powered threat detection tools can identify these patterns automatically and trigger alerts or account lockdowns before an attacker succeeds.
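An added example, not from the original article, that covers both the rate-limit threshold in step 3 and the monitoring in this step: a small Python detector that runs over constructed sample log lines in an assumed key=value format (not any real identity provider's schema), flags any account with three unanswered or denied push prompts within five minutes for lockout, and escalates the alert if an approval follows the flood.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not a real IdP's schema.
SAMPLE_LOG = """\
2024-05-03T02:14:07Z user=alice event=mfa_push result=no_response ip=203.0.113.45
2024-05-03T02:14:39Z user=alice event=mfa_push result=denied ip=203.0.113.45
2024-05-03T02:15:12Z user=alice event=mfa_push result=no_response ip=203.0.113.45
2024-05-03T02:16:50Z user=alice event=mfa_push result=approved ip=203.0.113.45
2024-05-03T09:01:00Z user=bob event=mfa_push result=approved ip=198.51.100.7
2024-05-03T13:20:00Z user=carol event=mfa_push result=no_response ip=198.51.100.9
2024-05-03T13:40:00Z user=carol event=mfa_push result=no_response ip=198.51.100.9
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)
THRESHOLD = 3                  # unanswered/denied prompts ...
WINDOW = timedelta(minutes=5)  # ... within this period triggers a lockout alert


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["result"], m["ip"]


def detect_push_floods(log_text):
    """Return one alert per user crossing the threshold ('lockout'),
    escalated to 'possible_compromise' if an approval follows the flood."""
    alerts = {}
    recent = defaultdict(deque)  # user -> timestamps of unanswered/denied prompts
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if result in ("no_response", "denied"):
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop prompts outside the window
                q.popleft()
            if len(q) >= THRESHOLD and user not in alerts:
                alerts[user] = {"user": user, "severity": "lockout", "ip": ip,
                                "first": q[0], "last": ts, "prompts": len(q)}
        elif result == "approved" and user in alerts and ts - alerts[user]["last"] <= WINDOW:
            alerts[user]["severity"] = "possible_compromise"  # flood then approval
    return list(alerts.values())
```

In the sample, carol's two prompts are twenty minutes apart and never reach the threshold, while alice's three prompts in just over a minute followed by an approval produce the escalated alert.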

Building a Layered MFA Strategy

No single defence is sufficient. The most resilient organisations layer multiple protections:

  1. Strong password hygiene: Use unique, complex passwords managed by a business password manager to reduce the likelihood of credential theft in the first place.
  2. Phishing-resistant MFA: Deploy FIDO2 keys or platform authenticators for all privileged and high-risk accounts.
  3. Number matching: Enable number matching for any accounts that still use push-based MFA.
  4. Conditional access policies: Restrict logins based on device compliance, network location, and risk score.
  5. Continuous monitoring: Alert on and investigate anomalous authentication patterns.
  6. Employee training: Ensure every team member understands MFA fatigue and knows how to respond.

What to Do If You Suspect an MFA Fatigue Attack

If an employee reports receiving unexpected MFA prompts, treat it as a potential security incident:

  • Immediately deny all pending prompts and instruct the employee not to approve any further requests.
  • Reset the user's password since the attacker has already obtained it.
  • Review authentication logs for the affected account to determine the source and scope of the attack.
  • Check for any approved sessions that may indicate the attacker already gained access.
  • Revoke all active sessions for the compromised account.
  • Investigate lateral movement if any session was approved, and follow your breach notification procedures as appropriate.

The Future of MFA Attacks

As organisations adopt number matching and phishing-resistant MFA, attackers will continue to evolve. We are already seeing AI-powered social engineering tactics that combine MFA fatigue with highly convincing voice calls from deepfaked IT support staff. The arms race between defenders and attackers continues, but the fundamentals remain clear: eliminate simple push approvals, adopt phishing-resistant authentication wherever possible, and ensure your people are trained to recognise and resist these attacks.

MFA fatigue is not a failure of multi-factor authentication as a concept — it is a failure of the simplest implementation of it. By understanding the attack, hardening your configurations, and training your team, you can ensure that your MFA remains the powerful defence it was always intended to be.