The current landscape of MFA adoption 

The cyber landscape is rapidly evolving. Organizations are under constant pressure to secure systems and sensitive data. Threats are growing at an exponential pace, requiring businesses to be able to adapt and reinforce security measures.  

Multi-factor authentication (MFA) has become a foundational piece for cybersecurity strategies as an effective method to secure user access and mitigate several risks associated with credential theft. 

While MFA enhances security, it is not without challenges. Organizations often struggle with user adoption and overlook usability because they are too focused on security measures. This can result in end users bypassing MFA out of frustration.  

Benefits of implementing adaptive MFA 

MFA, specifically adaptive MFA, plays a crucial part in fortifying an organization's defenses. 

The purpose of MFA is to provide an additional layer of security by requiring users to verify their identity with more than one factor. Combining factors from different categories (something you know, something you have and something you are) establishes that the end user is who they claim to be. Methods of verification include passwords, one-time passcodes and biometrics. Compounding authentication factors helps to confirm the user's identity and reduces the risk of a bad actor gaining unauthorized access with a stolen password alone. 

Adaptive MFA takes this a step further by assessing risk factors such as registered device type, location and behavioral analysis before allowing access. This approach minimizes friction for legitimate users and increases security by denying access when suspicious behavior is detected. 
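To make the adaptive evaluation concrete, here is a small risk-scoring policy engine written for this article as an added example; it is not code from any vendor product. The signals (registered device, usual country, usual working hours, recent failed attempts), the weights and the allow/step-up/deny thresholds are all assumptions chosen for illustration.

```python
"""Toy adaptive-MFA policy: score a login request from context signals and
decide whether to allow, require an additional factor, or deny.
Added example; signal set, weights and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour_utc: int                 # hour of day (0-23) the request arrived
    failed_attempts_last_hour: int


@dataclass
class UserProfile:
    registered_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # hypothetical typical working window (UTC)


# Hypothetical weights: how much each anomalous signal adds to the risk score.
WEIGHTS = {
    "unregistered_device": 40,
    "unusual_country": 30,
    "off_hours": 15,
    "recent_failures": 25,
}

# Hypothetical decision thresholds on the summed score.
DENY_AT = 70
STEP_UP_AT = 30


def risk_score(ctx: LoginContext, profile: UserProfile):
    """Return (score, reasons) describing which signals looked anomalous."""
    score, reasons = 0, []
    if ctx.device_id not in profile.registered_devices:
        score += WEIGHTS["unregistered_device"]
        reasons.append("unregistered_device")
    if ctx.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if ctx.hour_utc not in profile.usual_hours:
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    if ctx.failed_attempts_last_hour >= 3:
        score += WEIGHTS["recent_failures"]
        reasons.append("recent_failures")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile) -> str:
    """Map the risk score to a policy outcome: 'allow', 'step_up' or 'deny'."""
    score, _ = risk_score(ctx, profile)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed profile and requests, not real data.
    alice = UserProfile(registered_devices={"laptop-01"}, usual_countries={"US"})
    normal = LoginContext("alice", "laptop-01", "US", 10, 0)
    travel = LoginContext("alice", "laptop-01", "FR", 10, 0)
    hostile = LoginContext("alice", "unknown-phone", "RO", 3, 5)
    for ctx in (normal, travel, hostile):
        print(ctx.device_id, ctx.country, risk_score(ctx, alice), decide(ctx, alice))
```

A legitimate user on a registered device from a usual country is allowed with no friction; a user travelling only trips the country signal and gets a step-up challenge; a request from an unknown device, unfamiliar country, off hours and after repeated failures accumulates enough score to be denied outright, which is the "minimize friction, deny on suspicion" trade-off described above.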

What is MFA Bombing? 

MFA Bombing, also known as MFA Fatigue, is a social engineering attack that exploits push-based authentication methods. The attack consists of a bad actor repeatedly sending MFA prompts to the targeted user's device, flooding them with notifications in an attempt to overwhelm the user and get them to click the prompt to allow access. Once the fatigued user grants the request, the attacker can gain access to the user account. 

How MFA Bombing works 

Step 1: Credential theft—A bad actor will use tactics such as phishing, credential stuffing or a data breach in an attempt to obtain user credentials. 

Step 2: Spamming MFA request—After obtaining the user's credentials, the attacker will persistently send MFA push notifications to the targeted user's device. 

Step 3: Exploiting fatigue—The attacker attempts to create prompt fatigue by flooding the target with repeated MFA prompts, hoping the user will click the prompt that allows the request and grants access. 

Step 4: Account takeover—Once access has been acquired, the attacker can laterally move around the network in an attempt to extract data, elevate privileges, and cause damage to the organization. 

How to recognize an MFA Bombing attack 

Patterns or indicators of a suspected MFA Bombing attack: 

  • An influx of unexpected MFA requests
  • Notifications appearing at odd hours or from unfamiliar locations
  • Users contacting the help desk to report confusion about repeated authentication prompts
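The indicators above can be checked mechanically against the identity provider's push-notification logs. The following detector is an added example written for this article, not code from any product: it parses constructed sample log lines in an assumed key=value format and flags bursts of prompts, off-hours prompts, prompts from a country outside the user's baseline, and an approval that follows repeated denials. The thresholds and the per-user geo baseline are assumptions.

```python
"""Scan MFA push logs for MFA-bombing indicators.
Added example; log format, thresholds and baselines are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). bob is a normal login;
# alice receives a burst of night-time prompts from an unfamiliar country
# and eventually approves one.
SAMPLE_LOG = """\
2024-05-02T09:01:10Z user=bob event=push_sent src_ip=198.51.100.4 geo=US
2024-05-02T09:01:25Z user=bob event=push_approved src_ip=198.51.100.4 geo=US
2024-05-02T02:13:05Z user=alice event=push_sent src_ip=203.0.113.7 geo=RO
2024-05-02T02:13:20Z user=alice event=push_denied src_ip=203.0.113.7 geo=RO
2024-05-02T02:13:41Z user=alice event=push_sent src_ip=203.0.113.7 geo=RO
2024-05-02T02:13:55Z user=alice event=push_denied src_ip=203.0.113.7 geo=RO
2024-05-02T02:14:10Z user=alice event=push_sent src_ip=203.0.113.7 geo=RO
2024-05-02T02:14:30Z user=alice event=push_sent src_ip=203.0.113.7 geo=RO
2024-05-02T02:14:50Z user=alice event=push_sent src_ip=203.0.113.7 geo=RO
2024-05-02T02:15:02Z user=alice event=push_approved src_ip=203.0.113.7 geo=RO
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"src_ip=(?P<ip>\S+) geo=(?P<geo>\S+)$"
)

# Tunable thresholds (assumptions, not any vendor's defaults).
BURST_COUNT = 5                      # prompts ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window
QUIET_HOURS = range(0, 6)             # 00:00-05:59 UTC treated as off-hours
DENIALS_BEFORE_APPROVAL = 2           # denials that make a later approval suspicious
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}}   # constructed per-user baseline


def parse(log_text: str):
    """Parse the key=value lines into dicts; timestamps become naive UTC datetimes."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect(events):
    """Return a list of (user, indicator, detail) findings."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e for e in evs if e["event"] == "push_sent"]

        # 1. Influx of prompts: sliding window over the prompts issued.
        for i, first in enumerate(sent):
            in_window = [s for s in sent[i:] if s["ts"] - first["ts"] <= BURST_WINDOW]
            if len(in_window) >= BURST_COUNT:
                findings.append((user, "burst", f"{len(in_window)} prompts within {BURST_WINDOW}"))
                break

        # 2. Prompts at odd hours.
        if any(e["ts"].hour in QUIET_HOURS for e in sent):
            findings.append((user, "off_hours", "push prompts during quiet hours"))

        # 3. Prompts originating outside the user's usual countries.
        unfamiliar = {e["geo"] for e in sent} - KNOWN_GEO.get(user, set())
        if unfamiliar:
            findings.append((user, "unfamiliar_geo", ",".join(sorted(unfamiliar))))

        # 4. Fatigue pattern: the user denied several prompts, then approved one.
        denials = 0
        for e in evs:
            if e["event"] == "push_denied":
                denials += 1
            elif e["event"] == "push_approved" and denials >= DENIALS_BEFORE_APPROVAL:
                findings.append((user, "approved_after_denials", f"{denials} denials before approval"))
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

The fourth check is the one worth prioritising in triage: a burst alone may be a confused user retrying, but denials followed by an approval from the same unfamiliar source is the signature of a user giving in to fatigue, and the session that approval created should be reviewed and revoked.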

Mitigate and respond to MFA Bombing attacks 

  1. Use phishing-resistant authentication—Implement FIDO2-based authentication (e.g., passkeys, security keys) to reduce reliance on push notifications.
  2. Limit MFA prompt attempts—Set your policies to restrict the number of allowed MFA attempts within a given period.
  3. Enable number matching and contextual MFA—Require users to input a randomly generated number displayed on the login screen, reducing the risk of accidental approvals.
  4. End user education—Train employees to recognize these attacks and instruct them never to approve requests they did not initiate.
  5. Monitor authentication logs—Continuously review login activity for suspicious patterns and unauthorized access attempts.
  6. Report and investigate—If an MFA bombing attack occurs, users should report it immediately, and security teams should investigate the source of the login attempts.
  7. Document response plans—Define and document response procedures, specifying which incidents require further investigation and when to take immediate action.
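Controls 2 and 3 above are simple to express in code. The class below is an added example written for this article, not any identity provider's implementation: it models the server side of push MFA with a per-user prompt rate limit and number matching, beside the legacy tap-to-approve behaviour the attack relies on. The limits (three prompts per five minutes, a 60-second challenge lifetime, a two-digit code) are assumptions; `FakeClock` exists only so the behaviour can be demonstrated without waiting.

```python
"""Push MFA with prompt rate limiting and number matching.
Added example; limits and the two-digit code length are assumptions."""
import secrets
import time
from collections import defaultdict, deque

MAX_PROMPTS = 3        # prompts a user may receive per window (assumption)
WINDOW_SECONDS = 300   # length of the rate-limit window
CHALLENGE_TTL = 60     # seconds a displayed number stays valid


class FakeClock:
    """Controllable clock so the demo and tests need not sleep."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class PushVerifier:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.history = defaultdict(deque)  # user -> timestamps of prompts issued
        self.pending = {}                  # user -> (number, expiry)
        self.flagged = set()               # users whose prompts were suppressed

    def request_prompt(self, user):
        """Issue a push prompt. Returns the number to show on the login screen,
        or None when the user has already been prompted MAX_PROMPTS times
        in the window (suppress the push and raise an alert instead)."""
        now = self.clock()
        q = self.history[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                    # drop prompts outside the window
        if len(q) >= MAX_PROMPTS:
            self.flagged.add(user)
            return None
        q.append(now)
        number = secrets.randbelow(100)    # random two-digit code
        self.pending[user] = (number, now + CHALLENGE_TTL)
        return number

    def approve(self, user, typed_number) -> bool:
        """Number matching: the approval succeeds only if the user types the
        number shown on the login screen, and only while the challenge is live.
        Each challenge can be answered once."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        number, expiry = entry
        if self.clock() > expiry:
            return False
        try:
            return int(typed_number) == number
        except (TypeError, ValueError):
            return False

    def approve_legacy(self, user) -> bool:
        """The weak setting: any tap approves the pending prompt, so a fatigued
        user can let the attacker in without seeing the login screen."""
        return self.pending.pop(user, None) is not None


def simulate_bombing(verifier: PushVerifier, user: str, attempts: int) -> int:
    """Count how many of `attempts` rapid prompt requests reach the device."""
    return sum(1 for _ in range(attempts) if verifier.request_prompt(user) is not None)


if __name__ == "__main__":
    clk = FakeClock()
    v = PushVerifier(clock=clk)
    print("prompts delivered out of 10:", simulate_bombing(v, "alice", 10))
    print("flagged:", v.flagged)
    clk.t += WINDOW_SECONDS + 1           # window expires, prompting resumes
    n = v.request_prompt("alice")
    print("wrong number accepted:", v.approve("alice", (n + 1) % 100))
```

Rate limiting caps the number of notifications an attacker with a stolen password can generate, which blunts the fatigue tactic and produces a clear alert; number matching removes the accidental-approval path entirely, because a user who has not looked at the attacker's login screen cannot know the number to type.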

Protecting against MFA Bombing requires a proactive approach that combines user awareness, security controls and advanced authentication methods. If you're interested in learning more, our experts are ready to help you harden your MFA security.