Multi-factor authentication fatigue

MFA fatigue (also called push bombing or prompt bombing) is an attack technique aimed at users of push-notification multi-factor authentication, the kind where a phone app asks “Do you approve this login?” and offers Approve/Deny buttons.

In an MFA fatigue attack, an adversary who already holds a user’s password (from phishing, credential stuffing or a breach dump) submits it repeatedly, and each attempt sends another push approval request to the user’s device. The goal is to wear down, confuse, or trick the user into eventually approving one of the prompts, whether by mistake or just to make the notifications stop. The attacker turns MFA’s reliance on an explicit user decision into a weakness: every failed attempt is free for the attacker and costs the user attention, so the attacker simply keeps trying until one prompt is approved.

This method has been used in real breaches where attackers, after stealing credentials, spam the victim with MFA requests and sometimes even contact the user by phone or chat, posing as IT support, to urge them to approve.

How does it affect identity security?

MFA fatigue attacks exploit human behavior to undermine MFA’s protection. They show that while MFA is critical, user experience and education matter: a user overwhelmed by endless prompts may eventually tap “Yes” out of confusion or fatigue, which defeats the purpose of the second factor. This attack vector has gained prominence as more organizations adopt MFA; rather than breaking the second factor itself, attackers target the user’s attention.

The importance for identity security is clear: it’s not enough to deploy MFA; the MFA method must also be user-friendly and resistant to this attack. Many organizations now use MFA solutions that incorporate “number matching” or additional context (e.g., the login screen shows a number that the user must type into the app, and the app may also show the location and application the request came from) to prevent blind approval. A user who did not start the login never sees the number, so they cannot approve the prompt no matter how many times it is sent; the attacker, who sees the number on their own screen, cannot get it to the user without contacting them directly, which turns a silent attack into one the user is far more likely to notice and report.

Additionally, user education is key: users should be trained that multiple unsolicited MFA prompts are a red flag, that the right response is to deny the prompt (a denial is a signal the identity provider can act on, whereas an ignored prompt just times out), and that they should report it to security rather than approve. The rise of push bombing led identity providers like Microsoft to enforce number matching for Microsoft Authenticator push notifications by default across all tenants (from May 2023), and services like Duo to add fatigue-resistant options such as Verified Push.
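To make the difference concrete, here is an added example (written for this page; it is not code from Okta, Microsoft, Duo or any other vendor) that simulates a toy push-MFA server in both modes and runs the same push-bombing loop against each. The user store, the stolen password, the challenge format and the 0 to 99 number range are assumptions made for the demonstration.

```python
"""Toy push-MFA server: plain Approve/Deny prompt versus number matching.
Constructed for illustration; not any vendor's implementation."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed user store. The attacker is assumed to already hold this password.
USERS = {"alice": "Winter2024!"}


@dataclass
class Challenge:
    """One push prompt. `number` is shown only on the sign-in screen of whoever
    started the login; the phone app never receives it."""
    cid: str
    user: str
    number: int
    state: str = "pending"   # pending | approved | denied


class PushMfaServer:
    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.challenges: dict[str, Challenge] = {}
        self.sessions: list[str] = []   # users whose login completed

    def start_login(self, user: str, password: str) -> Optional[Challenge]:
        """First factor. On success, create a push prompt and hand the challenge
        (including its number) back to the sign-in screen that requested it."""
        if USERS.get(user) != password:
            return None
        ch = Challenge(secrets.token_hex(4), user, secrets.randbelow(100))
        self.challenges[ch.cid] = ch
        return ch

    def pending_prompts(self, user: str) -> list[str]:
        """What the phone app sees: pending challenge ids, without the number."""
        return [c.cid for c in self.challenges.values()
                if c.user == user and c.state == "pending"]

    def respond(self, cid: str, approve: bool,
                typed_number: Optional[int] = None) -> bool:
        """Phone-app response. Returns True only if the login completed."""
        ch = self.challenges[cid]
        if ch.state != "pending":
            return False
        if not approve or (self.number_matching and typed_number != ch.number):
            ch.state = "denied"   # a missing or wrong number counts as a deny
            return False
        ch.state = "approved"
        self.sessions.append(ch.user)
        return True


def legitimate_login(server: PushMfaServer) -> bool:
    """Alice signs in herself: her own screen shows the number, so she can type it."""
    ch = server.start_login("alice", "Winter2024!")
    return server.respond(ch.cid, approve=True, typed_number=ch.number)


def push_bombing(server: PushMfaServer, attempts: int = 20) -> dict:
    """Attacker replays the stolen password `attempts` times. The fatigued victim
    denies every prompt but the last and taps Approve on that one. The victim is
    not looking at the attacker's screen, so with number matching there is
    nothing for them to type (modelled as typed_number=None)."""
    for _ in range(attempts):
        server.start_login("alice", "Winter2024!")
    prompts = server.pending_prompts("alice")
    for cid in prompts[:-1]:
        server.respond(cid, approve=False)
    got_in = server.respond(prompts[-1], approve=True, typed_number=None)
    return {"prompts_sent": len(prompts), "attacker_logged_in": got_in}


if __name__ == "__main__":
    for mode in (False, True):
        srv = PushMfaServer(number_matching=mode)
        print("number_matching=%s legitimate=%s bombing=%s"
              % (mode, legitimate_login(srv), push_bombing(srv)))
```

With plain push the bombing succeeds on the twentieth prompt; with number matching the legitimate login still works but the bombed user has no number to enter and the attacker never gets a session. Note that the toy server does nothing about the twenty prompts themselves; rate limiting or locking push after a few consecutive denials is a separate control worth layering on top.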

Case studies

The 2022 Okta breach (which impacted Okta’s subprocessor Sitel and several Okta customers) highlighted MFA fatigue in action. Attackers obtained a contractor’s VPN password for Sitel (which had access to Okta support tools) and then repeatedly tried to log in, sending a barrage of Okta Verify push notifications to the contractor’s phone. After many prompts, the contractor eventually approved one, thinking it might be an IT issue, which allowed the attackers into the support VPN. From there, they reached Okta’s customer support portal and could view some customer data. While Okta maintained the impact was limited, the breach was eye-opening industry-wide: it showed how even tech-savvy employees at a company focused on identity security could be duped by MFA fatigue. In its aftermath, Okta accelerated its rollout of number matching and user education around unexpected prompts.

Another example involved Microsoft 365 accounts at a university: an attacker used stolen credentials to spam users with MFA approvals at odd hours. One fatigued user accepted, and the attacker created mailbox rules that forwarded copies of all the user’s email to an external address (a common post-compromise step in business email compromise, used to siphon mail quietly). The compromise wasn’t discovered until weeks later. Afterwards, the university enabled Azure AD’s “fraud alert” feature (which lets a user flag an unexpected prompt from the prompt itself and can automatically block the account until an administrator reviews it) and trained staff that any surprise MFA prompt should be denied and security informed.
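The university incident above went unnoticed for weeks, yet the pattern it leaves in sign-in logs is distinctive: a burst of push prompts the user denied or ignored, then a single approval, all from one source. Here is an added example (not part of the original article, and not any product’s own detection rule) that runs that logic over constructed sign-in events. The JSON-lines format, field names, threshold and time window are assumptions made for the example; a real deployment would map them onto the identity provider’s own sign-in log schema.

```python
"""Sliding-window detection of push bombing over constructed sign-in events."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, loosely shaped like IdP sign-in logs. Field names and
# values are invented for this example. alice is bombed at 02:00 and finally
# approves; bob fat-fingers one prompt then approves; carol's denials are hours apart.
SAMPLE_LOG = """\
{"ts":"2024-03-04T02:11:05Z","user":"alice@example.edu","ip":"203.0.113.7","method":"push","result":"denied"}
{"ts":"2024-03-04T02:11:31Z","user":"alice@example.edu","ip":"203.0.113.7","method":"push","result":"timeout"}
{"ts":"2024-03-04T02:12:02Z","user":"alice@example.edu","ip":"203.0.113.7","method":"push","result":"denied"}
{"ts":"2024-03-04T02:12:40Z","user":"alice@example.edu","ip":"203.0.113.7","method":"push","result":"denied"}
{"ts":"2024-03-04T02:13:15Z","user":"alice@example.edu","ip":"203.0.113.7","method":"push","result":"timeout"}
{"ts":"2024-03-04T02:14:02Z","user":"alice@example.edu","ip":"203.0.113.7","method":"push","result":"approved"}
{"ts":"2024-03-04T09:00:10Z","user":"bob@example.edu","ip":"198.51.100.2","method":"push","result":"denied"}
{"ts":"2024-03-04T09:01:00Z","user":"bob@example.edu","ip":"198.51.100.2","method":"push","result":"approved"}
{"ts":"2024-03-04T09:30:00Z","user":"carol@example.edu","ip":"192.0.2.9","method":"push","result":"denied"}
{"ts":"2024-03-04T11:30:00Z","user":"carol@example.edu","ip":"192.0.2.9","method":"push","result":"denied"}
{"ts":"2024-03-04T13:30:00Z","user":"carol@example.edu","ip":"192.0.2.9","method":"push","result":"denied"}
{"ts":"2024-03-04T15:30:00Z","user":"carol@example.edu","ip":"192.0.2.9","method":"push","result":"denied"}
"""

THRESHOLD = 3                     # negative push results inside the window before alerting
WINDOW = timedelta(minutes=10)    # how close together the prompts must be
NEGATIVE = {"denied", "timeout"}  # prompts the user rejected or ignored both count


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON lines and return events sorted by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def _alert(severity: str, user: str, q: deque, reason: str) -> dict:
    return {
        "severity": severity,
        "user": user,
        "reason": reason,
        "negative_prompts": len(q),
        "source_ips": sorted({e["ip"] for e in q}),
        "first": q[0]["ts"].isoformat(),
        "last": q[-1]["ts"].isoformat(),
    }


def detect_push_bombing(log_text: str, threshold: int = THRESHOLD,
                        window: timedelta = WINDOW) -> list[dict]:
    """Per user, keep a sliding window of negative push results.
    Crossing `threshold` fires a 'medium' alert (the user is being bombed).
    An approval while the window is still at or above threshold fires 'high'
    (the bombing very likely worked; treat the account as compromised)."""
    windows: dict[str, deque] = defaultdict(deque)
    alerts: list[dict] = []
    for ev in parse_events(log_text):
        if ev.get("method") != "push":
            continue
        q = windows[ev["user"]]
        while q and ev["ts"] - q[0]["ts"] > window:   # expire old negatives
            q.popleft()
        if ev["result"] in NEGATIVE:
            q.append(ev)
            if len(q) == threshold:   # fire once, when the threshold is first crossed
                alerts.append(_alert("medium", ev["user"], q,
                                     "repeated denied/unanswered push prompts"))
        elif ev["result"] == "approved" and len(q) >= threshold:
            alerts.append(_alert("high", ev["user"], q,
                                 "approval after repeated denials: likely successful push bombing"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(json.dumps(a))
```

Only alice produces alerts: a medium one when her third negative result lands within ten minutes, then a high one when the approval follows five negatives. bob’s single denial and carol’s widely spaced denials stay below the threshold, which is the point of using a window rather than a raw count. A high alert should be handled as an incident: reset the password, revoke sessions and tokens, and check for newly created mailbox forwarding rules like the ones in the university case.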
