MFA prompt bombing, also known as MFA fatigue attacks, exploits human psychology rather than technical vulnerabilities. Attackers who have already stolen credentials flood victims with dozens or hundreds of push notification authentication requests until users accidentally approve one or simply accept it out of frustration. This technique has been successfully used in high-profile breaches including Uber, Cisco, and Microsoft, demonstrating that even security-conscious organizations remain vulnerable. Organizations must implement number matching, rate limiting, and behavior-based authentication controls to effectively counter this threat.
Introduction
Multi-factor authentication was supposed to solve the credential theft problem. Organizations invested millions implementing MFA solutions, confident they’d finally closed the door on password-based attacks. Yet attackers have found a remarkably simple workaround that requires no sophisticated exploits or zero-day vulnerabilities—just persistence and an understanding of human nature.
MFA prompt bombing turns your security control into a weapon against your own users. By flooding victims with authentication requests at all hours, attackers create a scenario where the path of least resistance is approval. A single moment of weakness, confusion, or frustration becomes the entry point for complete account compromise.
This attack vector represents a fundamental challenge to push-based authentication systems and highlights why security controls must account for human factors, not just technical ones.
Background & Context
Push notification-based MFA became popular because it offered convenience without sacrificing security—or so we thought. Instead of typing codes from authenticator apps or hardware tokens, users simply tap “approve” when logging in. The friction is minimal, adoption rates are high, and help desk calls decrease.
The first documented MFA fatigue attacks appeared around 2019, but the technique gained widespread attention in 2022 when the Lapsus$ hacking group and other threat actors began using it systematically. The attack against Uber in September 2022 brought MFA prompt bombing into the mainstream security conversation when an attacker reportedly harassed an employee with repeated MFA prompts before contacting them via WhatsApp, posing as IT support.
The attack follows a simple pattern: attackers obtain valid credentials through phishing, malware, credential stuffing, or purchasing them from underground markets. With username and password in hand, they initiate login attempts repeatedly, triggering MFA prompts on the victim’s device. The bombardment continues—sometimes dozens of requests in minutes—until the user makes a mistake.
What makes this attack particularly insidious is that it exploits several psychological factors simultaneously: alert fatigue, the desire to stop annoying notifications, confusion about why prompts are appearing, and the assumption that the system must be malfunctioning rather than under attack.
Technical Breakdown
The attack sequence typically unfolds as follows:
Initial Compromise:
Attackers acquire valid credentials through various means—phishing campaigns, info-stealer malware, credential dumps, or social engineering. These credentials are tested against target applications that use push-based MFA.
Bombardment Phase:
Using automated scripts, attackers initiate rapid authentication attempts. Each attempt triggers a push notification to the victim’s registered device. A typical attack might generate 20-100 prompts within a short timeframe:
# Simplified illustration of automated login attempts
for i in {1..50}
do
curl -X POST https://target.com/api/auth \
-d "username=victim@company.com" \
-d "password=compromised_password" \
-H "Content-Type: application/x-www-form-urlencoded"
sleep 2
donePsychological Exploitation:
The timing of attacks is often strategic—late at night, early morning, or during busy work periods when users are distracted. Some attackers alternate between bursts of prompts and quiet periods to confuse victims about whether the issue has been resolved.
Social Engineering Enhancement:
Sophisticated attackers combine prompt bombing with direct contact. After initiating prompts, they call or message the victim posing as IT support, claiming there’s a “system issue” that requires approving a notification to resolve. This dual-channel approach dramatically increases success rates.
Session Hijacking:
Once a victim approves a single prompt, attackers gain authenticated access. They immediately register their own MFA device, change account recovery options, or establish persistence mechanisms to maintain access even if the victim later becomes suspicious.
Impact & Risk Assessment
The business impact of successful MFA prompt bombing attacks extends far beyond simple account compromise:
Immediate Access:
Attackers gain legitimate authenticated access to corporate resources, appearing as the compromised user in logs and security systems. This makes detection significantly more challenging than traditional unauthorized access attempts.
Lateral Movement:
Once inside, attackers leverage the compromised account’s permissions to access sensitive data, pivot to other systems, and escalate privileges. The Cisco breach in 2022 demonstrated how initial access through MFA fatigue led to extensive network reconnaissance and data exfiltration.
Data Exfiltration:
With authenticated access, attackers can access customer data, intellectual property, financial information, and strategic documents. The activities blend with normal user behavior, defeating many detection systems.
Reputational Damage:
Organizations that fall victim to attacks despite implementing MFA face questions about their security posture. The revelation that “we had MFA enabled” provides little comfort when breaches still occur.
Regulatory Consequences:
Depending on the data accessed, organizations may face GDPR, HIPAA, PCI-DSS, or other regulatory violations. MFA implementation doesn’t absolve organizations of responsibility when controls prove inadequate.
The attack requires minimal technical sophistication, making it accessible to a wide range of threat actors. The success rate varies but reports suggest 5-20% of targeted users eventually approve a fraudulent prompt when subjected to sustained bombardment and social engineering.
Vendor Response
Major identity providers have responded to MFA prompt bombing with varying degrees of urgency and effectiveness:
Microsoft introduced number matching in their Authenticator app, requiring users to type a number displayed on the login screen into their mobile device. This prevents blind approval of prompts and significantly raises the attack difficulty.
Duo Security implemented several countermeasures including number matching, push verification, and anomaly detection that flags unusual authentication patterns. Organizations can now require users to confirm specific details about login attempts.
Okta added context-aware authentication, displaying the originating location, device type, and application requesting access. Users can make more informed decisions about whether approval is legitimate.
Google has promoted their built-in security features including impossible travel detection and device verification, though prompt bombing specifically targeting Google accounts remains possible with default configurations.
However, these improvements often exist as optional features rather than mandatory defaults. Organizations must actively enable enhanced protections, and many remain unaware of the risks or haven’t prioritized implementation.
Mitigations & Workarounds
Organizations should implement multiple layers of defense against MFA prompt bombing:
Enable Number Matching:
Configure identity providers to require number matching or similar verification mechanisms. This single change dramatically reduces attack success rates:
Azure AD/Entra ID:
- Navigate to Security > Authentication methods > Microsoft Authenticator
- Set "Require number matching" to Enabled
- Set "Show application name" to Enabled
- Set "Show geographic location" to Enabled
Implement Rate Limiting:
Configure authentication systems to limit the number of MFA prompts sent within specific timeframes. After 3-5 failed attempts, implement increasing delays or temporary lockouts.
Deploy Behavior Analytics:
Utilize User and Entity Behavior Analytics (UEBA) to detect anomalous authentication patterns—multiple prompts in short periods, attempts from unusual locations, or authentication requests during off-hours.
Restrict Authentication Sources:
Implement conditional access policies that restrict authentication attempts based on:
- Geographic location
- Known device requirements
- Network source (corporate VPN, trusted IPs)
- Time-of-day restrictions
User Education:
Train users to recognize MFA prompt bombing attacks. Establish clear protocols: never approve unexpected prompts, report bombardment immediately, and verify any IT contact through independent channels.
Detection & Monitoring
Security teams should establish monitoring for indicators of MFA prompt bombing:
Authentication Log Analysis:
Monitor for patterns indicating prompt bombing attempts:
-- Example query for detecting multiple MFA prompts
SELECT user_id, COUNT(*) as prompt_count,
MIN(timestamp) as first_prompt,
MAX(timestamp) as last_prompt
FROM mfa_events
WHERE event_type = 'push_sent'
AND timestamp > NOW() - INTERVAL '1 hour'
GROUP BY user_id
HAVING COUNT(*) > 5
ORDER BY prompt_count DESC;Alert Triggers:
Configure SIEM rules to alert on:
- More than 5 MFA prompts to a single user within 10 minutes
- MFA prompts outside normal working hours
- Authentication attempts from new geographic locations
- Multiple denied prompts followed by an approval
Response Procedures:
Establish automated responses to suspected attacks:
- Temporarily suspend the targeted account
- Alert the user through out-of-band communication
- Notify security operations for investigation
- Review recent account activity for compromise indicators
Best Practices
Beyond specific technical controls, organizations should adopt comprehensive authentication strategies:
Adopt Phishing-Resistant MFA:
Transition to FIDO2/WebAuthn hardware security keys or certificate-based authentication for privileged accounts. These cryptographic methods resist phishing and prompt bombing entirely.
Implement Conditional Access:
Don’t rely on MFA alone. Combine it with device compliance checks, location verification, and risk-based authentication to create defense in depth.
Establish Security Culture:
Create an environment where reporting suspicious activity is encouraged and easy. Users should feel comfortable immediately reporting MFA bombardment without fear of blame.
Regular Security Assessments:
Periodically test authentication controls through red team exercises and penetration testing. Specifically simulate prompt bombing to verify detection and response capabilities.
Privileged Account Protection:
Apply the strongest authentication requirements to administrative and privileged accounts. Consider requiring hardware tokens exclusively for high-value accounts.
Incident Response Planning:
Develop specific procedures for responding to suspected MFA fatigue attacks, including account isolation, credential rotation, and forensic analysis.
Key Takeaways
- MFA prompt bombing exploits human psychology rather than technical vulnerabilities, making it effective even against security-aware organizations
- The attack requires only stolen credentials and persistence, giving low-skilled attackers access to a powerful technique
- Number matching and similar verification mechanisms effectively neutralize basic prompt bombing attempts
- Detection requires monitoring authentication logs for unusual patterns and implementing behavior analytics
- Push-based MFA alone is insufficient for high-value accounts; phishing-resistant methods like FIDO2 provide superior protection
- User education remains critical—employees must understand the attack and know how to respond when targeted
- Organizations should assume credential compromise will occur and layer additional controls around authentication
References
- Microsoft: “Defend your users from MFA fatigue attacks” – https://www.microsoft.com/en-us/security/blog/2022/05/13/defend-your-users-from-mfa-fatigue-attacks/
- Cisco Talos: “Recent cyber attack on Cisco” – https://blog.talosintelligence.com/recent-cyber-attack/
- CISA: “Multi-Factor Authentication (MFA)” – https://www.cisa.gov/mfa
- Duo Security: “Guide to Multi-Factor Authentication” – https://duo.com/resources/ebooks/guide-to-multi-factor-authentication
- NIST Special Publication 800-63B: Digital Identity Guidelines – https://pages.nist.gov/800-63-3/sp800-63b.html
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/
