The “MFA Fatigue” Threat: Protecting Your Staff from Prompt-Bombing Attacks

Cody Sukosky

Article summary: MFA fatigue attacks, also called prompt bombing, overwhelm users with repeated login approvals until someone taps “approve” out of frustration or distraction. They work when attackers already have a valid password and the organization relies on push-based MFA prompts. Businesses can close the gap by upgrading authentication methods, tightening sign-in policies, and training staff to treat unexpected prompts as a security incident.

MFA fatigue attacks, and the cybersecurity awareness gaps they expose, are now behind some of the most damaging breaches of the past few years.

The mechanics are simple. 

An attacker already has a valid username and password, bought from a dark web marketplace or harvested through phishing. Push-based MFA protects the account, so they can’t log in without your approval. Their solution: send dozens, sometimes hundreds, of push notifications until the user gives in.

It doesn’t require any hacking. It just requires the right employee to be tired, distracted, or confused at the wrong moment.

How a Prompt-Bombing Attack Actually Unfolds

The attack begins well before the first notification arrives.

At some point, employee credentials were compromised. Maybe through a phishing email, a data breach at a third-party site, or an infostealer infection on a personal device. The attacker now has a username and password. What they need next is the MFA approval.

So, they trigger a login attempt. 

The employee’s phone lights up with an approval request. The employee ignores it. The attacker tries again. Then again. The notifications keep coming at odd hours: 11 pm, 2 am, during a meeting, during school pick-up. The goal is to find the moment the employee’s guard is lowest.

In some cases, a follow-up call makes the approach even more effective. 

The attacker phones the employee posing as IT support and says something like: “We’re seeing an alert on your account. Just approve the notification and we’ll sort it out from there.” 

The 2022 Uber breach followed this pattern closely. After obtaining an employee’s credentials, the attacker flooded the employee with MFA push notifications and then contacted them while posing as Uber IT. When the employee approved the request, the attacker gained access to Uber’s network and was able to locate high-privilege credentials that provided broad access to the company’s internal systems.

Microsoft research identified over 382,000 MFA fatigue attacks in a single 12-month period. It found that 1% of users will blindly approve the very first unexpected push notification they receive.

Why Push-Based MFA Creates the Opening

Not all MFA methods are equally vulnerable to this attack. 

The problem is specific to push notifications. This is where a login attempt on a laptop or browser sends an approval request to a mobile device. The user sees a prompt that says something like “Are you signing in?” and taps yes or no.

Push notifications were designed to be fast and frictionless. That’s also what makes them exploitable. There’s nothing for the attacker to intercept or forge. They simply need the user to tap the wrong answer.

Time-based one-time passcodes (TOTP), the six-digit codes generated by authenticator apps, are structurally resistant to this attack. 

The attacker can’t trigger anything on the user’s device. There’s no prompt to approve, no notification to dismiss. FIDO2/WebAuthn security keys go further still: they bind authentication cryptographically to the actual domain, making it impossible for an attacker to replay a session. 

CISA describes phishing-resistant MFA as the most secure form of multifactor authentication and strongly urges organizations to adopt it. For organizations that still rely on push notifications, CISA recommends safeguards such as number matching to reduce the risk of MFA fatigue attacks.

According to the 2025 Verizon Data Breach Investigations Report, prompt bombing attacks appeared in 14% of social engineering incidents. The same report found a human element involved in roughly 60% of breaches. MFA fatigue attacks sit at that intersection, exploiting a technical control by relying on human behavior to succeed. 

Four Things That Reduce Your Exposure

1.) Enable number matching on push-based MFA

If you can’t move away from push notifications immediately, number matching is the most effective near-term control. 

With number matching enabled, users must enter a number displayed on the login screen before approving the sign-in request in their authenticator app.

This adds context to the approval process and helps prevent MFA fatigue attacks. An employee who receives an unexpected prompt cannot approve it unless they can see the matching number on the legitimate sign-in screen.

Microsoft Authenticator, Okta, and Duo all support number matching. If you’re not using it, enabling it should be the first step you take this week.

2.) Limit push notification attempts

Most modern identity platforms provide safeguards against excessive authentication requests. Set limits on how many push notifications can be sent within a specific time window, and establish rules that lock or flag accounts after a defined number of failed attempts. These controls can significantly reduce the effectiveness of MFA fatigue attacks.

Automated attacks depend on volume. Removing the volume removes the attack’s primary lever.
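As an added illustration (not code from the article or from Cloudavize), the small detector below applies the throttling rule from this step to constructed sign-in log lines: it counts push prompts per user in a sliding window, marks prompts past the limit as ones that should have been suppressed, and flags an "approved" that lands inside such a burst, which is the same flood-of-prompts signal employees are trained to report. The log format, the 10-minute window and the limit of five pushes are assumptions for the example.

```python
# Added example, not from the article: sliding-window prompt-bombing detector.
# Assumed log line format: "<ISO8601 UTC> user=<name> event=<type> result=<outcome>"
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed window for counting push prompts
MAX_PUSHES = 5                  # assumed limit; pushes beyond it are throttled

# Constructed sample log: "alice" is bombed at 2 am and finally taps approve;
# "bob" receives two ordinary prompts hours apart.
SAMPLE_LOG = """\
2024-03-04T02:01:10Z user=alice event=mfa_push result=timeout
2024-03-04T02:02:05Z user=alice event=mfa_push result=timeout
2024-03-04T02:02:50Z user=bob event=mfa_push result=approved
2024-03-04T02:03:40Z user=alice event=mfa_push result=denied
2024-03-04T02:04:15Z user=alice event=mfa_push result=timeout
2024-03-04T02:05:02Z user=alice event=mfa_push result=denied
2024-03-04T02:05:55Z user=alice event=mfa_push result=approved
2024-03-04T09:15:00Z user=bob event=mfa_push result=approved
"""

def parse_line(line):
    """Split one log line into a dict of fields with a parsed timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_prompt_bombing(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return {user: alert} for every user whose push count in any sliding
    window exceeds max_pushes. Each alert records the peak count, how many
    pushes should have been throttled, and whether an approval occurred
    inside the burst (a likely fatigued approval)."""
    recent = defaultdict(deque)  # user -> timestamps of pushes still in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if len(q) > max_pushes:
            a = alerts.setdefault(ev["user"], {"peak_pushes": 0, "throttled": 0,
                                               "approved_in_burst": False,
                                               "action": "lock account, reset password"})
            a["peak_pushes"] = max(a["peak_pushes"], len(q))
            a["throttled"] += 1           # this push exceeds the per-window limit
            if ev["result"] == "approved":
                a["approved_in_burst"] = True
    return alerts
```

Running `detect_prompt_bombing(SAMPLE_LOG)` flags only "alice": six pushes in under five minutes, one past the limit, with the final approval inside the burst.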

3.) Move high-risk accounts to phishing-resistant MFA

For accounts with admin access, access to financial systems, or access to sensitive client data, push-based MFA should not be the default. 

FIDO2 security keys, such as a YubiKey, generate a cryptographic response tied to the exact domain being accessed. Even if an employee is social-engineered into “approving” something, the key won’t authenticate to a domain it wasn’t enrolled in. 

Our endpoint and identity security services cover phishing-resistant MFA rollout for exactly these scenarios.

4.) Train employees before an attack, not after

Employees who understand what prompt bombing looks like are far harder to manipulate. 

They need to know two things: 

  1. They should never approve an MFA request they didn’t personally initiate.
  2. An unexpected flood of prompts is a signal that credentials have been compromised.

They should deny the requests, lock the account if possible, and report it immediately.

Security awareness training that covers MFA specifically, not just phishing in general, is one of the highest-return investments available. One employee who knows what to do when the prompts start arriving can prevent the breach entirely.

Ready to Close the MFA Gap?

Push-based MFA is still far better than no MFA at all. But it’s no longer sufficient on its own for accounts that carry real risk.

If you’d like help reviewing your current MFA configuration, identifying which accounts need stronger controls, and rolling out phishing-resistant authentication where it matters most, we can build you a practical plan.

Reach out to Cloudavize at (469) 250-1667, email info@cloudavize.com, or contact us online to start the conversation.

Article FAQs

What is an MFA fatigue attack?

An MFA fatigue attack, also called prompt bombing, is a social engineering tactic where an attacker who already has a user’s password repeatedly sends push notification approval requests to their device, hoping the user will eventually tap approve out of confusion or frustration. It bypasses multi-factor authentication without any technical hacking.

What is number matching and how does it help?

Number matching requires the user to enter a number displayed on the sign-in screen into their authenticator app before approval is granted. This means an employee can’t approve a rogue request without physically seeing what number appears on the login screen.

What is phishing-resistant MFA?

Phishing-resistant MFA uses cryptographic methods, such as FIDO2 security keys or passkeys, which bind authentication to the actual domain being accessed. Even if a user is manipulated into approving something, the key won’t authenticate to a domain it wasn’t registered for.

What should an employee do if they receive unexpected MFA prompts?

Deny the request immediately. Do not approve any MFA prompt you did not initiate yourself. Report the unexpected prompts to your IT team right away, as they are a strong indicator that your password has been compromised. Your IT team should lock the account and change the credentials before the attacker tries a different approach.
