MFA fatigue
A social-engineering attack that bombards a user with MFA push prompts until they tap Approve out of annoyance or confusion.
MFA fatigue — also called push bombing or MFA prompt bombing — is a social-engineering technique in which an attacker who already holds a victim’s password triggers a flood of multi-factor authentication push notifications, hoping the victim will eventually tap Approve to make the noise stop or because they assume the prompt is legitimate.
The September 2022 Uber intrusion is the canonical case: the attacker, whom Uber attributed to Lapsus$, obtained a contractor's credentials (reportedly bought on a dark-web market after an infostealer infection), hammered the account with Duo push prompts for over an hour, then contacted the victim on WhatsApp posing as Uber IT support and talked them into accepting. From there the attacker pivoted into internal systems, Slack, and the company's bug-bounty platform. Microsoft had already documented Lapsus$ spamming targets with MFA prompts earlier that year; Scattered Spider has used the same playbook since, and the Verizon DBIR continues to record stolen credentials as a leading initial-access vector, which is the precondition this attack builds on.
Defining properties:
- Pre-condition: stolen credentials. Push bombing only works if the attacker can already initiate logins. The password layer has already failed.
- Volume + pretext. Raw spamming is often paired with a phone call, SMS, or chat message impersonating IT to lower the user’s guard.
- Targets push, not codes. One-tap Approve is the attack surface. TOTP codes and FIDO2 keys cannot be bombed, since there is nothing to approve, but TOTP still falls to the same pretext call ("read me the code on your screen") and to adversary-in-the-middle phishing; only FIDO2 / passkeys resist both.
- Off-hours timing. Prompts are often fired late at night or early in the morning in the victim's local time zone, betting that a half-awake user taps through to make it stop.
- Bypasses awareness training. Annual modules don’t reach users at 3 AM; the knowledge-behavior gap is what the attacker is monetizing.
Mitigations follow a clear hierarchy: move from one-tap push to number-matching (the prompt shows nothing to approve until the user types the number displayed on the login screen), then to FIDO2 / passkeys, which are phishing- and bombing-resistant by construction. Number matching kills blind spamming but not a convincing pretext, because the attacker is sitting at the login screen and can simply read the number to the victim over the phone, so treat it as a stopgap rather than the destination. ANSSI and CISA both flag push fatigue as a leading identity-attack pattern; CISA's guidance recommends number matching as the interim baseline and phishing-resistant MFA as the goal, and Microsoft turned number matching on by default for Microsoft Authenticator in 2023. On the identity-provider side, alert on and automatically lock an account after a burst of denied or unanswered pushes, show the requesting application and approximate location inside the prompt, and require help-desk verification through a known callback number before unlocking, since the help desk is the attacker's next target. Behavior-side mitigations matter too: users need a reflex, unexpected push means report and never approve, and that reflex is built by repeated contextual reminders, not by an annual slide deck.
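The volume and off-hours signals listed under defining properties, and the burst-alerting mitigation above, as an added detection example. This is not code from the original page or from any MFA vendor; the log shape (one JSON object per push with user, ts, result and src_ip), the thresholds, the off-hours band and the user time-zone directory are all constructed assumptions to be mapped onto real IdP telemetry.

```python
"""Detect MFA push bombing from authentication push logs.

Added example, not code from the original page or from any MFA vendor.
The log shape is constructed and vendor-neutral: one JSON object per push
with fields user, ts (ISO 8601, UTC), result (approved|denied|timeout) and
src_ip. Thresholds and the off-hours band are assumptions to tune locally.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per user (assumption)
MAX_UNAPPROVED = 5               # more than this many denied/timed-out pushes in WINDOW = bombing
OFF_HOURS = range(0, 6)          # local hours 00:00-05:59 count as an off-hours signal (assumption)
USER_UTC_OFFSET = {"alice": -7, "bob": 1}   # constructed directory of users' local UTC offsets


@dataclass
class Alert:
    user: str
    unapproved: int          # peak count of non-approved pushes inside one window
    approved_after: bool     # an Approve landed inside a bombing window
    off_hours: bool          # the burst fell in the user's OFF_HOURS band
    src_ips: tuple[str, ...]  # login-initiating IPs seen during the burst

    @property
    def severity(self) -> str:
        # An approval after a burst means the attacker very likely got in.
        return "critical" if self.approved_after else "high"


def parse(line: str) -> dict:
    """Parse one constructed log line and convert ts to an aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def local_hour(rec: dict) -> int:
    """Hour of the push in the user's local time (offset 0 if unknown)."""
    return (rec["ts"] + timedelta(hours=USER_UTC_OFFSET.get(rec["user"], 0))).hour


def analyze(lines: list[str]) -> dict[str, Alert]:
    """Return one Alert per user whose pushes exceed MAX_UNAPPROVED in WINDOW."""
    per_user: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        per_user[rec["user"]].append(rec)

    alerts: dict[str, Alert] = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["ts"])          # logs may arrive out of order
        window: list[dict] = []
        peak, approved_after, off_hours, ips = 0, False, False, set()
        for rec in recs:
            window.append(rec)
            # Keep only pushes within WINDOW of the newest one.
            window = [r for r in window if rec["ts"] - r["ts"] <= WINDOW]
            unapproved = [r for r in window if r["result"] != "approved"]
            if len(unapproved) > MAX_UNAPPROVED:
                peak = max(peak, len(unapproved))
                ips.update(r["src_ip"] for r in window)
                off_hours = off_hours or local_hour(rec) in OFF_HOURS
                if rec["result"] == "approved":
                    approved_after = True         # the victim finally tapped Approve
        if peak:
            alerts[user] = Alert(user, peak, approved_after, off_hours, tuple(sorted(ips)))
    return alerts


# Constructed sample records, not real telemetry. alice is bombed at 02:00 local
# (09:00 UTC, offset -7) and approves on the eighth prompt; bob denies one push
# and then approves a legitimate one, which must not alert.
SAMPLE_LOG = [
    '{"user":"bob","ts":"2024-03-05T10:00:00Z","result":"denied","src_ip":"198.51.100.4"}',
    '{"user":"alice","ts":"2024-03-05T09:03:00Z","result":"denied","src_ip":"203.0.113.7"}',
    '{"user":"alice","ts":"2024-03-05T09:00:00Z","result":"denied","src_ip":"203.0.113.7"}',
    '{"user":"alice","ts":"2024-03-05T09:01:00Z","result":"timeout","src_ip":"203.0.113.7"}',
    '{"user":"alice","ts":"2024-03-05T09:02:00Z","result":"denied","src_ip":"203.0.113.7"}',
    '{"user":"bob","ts":"2024-03-05T10:01:00Z","result":"approved","src_ip":"198.51.100.4"}',
    '{"user":"alice","ts":"2024-03-05T09:04:00Z","result":"timeout","src_ip":"203.0.113.7"}',
    '{"user":"alice","ts":"2024-03-05T09:05:00Z","result":"denied","src_ip":"203.0.113.7"}',
    '{"user":"alice","ts":"2024-03-05T09:06:00Z","result":"denied","src_ip":"203.0.113.7"}',
    '{"user":"alice","ts":"2024-03-05T09:07:00Z","result":"approved","src_ip":"203.0.113.7"}',
    '{"user":"carol","ts":"2024-03-05T11:00:00Z","result":"approved","src_ip":"198.51.100.9"}',
]


def main() -> None:
    for alert in analyze(SAMPLE_LOG).values():
        print(f"[{alert.severity}] {alert.user}: {alert.unapproved} unapproved pushes "
              f"in {WINDOW}, approved_after={alert.approved_after}, "
              f"off_hours={alert.off_hours}, src_ips={alert.src_ips}")


if __name__ == "__main__":
    main()
```

The same per-user window is what an automatic lockout would key on: rather than only emitting the alert, the IdP policy denies further pushes for that account once the threshold trips, and a critical alert (approval inside the burst) should trigger session revocation and a help-desk callback to the user's known number before the account is unlocked.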
Related terms
- Multi-factor authentication (MFA): An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
- FIDO2 / Passkeys: Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
- Social engineering: Manipulating a person — rather than exploiting a software flaw — to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.