Passwords were once the primary method for securing online accounts—until threat actors found ways to systematically bypass them. From brute force attempts to password spraying, compromised credentials became all too common.
This led to the widespread adoption of multi-factor authentication (MFA), a critical step forward in securing access. But cybercriminals have adapted once again, now exploiting MFA itself through what’s known as “MFA fatigue attacks.”
Before diving into how these attacks work, let’s first revisit what MFA is and how it’s intended to function.
Multi-factor authentication adds a second layer of identity verification beyond the username and password. Instead of granting immediate access, the system sends a one-time code, link, or challenge to a second device—typically via text or email—that the user must act on to complete login.
MFA significantly reduces the likelihood of unauthorized access. If a threat actor steals login credentials, MFA can still stop them. That is, unless it’s weaponized against the user.
An MFA fatigue attack—also sometimes called prompt spamming, push spam, and authentication bombing—is not a particularly high-tech hacking approach. It's a form of social engineering, a relatively easy and cheap hacking tactic used to exploit the system’s biggest weakness: humans.
The attacker first obtains valid credentials for an account. They then bombard the user with repeated MFA requests until the person—out of annoyance, confusion, or fatigue—approves one of them, inadvertently granting access.
In some cases, attackers go further. In the Uber breach of 2022, for instance, an attacker obtained credentials leaked on the dark web and harassed an employee with repeated MFA prompts. After over an hour, the attacker contacted the user directly, posing as IT support and convincing him to approve the login attempt.
According to research, about one-third of companies have been targeted by MFA fatigue attacks.
Here’s why they’re so effective:
While these attacks are common, there are clear steps you can take to reduce risk and build stronger defenses.
As always, it starts with awareness.
Whether you must protect employees, customers, or both, education is a critical component of avoiding an MFA fatigue attack. You need to provide your team with information that explains:
Training users to pause and question suspicious prompts can make all the difference. Receiving an MFA prompt for an account you're not currently trying to log in to, for example, is an immediate sign that something suspicious is going on.
MFA fatigue attacks work because they wear down the user with notification after notification. If your system allows someone to attempt to log in continuously and send multiple verification notifications without a limit, then it's incredibly vulnerable to this type of hack.
So, don't give attackers unlimited chances.
It's a good idea to configure services to limit login attempts and notification messages. Once you place a limit, hackers can’t hound your teams with notifications.
Often, setting limits means locking an account after a certain number of attempts. For example, you may configure your system so a user can only attempt to log in three times before their account locks. Then, the system either requires a specific action, such as contacting tech support, or enforces a waiting period before the user can attempt to log in again.
While both can be effective, requiring a specific action by the user to unlock the account is the better approach because it ensures the legitimate user is the only one who can unlock the account.
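The limiter below is an added example written for this section; it is not code from the post or from any vendor's product. It counts push prompts per account inside a sliding window, locks the account once the limit is passed, and by default releases the lock only through an out-of-band unlock where support has verified the caller (the option the post prefers); a timed lockout is available as the alternative. The limit of three prompts, the ten-minute window, the account names and the fake clock are all constructed for the example.

```python
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Policy values are assumptions for this example, not figures from the post.
MAX_PROMPTS_PER_WINDOW = 3   # push prompts allowed before the account locks
WINDOW_SECONDS = 600         # sliding window in which those prompts are counted


@dataclass
class AccountState:
    prompt_times: list = field(default_factory=list)
    locked_at: Optional[float] = None   # None means not locked


class PushPromptLimiter:
    """Counts MFA push prompts per account and locks the account once the limit
    is exceeded, so someone holding valid credentials cannot keep sending
    prompts. By default a locked account is released only by an out-of-band
    unlock (e.g. the user contacting support); a timed lockout is optional."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 lockout_seconds: Optional[float] = None):
        self.clock = clock
        self.lockout_seconds = lockout_seconds   # None = manual unlock only
        self.accounts: dict[str, AccountState] = {}

    def request_prompt(self, username: str) -> str:
        """Called after the password check succeeds and before a push is sent.
        Returns 'sent' when a prompt may go out, or 'locked' when it must not."""
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if state.locked_at is not None:
            if (self.lockout_seconds is not None
                    and now - state.locked_at >= self.lockout_seconds):
                state.locked_at = None          # waiting period has elapsed
                state.prompt_times = []
            else:
                return "locked"
        # Keep only prompts inside the sliding window.
        state.prompt_times = [t for t in state.prompt_times
                              if now - t < WINDOW_SECONDS]
        if len(state.prompt_times) >= MAX_PROMPTS_PER_WINDOW:
            state.locked_at = now
            return "locked"
        state.prompt_times.append(now)
        return "sent"

    def unlock(self, username: str, identity_verified: bool) -> bool:
        """Out-of-band unlock: support releases the account only after verifying
        the caller is the legitimate user. Returns True if the account is usable."""
        state = self.accounts.get(username)
        if state is None:
            return True
        if not identity_verified:
            return False
        state.locked_at = None
        state.prompt_times = []
        return True


class FakeClock:
    """Deterministic clock so the scenario below runs the same way every time."""
    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_prompt_bombing(attempts: int = 6,
                            lockout_seconds: Optional[float] = None) -> list[str]:
    """Constructed scenario: a login attempt with 'alice's password triggers
    `attempts` push prompts one second apart. Only the first three are sent."""
    clock = FakeClock()
    limiter = PushPromptLimiter(clock=clock, lockout_seconds=lockout_seconds)
    results = []
    for _ in range(attempts):
        results.append(limiter.request_prompt("alice"))
        clock.advance(1)
    return results


if __name__ == "__main__":
    print(simulate_prompt_bombing())
```

The check sits between password verification and the push itself, so once the account is locked the user's phone goes quiet rather than buzzing until they give in; the lock is the signal to investigate the source of the attempts.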
Most MFA systems send a generic message about clicking a link to log into the account. While this worked initially, the basic design is what allows MFA fatigue attacks to work so well. You can help prevent them by providing more information.
If the authentication notification includes details about where the request originated, that could be the red flag that exposes the attack. For example, if a company's employees all reside in New York, but an authentication email says the login attempt originated from California, that's a clear sign of something suspicious.
You can customize the data that comes with a notice by providing the IP address and the device used for logging in. Including more information in the notification makes the user more likely to recognize if there's a problem.
Trusted devices are those a user has previously used to access the account. Many systems have a built-in option to implement trusted devices. Once a user confirms a device as trusted, any new or unfamiliar devices should trigger extra scrutiny—or be blocked entirely.
This works especially well when employees only log in from managed, company-issued hardware.
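The policy below is an added example for the two preceding sections (contextual notifications and trusted devices); it is not the post's code or any product's API. It decides whether a login attempt gets an MFA push at all, and when it does, builds a notification carrying the device, IP and location so the user can recognise a request they did not start. The GeoIP table, device identifiers, user names and IP addresses are constructed (the prefixes are RFC 5737 documentation ranges); a real deployment would use a GeoIP service and a device identity such as a certificate thumbprint.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed lookup table standing in for a real GeoIP service. The prefixes are
# documentation ranges (RFC 5737), so nothing here maps to a real network.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("New York", "US"),
    ipaddress.ip_network("198.51.100.0/24"): ("California", "US"),
    ipaddress.ip_network("192.0.2.0/24"): ("Frankfurt", "DE"),
}


def geolocate(ip: str) -> tuple[str, str]:
    addr = ipaddress.ip_address(ip)
    for net, location in GEO_TABLE.items():
        if addr in net:
            return location
    return ("unknown", "unknown")


@dataclass
class LoginAttempt:
    username: str
    ip: str
    device_id: str     # identifier the client presents, e.g. a device certificate thumbprint
    user_agent: str


@dataclass
class Decision:
    action: str                     # "prompt" (send an MFA push) or "block"
    notification: str               # text shown to the user on the secondary device
    anomalies: list = field(default_factory=list)


class TrustedDevicePolicy:
    """Decides whether to send an MFA push for a login attempt and, if so, what
    context to put in it. `trusted` maps usernames to device ids the user has
    previously confirmed; `expected_region` is where the workforce normally signs in."""

    def __init__(self, expected_region: str, trusted: dict[str, set[str]],
                 block_unknown_devices: bool = False):
        self.expected_region = expected_region
        self.trusted = trusted
        self.block_unknown_devices = block_unknown_devices

    def evaluate(self, attempt: LoginAttempt) -> Decision:
        region, country = geolocate(attempt.ip)
        anomalies = []
        device_known = attempt.device_id in self.trusted.get(attempt.username, set())
        if not device_known:
            anomalies.append(f"unrecognized device {attempt.device_id}")
        if region != self.expected_region:
            anomalies.append(f"sign-in from {region}, {country}; "
                             f"expected {self.expected_region}")
        if not device_known and self.block_unknown_devices:
            # Managed-hardware-only environments: no prompt at all for unknown
            # devices, so there is nothing for the user to approve by mistake.
            return Decision("block", "", anomalies)
        return Decision("prompt",
                        build_notification(attempt, region, country, anomalies),
                        anomalies)


def build_notification(attempt: LoginAttempt, region: str, country: str,
                       anomalies: list) -> str:
    """Replace the generic 'tap to approve' text with the details the user needs
    to spot a login they did not start."""
    lines = [
        f"Sign-in request for {attempt.username}",
        f"Device: {attempt.device_id} ({attempt.user_agent})",
        f"Location: {region}, {country} (IP {attempt.ip})",
    ]
    if anomalies:
        lines.append("WARNING: " + "; ".join(anomalies))
        lines.append("If you did not start this sign-in, deny it and report it.")
    return "\n".join(lines)


# Constructed sample data: one trusted laptop, one attempt from an unknown phone.
POLICY = TrustedDevicePolicy(expected_region="New York",
                             trusted={"alice": {"laptop-7f3a"}})
LEGIT = LoginAttempt("alice", "203.0.113.10", "laptop-7f3a", "Windows 11 / Edge")
SUSPECT = LoginAttempt("alice", "198.51.100.7", "unknown-android", "Android / Chrome")

if __name__ == "__main__":
    for attempt in (LEGIT, SUSPECT):
        decision = POLICY.evaluate(attempt)
        print(decision.action)
        print(decision.notification, "\n")
```

With `block_unknown_devices=True` the policy matches the managed-hardware case the post describes: an attempt from anything other than a confirmed device never reaches the user's phone, which removes the prompt the attack depends on. With the default setting the prompt still goes out, but it names the California location and the unknown device instead of a bare "Approve?".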
The most vulnerable option for MFA is having the user click a link to verify. Instead of just clicking a link, it's better to have the user do something only the legitimate account holder can do.
One example is number matching. When the user gets the notification on their secondary device, they receive a PIN they must enter on the login screen of the device originally used to authenticate and access the account.
You might also consider eliminating passwords altogether. Instead, when logging in, the user only enters their username to trigger the MFA system to send a notification. To grant access, the system may then require biometrics—fingerprints or facial scans—or a one-time temporary password that’s unique and valid for only one session.
These alternatives help shut the door on threat actors. Without the information in the notification message, they cannot possibly get into the account because the second step must occur on the login page on the device used to access the account. With a link-only verification, the scammer can be on a different device and still get access.
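The verifier below is an added example of the number-matching flow described above; it is not the post's code or any authenticator product's implementation. It follows the direction the post gives (the number goes to the secondary device and is typed at the login screen of the session that started the request); some products display the number on the login screen and have it typed into the app instead, and the binding to the originating session is the same either way. It also handles the weakness a two-digit number has on its own: guesses are capped and the challenge expires, so it cannot be completed by retrying. The time limit, guess limit, session ids and the fixed number used in the walk-through are all constructed.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable

# Assumed policy values for this example.
CHALLENGE_TTL_SECONDS = 60   # a number is only valid briefly
MAX_GUESSES = 3              # a two-digit number must not be guessable by retrying


def random_two_digits() -> str:
    return f"{secrets.randbelow(100):02d}"


@dataclass
class Challenge:
    username: str
    number: str
    created_at: float
    guesses: int = 0
    used: bool = False


class NumberMatchingMFA:
    """Second factor bound to the login session. The number is delivered to the
    user's secondary device and must be typed into the login screen of the
    session that started the request. A push 'Approve' on its own is never
    treated as completion, because it proves nothing about who is at the screen."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 number_source: Callable[[], str] = random_two_digits):
        self.clock = clock
        self.number_source = number_source
        self.challenges: dict[str, Challenge] = {}

    def start_login(self, session_id: str, username: str) -> str:
        """Called once the password is verified. Creates the challenge for this
        session and returns the number so the caller can deliver it out of band."""
        number = self.number_source()
        self.challenges[session_id] = Challenge(username, number, self.clock())
        return number

    def complete_login(self, session_id: str, entered_number: str) -> str:
        """Verify the number typed on the login screen. Returns 'ok' or a reason."""
        challenge = self.challenges.get(session_id)
        if challenge is None:
            return "no_challenge"
        if challenge.used:
            return "already_used"
        if self.clock() - challenge.created_at > CHALLENGE_TTL_SECONDS:
            del self.challenges[session_id]
            return "expired"
        # Constant-time comparison on bytes so odd input cannot raise or leak timing.
        if not hmac.compare_digest(challenge.number.encode(), entered_number.encode()):
            challenge.guesses += 1
            if challenge.guesses >= MAX_GUESSES:
                del self.challenges[session_id]    # no iterating through 00..99
                return "too_many_attempts"
            return "mismatch"
        challenge.used = True
        return "ok"


def scenario() -> dict[str, str]:
    """Constructed walk-through with a fixed number ("42") and a movable clock:
    the legitimate user completes a login; a second session, whose operator never
    receives the number, tries to guess it; a third session is left to expire."""
    now = [1_000.0]
    mfa = NumberMatchingMFA(clock=lambda: now[0], number_source=lambda: "42")
    results: dict[str, str] = {}
    number = mfa.start_login("sess-user", "alice")          # arrives on alice's phone
    results["user_ok"] = mfa.complete_login("sess-user", number)
    results["user_replay"] = mfa.complete_login("sess-user", number)
    mfa.start_login("sess-other", "alice")                  # number not known here
    for i, guess in enumerate(("00", "01", "02", "03")):
        results[f"guess_{i}"] = mfa.complete_login("sess-other", guess)
    mfa.start_login("sess-late", "alice")
    now[0] += CHALLENGE_TTL_SECONDS + 1
    results["late"] = mfa.complete_login("sess-late", "42")
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The important property is where the proof is supplied: the login completes at the screen that started it, not on the phone, so a stray "Approve" tap on a prompt the user did not initiate finishes nothing. The guess cap and expiry are what keep that property intact when the number is short.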
Some companies use security keys similar to one-time temporary passwords. Users receive the security key outside the system through a different device and use it whenever they log in. Because the security key changes every time, there is no way for a hacker to figure it out. An MFA fatigue attack cannot bypass it since it works outside of an MFA system.
Even with the best controls in place, human error can’t be eliminated. That’s why it's essential to layer proactive threat detection and response capabilities on top of MFA.
Field Effect MDR offers holistic, expert-managed cybersecurity to help you stay ahead of emerging threats. In addition to detecting and blocking abnormal activity indicating a threat is present, Field Effect MDR also proactively resolves weaknesses so that it’s harder for an attacker to compromise your systems in the first place.
MFA fatigue attacks aren’t going away—but they can be stopped. With smart configurations, continuous user education, and advanced monitoring through Field Effect MDR, you can secure systems against one of today’s most persistent threats.