MFA fatigue attacks: Understanding, preventing, and combating them

Rohit Jain
7 min read
Articles

TLDR: What an MFA fatigue attack is and how to stop it fast

An MFA fatigue attack (often called push bombing) is when attackers spam repeated MFA approval prompts until someone accepts one—by mistake or just to make it stop. The quickest defense is to deny every unexpected prompt, report immediately, and move away from simple “Approve/Deny” pushes toward OTP/TOTP, number matching, and risk-based controls.

What is an MFA fatigue attack?

An MFA fatigue attack is a social engineering tactic that exploits user behavior, not a software bug. Attackers bombard a user with repeated authentication requests, hoping frustration or confusion leads the user to approve a login they didn’t initiate. These attacks are most common when MFA uses push-notification approvals for convenience.

In simple terms: the attacker can’t break MFA, so they try to wear the human down.

Types of authentication factors

To understand MFA Fatigue Attacks, let's quickly review the three main types of authentication factors:

  1. Something you know (like passwords or PINs)

  2. Something you have (like mobile devices or security tokens)

  3. Something you are (like fingerprints or facial recognition)

MFA Fatigue Attacks usually target the second type, especially mobile devices which are used for approving push notifications.

How do MFA fatigue attacks start?

1. Initial breach and compromise

MFA Fatigue Attacks don't happen in isolation. They're often part of a larger attack strategy. It usually starts with:

  • Phishing emails to steal login credentials

  • Buying stolen credentials from the dark web

  • Exploiting system vulnerabilities

2. Use of stolen credentials

Once attackers have a user's login info, they're ready to launch the MFA Fatigue Attack. They use the stolen credentials to start login attempts, triggering the MFA process.

3. Sending MFA push notifications

This is where the "fatigue" part comes in. Attackers repeatedly trigger login attempts, flooding the user's device with push notifications.

4. Victim response and attack success

The hope is that the victim, overwhelmed by notifications, will eventually approve one – either by accident, or just to make them stop. Once approved, the attacker gains access to the account.

Recognizing the signs of MFA fatigue attacks

Knowing what to look for can help spot MFA Fatigue Attacks before they succeed. Here are some common red flags:

1. Frequent authentication requests

If you're suddenly bombarded with push notifications asking you to approve a sign-in, especially when you’re not logged in or are actively working on the app, is a warning sign.

2. Requests without prior login attempts

You would not have logged into an app or your account for quite some time, but suddenly, you receive a push notification to authenticate a login request. This is a sign that someone else is trying to gain access to your account.

3. Unrecognized geographical locations

Most MFA-based login requests will mention the geographical location from where the user (normally you) is trying to access their account. If you receive a login request from a different geographic location, chances are someone from a different part of the world is attempting to gain access to your account.

Real-life examples of MFA fatigue attacks

Uber (2022)

In September 2022, Uber fell victim to a sophisticated MFA Fatigue Attack. A hacker targeted an employee with repeated MFA requests for over an hour. They even sent a WhatsApp message posing as Uber IT support, telling the employee to accept the request to make them stop. This gave the attacker access to Uber's internal systems, causing significant disruption.

MGM and Caesar's (2023)

In September 2023, both MGM Resorts and Caesars Entertainment were hit by cyberattacks involving MFA Fatigue tactics.

The attacks led to major disruptions in hotel operations. MGM faced an estimated $100 million in costs, while Caesars reportedly paid a $15 million ransom.

Cisco (2022)

Cisco experienced a breach where attackers used voice phishing and MFA Fatigue techniques to compromise an employee's personal Google account. The attackers bombarded the employee with push notifications and even made voice calls posing as trusted organizations. Once they gained access, they were able to move within Cisco's corporate network.

Strategies to prevent MFA fatigue attacks

Protecting against MFA Fatigue Attacks requires a multi-layered approach. Here are some key strategies:

1. Strengthen password management

Use strong, unique passwords for all the apps and services you use. The best way to achieve this is by using a password manager that can help create and store complex passwords securely.

2. Use OTP-based MFA

Instead of choosing MFA as a secondary authentication method, you can choose One-Time Passwords (OTPs). They are more secure than push notifications, as they require active input from the user.

3.Implement adaptive authentication

This approach analyses factors like device, location, and user behaviour to determine the level of authentication required for each login attempt.

Here’s where an opti-channel platform like Fyno can help. It can analyse user preferences and behavior and send authentication requests or OTPs to the channel that they’ll most likely be using at that moment.

4. Restrict user access

Limit user access rights to only what's necessary for their role. This minimizes potential damage if an account is compromised.

5. Adopt risk-based authentication

Assign risk scores to login attempts based on various factors. Higher-risk logins require additional verification steps.

6. Disable push notification as a verification method

Consider using more secure methods like number matching or time-based one-time passwords (TOTP) instead of simple "Approve" or "Deny" push notifications.

The best way to achieve this by encouraging users to use an Authenticator app that uses the TOTP method for authentication.

Enhancing security protocols without overwhelming users

While robust security is crucial, it's important to balance it with user experience. Here's how:

1. Improve user education

Regular training on security best practices and how to recognize MFA Fatigue Attacks can significantly boost your defense.

2. Promote strong password hygiene

Encourage the use of password managers and regular password updates.

3. Encourage a culture of security

Foster an environment where security is everyone's responsibility. Encourage employees to report suspicious activities.

4. Limit MFA request frequencies

Set how many times a push notification-based MFA request is sent to a user at a given time. This will keep your users safe and at the same time won’t give a lot of leverage for the attackers.

Advanced prevention measures

For organizations looking to further enhance their security posture:

1. Enable additional context in MFA requests

Provide users with additional information about login attempts, such as the location and device being used. You can also use AI to warn them if you think the attempt comes from a device or location that’s different from the ones they use.

2. Use physical security keys

Hardware-based security keys can provide an extra layer of protection against MFA Fatigue Attacks. You can use it to protect the accounts of those who have the highest security clearance at your company, like the IT admins.

3. Regularly review account sessions

Implement tools to monitor and review active sessions, allowing quick detection and termination of unauthorized access.

4. Adopt a zero-trust approach

Assume no user or device is trustworthy by default. Verify every access attempt, regardless of its origin.

How Fyno helps combat MFA fatigue attacks

At Fyno, we understand the challenges of balancing security with user experience. Our platform offers several features to help protect against MFA Fatigue Attacks:

  1. Centralized management: Fyno provides a unified hub for managing all your OTPs and push notification-based MFA requests, rather than you having to use multiple platforms to manage them. Having all your customer data, content, and workflows reduces the incidents of security breaches.

  2. Robust security measures: Fyno doesn’t expose critical user information to anyone. We have intelligent masking and hashing mechanisms in place to make sure that nobody gains access to your user data. We also use push token cleanup to remove outdated push tokens, making life difficult for attackers who are trying to exploit the vulnerability.

  3. Intelligent routing: Our system analyses user behavior and patterns, and intelligently routes authentication requests to the channels they’ll most likely use, reducing the likelihood of MFA fatigue attacks behavior and risk levels.

  4. Analytics and insights: Gain valuable data on authentication patterns to identify and respond to potential threats quickly.

  5. User preference management: Allow users to set their preferred notification channels and frequencies, which prevents you from using push notification-based MFA as a default secondary authentication method.

Conclusion

The Importance of vigilance and proactive measures

MFA Fatigue Attacks are a growing threat in the cybersecurity landscape. By understanding how these attacks work and implementing robust prevention strategies, organizations can significantly reduce their risk. Remember, security is an ongoing process that requires constant vigilance and adaptation.

Leveraging Fyno for robust security solutions

In the fight against MFA Fatigue Attacks and other cyber threats, having the right tools is crucial. Fyno.io offers a comprehensive platform that enhances your security posture and improves the overall user experience. By centralizing your communication and authentication processes, Fyno helps you stay one step ahead of potential threats.

Don't let MFA Fatigue Attacks catch you off guard. Explore how Fyno can help strengthen your defenses and streamline your authentication processes.

Contact us today to learn more about our security solutions and how we can tailor them to your specific needs.

INSIGHTS
COMMUNICATION EXPERIENCE
CUSTOMER COMMUNICATION

Frequently Asked Questions

What is an MFA fatigue attack?
An MFA fatigue attack is a social engineering tactic where attackers spam repeated MFA prompts—usually push notifications—hoping the user will approve one login request they didn’t initiate. The attacker typically already has the username and password and uses notification overload to pressure a mistake. It exploits user behavior, not a software vulnerability, which is why education and safer MFA methods matter.
Why do MFA fatigue attacks work so often?
They work because push prompts are designed to be quick and convenient. When attackers trigger dozens of prompts, users can get annoyed, distracted, or confused—especially if the prompts arrive during work. Some victims approve a request just to stop the flood. Attackers may also impersonate IT support (as in the Uber example) to add pressure and legitimacy.
What are the most common signs of an MFA fatigue attack?
The clearest signs are (1) frequent authentication requests in a short period, (2) prompts when you didn’t attempt a login, and (3) prompts showing unfamiliar locations or devices. If any of these appear, treat it as an active attack: don’t approve, report immediately, and reset credentials.
What’s the best way to prevent MFA fatigue attacks?
Reduce reliance on simple “Approve/Deny” push notifications and move toward stronger options like authenticator-app TOTP, push with number matching, risk-based step-up authentication, and security keys for high-privilege users. Pair that with strong passwords, least-privilege access, and rate-limits on how many prompts can be triggered in a time window.
Are OTPs safer than push notifications for MFA fatigue?
For fatigue specifically, OTP/TOTP methods are typically harder to exploit because they require active code entry rather than a quick tap. Push approvals are easy to spam, and users can mis-tap. OTPs still require good anti-phishing hygiene, but they reduce the “wear the user down” advantage that push bombing relies on.
What happened in the Uber, MGM/Caesars, and Cisco incidents?
In this guide’s examples: Uber (September 2022) involved repeated MFA prompts and a WhatsApp message impersonating IT support to pressure approval. MGM and Caesars (September 2023) were hit by attacks involving MFA fatigue tactics, causing major disruptions and reported costs ($100M for MGM; $15M ransom for Caesars). Cisco (2022) involved voice phishing plus MFA fatigue to compromise an employee’s account and move within the network.
How can organizations improve security without overwhelming users?
Use fewer, smarter prompts: educate users, promote password managers, limit MFA request frequency, and add context to prompts (device/location). Then reserve high-friction methods—like security keys or additional checks—for high-risk logins. This keeps everyday logins usable while making attacks much harder.
How does Fyno help reduce MFA fatigue risk?
Fyno is described as providing centralized management for OTPs and push-based requests, intelligent routing based on user behavior, analytics for spotting suspicious patterns, and user preference controls for channels and frequency. It also highlights masking/hashing and push token cleanup to reduce exposure and improve security operations.

Join our 2K+ readers

Get one actionable email a week on managing your notification infrastructure – no spam.

Fyno

Fyno is a modern infrastructure for product and engineering teams to build and manage their notification or communications service with minimum effort.

Visit Site

Previous Post

What is SMS authentication and how secure is it?

Next Post

Is it easy to intercept SMS? A complete guide

Like what you're reading?

Join 2K+ subscribers for one actionable weekly email on managing notifications – no spam.