Usherwood Blog | Usherwood Office Technology

What is MFA Prompt Bombing and How Does it Work?

Written by Libby King | Jun 12, 2026 7:32:58 PM

In Short:

  • MFA prompt bombing is when attackers spam login requests until a user clicks “approve,” often just to stop the notifications or by accident
  • It works because attackers target human behavior, not the MFA technology itself
  • Even strong systems can fail when humans feel overwhelmed or distracted
  • The best defense is moving beyond simple push approvals to more secure methods like passkeys or number matching
  •  

The Future of MFA

For years, businesses were told that multi-factor authentication (MFA) was the solution to account security. Even if someone stole your credentials, they wouldn’t be able to log in without that second step, usually a push notification on a phone.

MFA seems like the perfect solution to credential breaches. Today, attackers have found a way around it. Instead of breaking the technology, they target the person behind it.

This method known as MFA prompt bombing or an MFA fatigue attack has become one of the most effective ways to bypass modern security controls. To learn more about other MFA scams read here.

What Is MFA Prompt Bombing?

MFA prompt bombing is when an attacker repeatedly sends login approval requests to a user until they finally click “approve.”

  • Multi-Factor Authentication (MFA):
    A security method that requires more than just a password, typically a second step like a code sent to an email or phone number.
  • Push notification: A pop-up alert on your phone asking you to approve or deny a login attempt.

MFA typically asks: “Are you trying to sign in? Approve or deny.”

MFA providers like DUO or Authenticator apps are typically very secure so rather than hacking into the system, attackers they rely on persistence and psychology. They overwhelm users with repeated notifications until the easiest option feels like making the alerts stop.

How MFA Bombing Attacks Work

Step-by-step:

Step 1: The attacker obtains a password
Often from a data breach, reused credentials, or phishing

Step 2: They attempt to log in
This triggers the MFA process

Step 3: The user receives a push notification
Asking them to approve or deny the login
They deny since its not them

Step 4: The attacker repeats the login request

Again and again, sometimes dozens of times

Step 5: Eventually, the user clicks “approve”

Often just to make the notifications stop or by accident

Step 6: In some cases, attackers take it a step further by combining this with vishing (voice phishing):

They call the user pretending to be IT support. They say something like: “We’re seeing an issue with your account, can you approve the notification?”
  •  

Because the request feels routine, many users comply.

Why MFA Platforms Struggle to Stop This

Unfortunately MFA systems cant stop the push notifications just yet because:

1. It relies on human decisions

MFA assumes the user can answer the is this you question without them flagging it as suspicious. But in reality, humans make mistake sometimes they are:

  • Busy and distracted
  • Used to frequent login prompts
  • More focused on getting work done than analyzing alerts

Many assume repeated prompts are just a system glitch, not an attack.

2. Push notifications lack context

Most MFA notifications provide limited information, such as:

  • No clear device details
  • Little or no location context
  • Minimal explanation of what’s happening

3. Repetition creates fatigue

When notifications appear repeatedly:

  • They become background noise
  • Users stop evaluating them carefully
  • The goal shifts from security to stopping the interruption

4. MFA can’t prevent social engineering

If a user approves the request even accidentally the system:

  • Treats the login as legitimate
  • Grants the attacker full access

From a technical standpoint, everything looks normal.

Real-World Example: The Cisco Breach

In 2022, attackers targeted a Cisco employee:

  • The employee’s credentials were exposed via a compromised personal account
  • Attackers began sending repeated MFA push notifications
  • When that didn’t work, they escalated to phone calls posing as IT support
  • Eventually, the employee approved a request and got hacked putting their company at risk.

What happened next:

  • The attacker gained VPN access
  • Enrolled their own devices for persistence
  • Accessed internal systems, including critical infrastructure
  • Exfiltrated approximately 2.8GB of data

Common Misconceptions About MFA Prompt Bombing


Let’s clear up a few common misunderstandings:

  • “MFA is broken” Not exactly. The issue is usually how it’s implemented, not the concept itself.
  • “This only affects small companies” False. Large, security-mature organizations have been impacted
  • “User training is enough” Not realistically. People make mistakes—especially under pressure
  • “Number matching solves everything” It helps, but isn’t perfect. Sophisticated phishing can still trick users

How to Prevent MFA Prompt Bombing

The good news: there are practical ways to reduce risk.

1. Use stronger MFA methods

Consider switching from simple push approvals MFAs to:

  • Number matching
  • Authenticator app codes
  • Hardware keys
  • Passkeys

Why it works:
These methods require active user input, not just tapping “approve.”

2. Block compromised passwords

Practice good password posture and use tools that:

  • Identify passwords exposed in breaches
  • Force users to reset them immediately

MFA prompt bombing usually starts with a stolen password, avoid this attack method all together by creating a strong password no one can guess. TO learn more about strong passwords read here.

3. Lock accounts after suspicious activity

For example:

  • Too many MFA requests will temporarily disable the account

This stops attackers before they can succeed.

4. Report it to your Security Department Immediately

If you do notice an abundance of MFA requests do not touch anything and report it to your IT department, so they can further assess the situation. 

MFA is still Necessary, But It Needs to Evolve

Multi-factor authentication is still a critical layer of security. But not all MFA is created equal. When systems rely too heavily on users making the right decision they become vulnerable.

Security fails when it depends on tired, distracted humans. Now is the time for organizations to:

  • Reevaluate their MFA approach
  • Reduce unnecessary friction
  • Adopt more phishing-resistant methods
Usherwood Office Technology offers cybersecurity services designed to help protect your organization from MFA fatigue attacks, phishing, and other modern threats. To learn more, fill out a tech evaluation or connect with a specialist using the chat icon.
 

FAQ: MFA Attacks

1. What is MFA fatigue?

It’s when users become desensitized to repeated authentication prompts and start approving them automatically.

2. Is MFA still secure?

Yes, but weaker methods like push notifications are more vulnerable to social engineering.

3. What’s better than push-based authentication?

Passkeys, hardware security keys, and number code matching are more secure alternatives.

4. Can MFA be hacked?

Not directly, but attackers can manipulate users into bypassing it.
View full post