How to Detect & Prevent MFA Prompt Fatigue Attacks

Feb 21, 2025
Last Updated: Mar 5, 2026
By Louise Watson, Sr. Product and Solutions Marketing Manager

Key Takeaways

 

  • Threat Overview: Attackers flood a user with push approval requests until one is accepted, turning the authentication prompt itself into a social engineering attack surface.

  • Primary Risk: Prompt bombing starts from stolen credentials (the attacker must already pass the password check to trigger a push) and succeeds through persistence, not broken cryptography or malware.

  • Detection Signals: Watch for repeated prompts and denials, a sudden approval after several denials, new devices, and unusual locations, and respond quickly to contain the session that results.

  • Prevention Plan: Combine rate limiting with a cooldown, contextual prompts, number matching, risk-based authentication, phishing-resistant FIDO2 for sensitive roles, and practical user training.

The State of MFA Security

Zero Trust security models call for the use of multi-factor authentication (MFA) to ensure only authorized users may access protected IT resources. Many organizations are adopting MFA to add a layer of security for remote workers. Customer-facing organizations are also implementing MFA to mitigate identity-based attacks, such as phishing, and to help quash the rise in account takeover fraud.

 

Compromised credentials, meaning stolen or reused passwords, are consistently among the leading causes of breaches. MFA greatly reduces the value of a stolen password, because an attacker is unlikely to also control the user's second factor, such as a mobile phone. It does not make the password worthless, though: as the rest of this article shows, the attacker can still try to talk the user into supplying that second factor.

 

Industry research consistently shows that using MFA can stop the vast majority of password-related attacks within an enterprise, so an increasing number of enterprises have begun to require MFA before granting account access. That's the good news.

 

The bad news is that attackers are now evolving their tactics for bypassing MFA, and are finding some success.

 

Many organizations encourage using MFA for threat protection, but relying on users to approve authentication requests manually is now riskier than ever due to tactics such as MFA bombing.

What Is MFA Bombing?

MFA bombing is a social engineering technique in which an attacker who already holds a valid username and password repeatedly triggers push notifications to the user's authenticator app until the user approves one out of annoyance, confusion, or the assumption that the system is malfunctioning. The same behavior is often described as an MFA fatigue attack, and bad actors commonly use it to commit account takeover. Sometimes called MFA flooding, push bombing, or MFA spamming, this tactic exploits human psychology rather than technical weaknesses in the encryption or protocol itself.

 

The attack relies on a simple premise: if a user receives enough prompts, they may eventually hit "Approve" just to make the notifications stop. Once they do, the attacker gains access to the account using the valid credentials they previously compromised.

How Prompt Bombing Works

These attacks follow a predictable sequence that turns a security feature into a vulnerability. Understanding each step helps security teams identify where to intervene.

  1. Initial Credential Compromise: The attacker obtains a username and password through phishing, a data breach, or credential stuffing.

  2. Attacker Attempts Login: The bad actor enters the stolen credentials into a service protected by push-based MFA.

  3. Repeated Authentication Requests: The attacker triggers the login process repeatedly. This can be done manually or via automated scripts that send prompts every few seconds.

  4. User Fatigue and Frustration: The victim's phone buzzes incessantly. They may be sleeping, in a meeting, or simply distracted.

  5. Accidental Approval: Overwhelmed by the noise, the user approves a request to silence the device or because they assume it is a glitch.

  6. Attacker Gains Access: With the challenge satisfied, the attacker enters the system to move laterally or exfiltrate data.

Why this Technique Is Effective

Prompt bombing succeeds because it weaponizes the user's trust in the authentication system. Users are conditioned to believe that a prompt on their phone is a standard part of the login process. When combined with decision fatigue and the desire to stop annoying interruptions, this trust becomes a liability.

 

Unlike sophisticated technical exploits, these attacks require minimal resources. Attackers do not need to bypass encryption or exploit software bugs. They simply need persistence and a set of stolen credentials.

How to Detect Prompt Bombing

Early detection is critical to stopping these attacks before a user succumbs to the pressure. Here's what to look for, whether you're on the security team or an end user.

 

For Security Teams:

 

  • Monitor Prompt Frequency: Alert when a single user receives more than a handful of push prompts (for example, more than three) within a short window such as five minutes. Tune the threshold to your environment; a legitimate user rarely needs more than one or two prompts per login.

  • Track Failed Patterns: Look for several denials or timeouts followed soon by an approval from the same source, which is the signature of a user giving in. Treat a user's "It's not me" or fraud report as a high-priority alert, not just another denied prompt.

  • Analyze Anomalies: Flag logins from new devices, unusual locations, or anonymizing networks that coincide with high-volume authentication requests, and watch what the resulting session does next so you can contain it if a prompt was approved.

For Users:

 

  • Unexpected Prompts: Be wary of requests when you are not actively logging in.

  • Repetitive Notifications: Multiple prompts in rapid succession are a clear sign of an attack.

  • Odd Timing: Requests arriving in the middle of the night can indicate an attacker in a different time zone.
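The three security-team checks above, run over sample log lines. This is an added example written for this page, not code from the original article or from any vendor product: the log format, field names, sample events and baseline are constructed for illustration, and the thresholds (more than three prompts in five minutes, at least two rejections before an approval) are assumptions to tune against your own authentication logs.

```python
"""Detect MFA push-bombing patterns in authentication logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real product). One event per line:
#   <ISO-8601 UTC> user=<id> event=<push_sent|push_denied|push_timeout|push_approved> ip=<addr> country=<cc>
# Timestamps are compressed for readability.
SAMPLE_LOG = """\
2025-02-21T02:10:05Z user=alice event=push_sent ip=203.0.113.7 country=RO
2025-02-21T02:10:09Z user=alice event=push_denied ip=203.0.113.7 country=RO
2025-02-21T02:10:20Z user=alice event=push_sent ip=203.0.113.7 country=RO
2025-02-21T02:10:50Z user=alice event=push_timeout ip=203.0.113.7 country=RO
2025-02-21T02:11:00Z user=alice event=push_sent ip=203.0.113.7 country=RO
2025-02-21T02:11:03Z user=alice event=push_denied ip=203.0.113.7 country=RO
2025-02-21T02:11:20Z user=alice event=push_sent ip=203.0.113.7 country=RO
2025-02-21T02:11:29Z user=alice event=push_approved ip=203.0.113.7 country=RO
2025-02-21T09:00:00Z user=bob event=push_sent ip=198.51.100.4 country=US
2025-02-21T09:00:08Z user=bob event=push_approved ip=198.51.100.4 country=US
"""

# Countries each user has recently authenticated from (constructed baseline; in
# practice build it from the last N days of successful logins).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_PROMPTS = 3                 # assumed threshold: more than this is a flood
MIN_REJECTS = 2                 # assumed: rejections before an approval that look like fatigue


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _expire(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect(log_text, baseline=BASELINE_COUNTRIES, window=WINDOW,
           max_prompts=MAX_PROMPTS, min_rejects=MIN_REJECTS):
    """Return a list of findings, one dict per triggered rule per user."""
    by_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_user[rec["user"]].append(rec)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        prompts = deque()    # times push prompts were sent, within window
        rejects = deque()    # times prompts were denied or timed out, within window
        flood_seen = False
        for ev in events:
            now = ev["ts"]
            _expire(prompts, now, window)
            _expire(rejects, now, window)
            kind = ev["event"]
            if kind == "push_sent":
                prompts.append(now)
                # Rule 1: prompt frequency
                if len(prompts) > max_prompts and not flood_seen:
                    flood_seen = True
                    findings.append({"user": user, "rule": "prompt_flood", "at": now,
                                     "detail": f"{len(prompts)} prompts within {window}"})
            elif kind in ("push_denied", "push_timeout"):
                rejects.append(now)
            elif kind == "push_approved":
                # Rule 2: denials followed soon by an approval
                if len(rejects) >= min_rejects:
                    findings.append({"user": user, "rule": "deny_then_approve", "at": now,
                                     "detail": f"{len(rejects)} rejections before approval"})
                # Rule 3: approval from a location outside the user's baseline
                if ev["country"] not in baseline.get(user, set()):
                    findings.append({"user": user, "rule": "approval_from_new_location", "at": now,
                                     "detail": f"{ev['ip']} ({ev['country']})"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['at']:%H:%M:%S} {f['user']:<6} {f['rule']:<26} {f['detail']}")
```

On the constructed log, alice trips all three rules (four prompts in 75 seconds, three rejections before the approval, and an approval from a country outside her baseline) while bob's single prompt and approval produce nothing. In production the three findings for one user within minutes should be correlated into a single incident rather than three separate alerts.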

How to Prevent Prompt Bombing

Preventing these incidents requires a layered defense strategy. No single control eliminates risk entirely, but combining multiple methods significantly reduces the attack surface. The following approaches range from simple configuration changes to advanced authentication mechanisms. Organizations should implement as many as feasible based on their risk profile, user population, and technical capabilities.

 

Limit Authentication Attempts

The simplest control for MFA bombing is capping the number of push prompts a user can receive within a given window. Even trained users may approve a push notification after being prompted ten times, so limiting prompts to, for example, three to five per window, then disabling push for that user for a cooldown period and raising an alert, removes the attacker's ability to wear the user down. Most enterprise MFA solutions include this as a standard configuration option. It is a baseline defense only: it stops the flood but not the attacker, who still holds a valid password and can return after the cooldown, so pair it with the controls below.

 

Add Contextual Information to MFA Prompts

Providing users with authentication request context (such as IP address, device type, browser, location, and timestamp) helps them identify suspicious requests. For instance, a notification flagging a login from an unfamiliar geographic location reduces blind approval by requiring conscious evaluation. Keep in mind that IP geolocation is approximate and that an attacker can route through a proxy near the victim, so context helps users spot the obvious cases but does not by itself stop a patient attacker.

 

When the push notification is received, the user can review the contextual authentication information, decide whether it is legitimate, and accept it or reject it.

Require Number Matching Verification

Number matching ties each approval to a specific login attempt: the login screen displays a short number (typically two digits) and the authenticator app requires the user to enter that same number before the approval is accepted. The user can no longer approve absent-mindedly, because they must be looking at the screen where the login is happening, and in a bombing attack that screen is in front of the attacker, not the victim. The remaining gap is an attacker who contacts the victim directly (for example, posing as the help desk) and reads the number to them, which is why training and the other controls still matter.

 

Leading identity and access management (IAM) providers now offer number matching, and several enable or enforce it by default, because it significantly improves security with only a slight increase in friction.
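A server-side push handler that combines the two controls just described: the prompt limit with a cooldown from "Limit Authentication Attempts" and number matching. This is an added example, not the original article's code or any IAM product's API; PushPolicy, its methods, and the default thresholds (three prompts per five minutes, a fifteen-minute cooldown, a sixty-second prompt lifetime) are assumed names and values chosen for illustration.

```python
"""Push-approval policy: prompt rate limit with cooldown, plus number matching.

Added example; PushPolicy and its method names are illustrative, not a Ping
Identity or any other vendor API. Thresholds are assumptions to tune.
"""
import secrets
import time
from collections import defaultdict, deque


class PushPolicy:
    def __init__(self, max_prompts=3, window_s=300, cooldown_s=900,
                 prompt_ttl_s=60, clock=time.time):
        self.max_prompts = max_prompts    # prompts allowed per window
        self.window_s = window_s          # sliding window for the count
        self.cooldown_s = cooldown_s      # how long push stays disabled after a flood
        self.prompt_ttl_s = prompt_ttl_s  # how long one prompt stays answerable
        self.clock = clock                # injectable for tests
        self._sent = defaultdict(deque)   # user -> times prompts were sent
        self._locked_until = {}           # user -> epoch seconds
        self._pending = {}                # user -> (number, expires_at, ip)
        self.alerts = []                  # events the SOC should see

    def _lock(self, user, now, reason):
        self._locked_until[user] = now + self.cooldown_s
        self._pending.pop(user, None)     # an in-flight prompt cannot be approved any more
        self.alerts.append({"user": user, "reason": reason, "at": now})

    def request_push(self, user, ip):
        """Called after a correct password. Returns ('sent', number) or ('locked', seconds)."""
        now = self.clock()
        remaining = self._locked_until.get(user, 0) - now
        if remaining > 0:
            return ("locked", remaining)
        q = self._sent[user]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_prompts:
            # One prompt too many inside the window: stop pushing and tell the SOC.
            self._lock(user, now, "push rate limit exceeded")
            return ("locked", self.cooldown_s)
        q.append(now)
        # Number matching: this value is shown on the login screen, and the
        # authenticator app demands it, so whoever approves must be looking at
        # the screen the attacker controls.
        number = secrets.randbelow(100)
        self._pending[user] = (number, now + self.prompt_ttl_s, ip)
        return ("sent", number)

    def approve(self, user, entered):
        """Called by the authenticator app. True only for a fresh prompt with the right number."""
        now = self.clock()
        pending = self._pending.pop(user, None)   # one attempt per prompt
        if pending is None:
            return False
        number, expires_at, _ip = pending
        if now > expires_at:
            return False
        try:
            entered = int(entered)
        except (TypeError, ValueError):
            return False
        # Constant-time compare is overkill for two digits but is the habit to keep.
        return secrets.compare_digest(f"{number:02d}", f"{entered:02d}")

    def report_fraud(self, user):
        """The user tapped 'It was not me': disable push at once and alert."""
        self._lock(user, self.clock(), "user reported an unsolicited prompt")


if __name__ == "__main__":
    policy = PushPolicy()
    for attempt in range(5):
        status, value = policy.request_push("alice", "203.0.113.7")
        print(attempt + 1, status, value)
    print(policy.alerts)
```

The handler locks push for the user and records an alert the moment the limit is hit, rather than silently dropping the extra prompt; a fraud report from the user does the same immediately. Because a pending prompt is consumed on the first approve call and invalidated by a lock, an attacker cannot keep an old prompt alive to be approved later.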

Leverage Device Trust Signals

Authenticating the device in addition to the user creates a more complete trust picture. Organizations can establish a known device inventory and require MFA only for unknown or noncompliant devices. Advanced threat protection capabilities can assess device posture alongside user credentials. If an unknown device attempts access even after approval, the system can trigger additional verification or block the request entirely.

 

Use Risk-Based Authentication

Beyond tweaking the settings of MFA prompts, risk-based authentication (RBA) is a more targeted option for dismantling MFA bombing. RBA is adaptive and helps create intelligent access policies based on data inputs and risk signals such as location, device, network, time of day, and user behavior patterns.

 

When users see prompts less frequently, they pay more attention to each one. For example, if the user signs in from a known, compliant device at a location they have used before, the account takeover risk is low and the prompt can be suppressed. If the login attempt comes from an unknown device at a location never previously used, or shortly after a burst of prompts, the risk is high and a stronger, non-push factor should be required, such as a FIDO2 authenticator, or the request should be blocked pending review. Reducing the volume of unnecessary prompts is itself a defense: a prompt that arrives only when something is unusual is one the user is more likely to read.
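A minimal risk-based decision, as an added example that is not part of the original article or of any vendor's policy engine: it scores the signals named above (device, location, time of day, a prompt burst already in progress) plus an impossible-travel check computed from the previous login, and maps the score onto a step-up ladder. Signal names, weights, thresholds and factor names are assumptions chosen for illustration.

```python
"""Risk-based authentication decision (added example, not a vendor policy engine).

Signal names, weights and thresholds are assumptions; tune them per environment.
"""
import math
from datetime import datetime

# Step-up ladder, weakest to strongest. Assumed factor names.
NONE = "none"
PUSH_WITH_NUMBER_MATCH = "push_number_match"
FIDO2 = "fido2"
BLOCK = "block_and_alert"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev, curr, max_kmh=900.0):
    """prev/curr are (lat, lon, datetime). True if the user would have had to
    move faster than max_kmh (roughly airliner speed) between the two logins."""
    hours = (curr[2] - prev[2]).total_seconds() / 3600.0
    if hours <= 0:
        return True
    return haversine_km(prev[0], prev[1], curr[0], curr[1]) / hours > max_kmh


def risk_score(s):
    """Additive score 0..100 from the signals discussed in the section above."""
    score = 0
    if not s["device_known"]:
        score += 40
    if not s["location_known"]:
        score += 25
    if s.get("impossible_travel"):
        score += 40
    if s.get("recent_push_prompts", 0) >= 3:
        score += 30          # a prompt flood is already under way for this user
    if s.get("anonymizing_network"):
        score += 20
    if not 6 <= s.get("local_hour", 12) < 22:
        score += 10
    return min(score, 100)


def required_factor(score, user_has_fido2):
    """Map the score onto the step-up ladder."""
    if score < 20:
        return NONE                       # known device, known place: no prompt at all
    if score < 60:
        return PUSH_WITH_NUMBER_MATCH     # a prompt the user must read, not just tap
    if user_has_fido2:
        return FIDO2                      # nothing an attacker can trigger remotely
    return BLOCK                          # high risk and no strong factor: stop and alert


def decide(signals, user_has_fido2=False):
    return required_factor(risk_score(signals), user_has_fido2)


if __name__ == "__main__":
    # Constructed sample: New York at 10:00, then London at 11:00 the same day.
    nyc = (40.7128, -74.0060, datetime(2025, 2, 21, 10, 0))
    lon = (51.5074, -0.1278, datetime(2025, 2, 21, 11, 0))
    print("impossible travel:", impossible_travel(nyc, lon))
    print(decide({"device_known": True, "location_known": True, "local_hour": 10}))
    print(decide({"device_known": True, "location_known": True, "local_hour": 10,
                  "recent_push_prompts": 4}))
    print(decide({"device_known": False, "location_known": False, "local_hour": 3,
                  "impossible_travel": impossible_travel(nyc, lon)}, user_has_fido2=True))
```

Note that a burst of recent prompts pushes the decision off plain push and onto number matching even for a known device: the policy uses the bombing attempt itself as a risk signal, which is the kind of feedback loop a static MFA configuration cannot provide.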

 

Implement Phishing-Resistant Authentication (FIDO2)

FIDO2 (Fast Identity Online, used through the WebAuthn browser API) replaces the shared secret and the push prompt with public-key cryptography. The authenticator, whether a hardware security key or a platform authenticator such as Face ID, Touch ID, or Windows Hello, holds a private key that never leaves the device and signs a challenge from the service. The biometric or PIN only unlocks that key locally; it is never transmitted. Because the signature is produced on the user's own device, and only after the user touches or unlocks it, there is no remote approval an attacker can trigger or flood.

 

FIDO2 also binds each key to the web origin it was registered on, so a credential phished through a look-alike site or an adversary-in-the-middle proxy simply does not validate. That makes it resistant to phishing, proxy-based interception, and prompt flooding alike. Two caveats apply: it only helps if weaker fallbacks such as push or SMS are disabled for that user, since an attacker will otherwise choose the fallback, and hardware keys carry a cost. It is therefore ideal for high-risk users such as executives and IT administrators, and supporting it through passwordless and adaptive MFA flows improves usability while strengthening security.

 

Educate Users on MFA Security

Organizations must put strong security tools in place to protect themselves and their users, but user education is another key part of stopping MFA bombing attacks. This is especially true for segments of the population, such as the elderly, who may be less familiar with modern smartphone technology.

 

Organizations should educate users on their MFA policies so people know what to expect when they log in to a digital property. Beyond that, teaching users about online fraud techniques like prompt bombing is a great way to spread awareness, while also giving them the tools to protect themselves.

Strengthen Your MFA Security

Prompt bombing highlights the need for more intelligent authentication. Organizations should look for platforms that offer continuous risk assessment, the ability to orchestrate and adjust authentication flows without custom code, and support for multiple authentication methods, including FIDO2 and biometrics. Working together, these capabilities create layered defenses against prompt flooding and approval abuse and help organizations reduce risk while keeping the user experience smooth.

Frequently Asked Questions

 

Here are answers to some of the most common questions we hear about MFA prompt bombing and how to defend against it.

What is MFA prompt bombing?

MFA prompt bombing (also called MFA bombing or push bombing) is a social engineering technique where an attacker floods a user with repeated authentication requests until one is approved.

How do attackers carry it out?

Attackers first obtain valid login credentials through phishing or data breaches. They then repeatedly attempt to log in, generating many push prompts until the user approves one.

What are the warning signs?

Key indicators include receiving multiple prompts when you are not attempting to log in, notifications arriving in rapid succession, or requests showing unfamiliar locations.

Can the attack be automated?

Yes. Attackers often use scripts to generate large volumes of authentication requests with little manual effort, allowing them to target many users quickly.

Is push-based MFA still safe to use?

Push notifications remain a valid method when implemented with safeguards like number matching, contextual details, and rate limiting. For sensitive roles, consider phishing-resistant options like FIDO2.
