Attackers Are Bypassing Your MFA

TL;DR: Multi-factor authentication (MFA) is being defeated by a simple tactic. Attackers with stolen credentials spam users with login approval requests, hoping to trick them into granting access out of confusion or fatigue. This method bypasses a core security protection without stealing the second factor.
Key facts
- Category: Cybersecurity
- Impact: High
- Published:
- Source: The Hacker News
Full summary
Attackers are defeating multi-factor authentication by flooding users with approval requests until one is accepted, bypassing a key security defense.
Multi-factor authentication (MFA) was designed to be a robust defense, protecting accounts even if passwords were compromised. The system works on the principle that an attacker who steals a password still cannot access the second factor, such as a push notification or a code. However, attackers are now exploiting this process by focusing on the human element rather than the technology. After obtaining valid credentials, they initiate repeated login attempts, which floods the legitimate user's device with a constant stream of MFA approval prompts. The strategy doesn't involve hacking the second factor; it relies on overwhelming the user.
This technique, known as MFA fatigue or prompt bombing, is effective because it preys on common user behaviors. A person focused on their work may approve a prompt by accident, or may become so inundated with alerts that they approve one simply to stop the notifications. This turns a security feature into a vector for a breach. The technique affects any organization whose push-based MFA lets a user approve a sign-in with a single tap, and it only works after the attacker already holds a valid password, so a burst of unexpected prompts is itself evidence that the password is compromised. It shows that technical controls alone are insufficient, and it forces IT and security teams to re-evaluate their authentication strategies and recognize that even widely adopted security measures can be undermined through simple social engineering.
Why it matters
This attack vector bypasses a foundational security control (MFA) by exploiting human behavior rather than technical flaws, forcing companies to rethink their authentication strategies and user training.
Business impact
Successful MFA fatigue attacks can lead to account takeovers, data breaches, and unauthorized access to sensitive corporate systems. This undermines security investments and increases the risk of significant financial and reputational damage, as it invalidates a widely trusted security measure.
⚡ Action needed
Review MFA policies and educate users to defend against prompt bombing, a tactic that bypasses standard authentication by exploiting user fatigue.
Action checklist
1. Review the current MFA implementation for exposure to prompt bombing: identify every factor that can be approved with a single tap, and prefer number matching (the user types a code shown on the login screen into the authenticator) wherever the provider offers it.
2. Educate employees on MFA fatigue: an unexpected prompt should be denied and reported, never approved to stop the noise, and a burst of unexpected prompts means the password is already compromised and must be reset.
3. Plan a move to phishing-resistant MFA, such as FIDO2/WebAuthn, which involves no push prompt that could be approved in error.
4. Rate-limit push prompts per user where possible, so that a few denied or unanswered prompts in a short window stop further pushes and raise an alert.
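The pattern described in the summary above (a run of denied or unanswered push prompts followed by a single approval) and checklist items 1 and 4 can both be turned into code. The following is an added example written for this page, not code from The Hacker News article or from any identity provider; it assumes a simple key=value log format for push-MFA results, and the field names, thresholds and sample log lines are constructed for illustration.

```python
"""Detect MFA prompt bombing in push-MFA logs and throttle push prompts.

Added example. The log format (timestamp, then key=value fields) and the
field names user/event/result/src are assumptions, not a real vendor format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one normal login by bob, then a burst of prompts
# against alice that ends in an approval (the fatigue pattern). Not real data.
SAMPLE_LOG = """\
2024-05-01T01:00:00Z user=bob event=push_result result=approved src=10.0.0.5
2024-05-01T02:10:00Z user=alice event=push_result result=denied src=203.0.113.7
2024-05-01T02:10:20Z user=alice event=push_result result=timeout src=203.0.113.7
2024-05-01T02:10:40Z user=alice event=push_result result=denied src=203.0.113.7
2024-05-01T02:11:00Z user=alice event=push_result result=timeout src=203.0.113.7
2024-05-01T02:11:20Z user=alice event=push_result result=denied src=203.0.113.7
2024-05-01T02:11:40Z user=alice event=push_result result=approved src=203.0.113.7
"""


def parse_log(text):
    """Parse the assumed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_prompt_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Users who received at least `threshold` prompts (any outcome) in `window`.

    A burst of prompts the user did not initiate means the attacker already
    holds a valid password, so this warrants a reset even if nothing was approved.
    Returns {user: peak number of prompts seen inside one window}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


def find_fatigue_approvals(events, window=timedelta(minutes=5), threshold=3):
    """Approvals preceded by at least `threshold` denied/timed-out prompts.

    This is the high-severity signal: the user gave in. Returns a list of
    (user, approval_timestamp, number_of_prior_unapproved_prompts).
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    hits = []
    for ev in events:
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "approved":
            if len(q) >= threshold:
                hits.append((ev["user"], ev["ts"], len(q)))
            q.clear()  # a granted session ends this run of prompts
        else:
            q.append(ev["ts"])
    return hits


class PushThrottle:
    """Server-side cap on push prompts per user in a sliding window.

    Once the cap is hit, `allow` returns False: the login flow should stop
    pushing and fall back to number matching or a different factor, and alert.
    """

    def __init__(self, max_prompts=3, window=timedelta(minutes=10)):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)

    def allow(self, user, now):
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False
        q.append(now)
        return True


def throttle_demo():
    """Five prompts 20 s apart, then one after the window has passed."""
    t0 = datetime(2024, 5, 1, 2, 0, 0)
    th = PushThrottle(max_prompts=3, window=timedelta(minutes=10))
    results = [th.allow("alice", t0 + timedelta(seconds=20 * i)) for i in range(5)]
    results.append(th.allow("alice", t0 + timedelta(minutes=11)))
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("prompt bursts:", find_prompt_bursts(evs))
    print("fatigue approvals:", find_fatigue_approvals(evs))
    print("throttle decisions:", throttle_demo())
```

On the constructed sample, the burst detector flags alice with six prompts in under two minutes, and the fatigue detector reports her approval as preceded by five unapproved prompts; bob's single approved prompt is not flagged. The throttle allows three prompts, refuses the fourth and fifth, and allows again once the window has passed. The thresholds are starting points to tune against your own prompt volumes; the point of the two separate detectors is that the burst alone already justifies a password reset, while the approval after a burst justifies treating the session as compromised.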
Primary source: The Hacker News