Last Updated: March 2026
Multi-Factor Authentication (MFA) has long been considered one of the most effective security controls for protecting corporate accounts. However, attackers have evolved their tactics to bypass even this protection using a technique known as MFA fatigue attacks, also commonly called MFA bombing or push notification attacks.
Instead of attempting to break MFA directly, attackers exploit human behavior. They repeatedly send authentication prompts to a targeted user until the user eventually approves one—often out of frustration or confusion.
This attack method has become increasingly common in enterprise environments, particularly against Microsoft 365, VPNs, remote desktop gateways, and cloud identity providers.
Several major cyber incidents in recent years—including breaches affecting global corporations—have involved MFA fatigue tactics. Attackers combine credential theft with persistent authentication requests until a user unintentionally grants access.
In this guide, we will explore:
- What MFA fatigue attacks are
- How attackers launch them
- How to detect them in enterprise environments
- Practical security strategies to prevent them
This article focuses on real-world IT defense strategies used by modern security teams.
Quick Fix Summary
If you suspect MFA fatigue attacks in your environment:
- Enable number matching or phishing-resistant MFA
- Monitor repeated MFA push requests in sign-in logs
- Implement Conditional Access risk-based policies
- Configure account lockout after excessive MFA prompts
- Educate users to never approve unexpected MFA requests
Combining technical controls with user awareness dramatically reduces the success of MFA fatigue attacks.
What Is an MFA Fatigue Attack?
An MFA fatigue attack occurs when an attacker continuously attempts to authenticate to a user account using stolen credentials.
Each login attempt triggers an MFA push notification to the legitimate user.
The attacker hopes the user will eventually:
- accidentally approve the request
- approve it to stop the notifications
- assume it is a legitimate login
Once the user approves the request, the attacker gains full access to the account.
How MFA Fatigue Attacks Work
Understanding the attack sequence helps IT teams detect and stop it.
Step 1: Credential Theft
The attacker first obtains a valid username and password using techniques such as:
- phishing campaigns
- credential stuffing
- malware or infostealers
- password reuse from breached sites
Because MFA is enabled, the credentials alone are not enough.
Step 2: Repeated Authentication Attempts
The attacker repeatedly attempts to sign in using the stolen credentials.
Each attempt generates an MFA request sent to the user’s device.
Examples include:
- Microsoft Authenticator push notifications
- Duo push notifications
- Okta verification prompts
Step 3: User Fatigue or Confusion
After receiving dozens of authentication prompts, the user may eventually approve one.
Common reasons include:
- annoyance from repeated prompts
- confusion about system activity
- misunderstanding security notifications
This moment of human error allows the attacker to bypass MFA protection.
Why MFA Fatigue Attacks Are Increasing
Several factors have contributed to the rise of these attacks.
Widespread MFA Adoption
As MFA becomes mandatory in many organizations, attackers have shifted to social engineering techniques rather than technical bypass methods.
Push-Based MFA Is Convenient but Vulnerable
Push notifications are easy for users but introduce risk because approval requires only a single tap.
This convenience is exactly what attackers exploit.
Automated Attack Tools
Modern attack frameworks automate MFA bombardment attempts against identity providers.
These tools can generate hundreds of login attempts per minute, increasing the chances of eventual user approval.
Step-by-Step: How to Detect MFA Fatigue Attacks
Step 1: Review Sign-In Logs
Identity platforms provide logs showing authentication activity.
In Microsoft environments, administrators should review:
Microsoft Entra ID → Sign-in Logs
Look for patterns such as:
- repeated login attempts
- multiple MFA prompts
- failed authentication loops
- suspicious geographic login attempts
Step 2: Identify Excessive MFA Requests
A key indicator of MFA fatigue is a high number of authentication prompts within a short time period.
Example pattern:
- 15–30 MFA requests within minutes
- repeated authentication failures
- eventual successful approval
This behavior strongly indicates an MFA bombing attempt.
Step 3: Monitor Risky Sign-Ins
Modern identity platforms analyze login behavior and assign risk levels.
Administrators should monitor:
- unfamiliar login locations
- impossible travel scenarios
- anonymous proxy usage
- high-risk sign-in alerts
Risk-based detection often identifies MFA fatigue attempts before they succeed.
Step 4: Review Conditional Access Logs
Conditional Access policies often trigger when suspicious activity occurs.
Review logs for:
- blocked login attempts
- enforced MFA challenges
- device compliance failures
These logs help security teams reconstruct attack timelines.
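The log review in Steps 1 and 2 can be scripted. The Python below is an added example, not code from the original article: it walks a small constructed batch of sign-in records (field names modeled on a Microsoft Entra ID sign-in log export: createdDateTime, userPrincipalName, ipAddress, status.errorCode, mfaDetail.authMethod) and flags any user who receives a threshold number of push prompts inside a sliding window, reporting how many prompts were declined or timed out, the source IPs, and whether a successful sign-in sits inside the burst. The threshold of 10 prompts in 10 minutes, the sample users and the addresses are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Detection thresholds are assumptions for this example, not figures from the
# article; tune them to the normal MFA volume in your tenant.
PROMPT_THRESHOLD = 10
WINDOW = timedelta(minutes=10)

# Entra sign-in error AADSTS500121: the strong-authentication (MFA) step was not
# completed, i.e. the push was declined, ignored or timed out.
MFA_FAILED = 500121


def _build_sample_log():
    """Constructed records shaped like an Entra ID sign-in log export (not real data)."""
    base = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)
    records = []
    # Attacker holding a valid password fires a push every 20 seconds; twelve are
    # declined or ignored, then the thirteenth is approved by the worn-down user.
    for i in range(13):
        approved = i == 12
        records.append({
            "createdDateTime": (base + timedelta(seconds=20 * i)).isoformat(),
            "userPrincipalName": "j.doe@example.com",
            "ipAddress": "203.0.113.10",
            "status": {"errorCode": 0 if approved else MFA_FAILED},
            "mfaDetail": {"authMethod": "Mobile app notification"},
        })
    # Unrelated user with one ordinary, successful sign-in.
    records.append({
        "createdDateTime": (base + timedelta(minutes=3)).isoformat(),
        "userPrincipalName": "a.smith@example.com",
        "ipAddress": "198.51.100.7",
        "status": {"errorCode": 0},
        "mfaDetail": {"authMethod": "Mobile app notification"},
    })
    return records


SAMPLE_LOG = json.dumps(_build_sample_log())


def detect_mfa_fatigue(log_json, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one alert per user whose MFA prompts reach `threshold` inside `window`.

    Each alert carries the prompt count, how many were declined or timed out, the
    source IPs, and whether a successful sign-in sits inside the burst (meaning
    the attacker's prompt was approved)."""
    by_user = defaultdict(list)
    for rec in json.loads(log_json):
        if not (rec.get("mfaDetail") or {}).get("authMethod"):
            continue  # sign-ins that never reached an MFA step are not prompts
        ts = datetime.fromisoformat(rec["createdDateTime"])
        by_user[rec["userPrincipalName"]].append(
            (ts, rec["ipAddress"], rec["status"]["errorCode"]))

    alerts = []
    for upn, events in by_user.items():
        events.sort()
        # Sliding window: keep the densest window that meets the threshold.
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count, end)
        if best is None:
            continue
        s, count, e = best
        burst = events[s:e + 1]
        alerts.append({
            "user": upn,
            "prompts": count,
            "failed_prompts": sum(1 for _, _, code in burst if code == MFA_FAILED),
            "source_ips": sorted({ip for _, ip, _ in burst}),
            "success_within_burst": any(code == 0 for _, _, code in burst),
            "first_seen": burst[0][0].isoformat(),
            "last_seen": burst[-1][0].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

On the constructed data this raises a single alert for j.doe@example.com: 13 prompts in four minutes, 12 of them failed, one source IP, and a success inside the burst, which is exactly the "many failures, then an approval" shape described in Step 2. The same loop can be pointed at a real export by replacing SAMPLE_LOG with the file contents; the source-IP list feeds directly into the risky sign-in and location checks of Step 3.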
How to Prevent MFA Fatigue Attacks
Use Number Matching for MFA
One of the most effective protections is number matching authentication.
Instead of simply approving a push notification, the user must type into the authenticator app the number shown on the login screen.
This prevents attackers from blindly sending push requests.
Microsoft has already made number matching the default in Microsoft Authenticator.
Implement Phishing-Resistant MFA
Stronger authentication methods eliminate push notification abuse.
Examples include:
- FIDO2 security keys
- Windows Hello for Business
- certificate-based authentication
These methods require physical presence or cryptographic validation.
Configure MFA Request Rate Limits
Some identity providers allow administrators to limit authentication attempts.
This prevents attackers from generating hundreds of push notifications.
Example controls include:
- maximum MFA prompts per hour
- temporary account lockouts
- adaptive authentication policies
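To show why number matching and prompt rate limits together defeat blind push bombing, here is an added Python simulation of the identity-provider side of a push challenge. It is not a real IdP API and not code from the article: PushMfaService, its five-prompts-per-ten-minutes budget, the 30-minute lockout and the user j.doe@example.com are all assumptions chosen for the example. The scenario runs the same attack twice, once against plain push and once against number matching, with a fatigued user who taps "Approve" on the third prompt.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Rate-limit values are assumptions for this example, not vendor defaults.
MAX_PROMPTS_PER_WINDOW = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)


@dataclass
class UserState:
    prompt_times: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None


class PushMfaService:
    """Toy identity-provider side of a push MFA challenge (not a real IdP API).

    start_challenge() runs after a correct password and "sends" the push;
    approve() is what the user's authenticator app calls back with."""

    def __init__(self, number_matching: bool = True):
        self.number_matching = number_matching
        self.users: Dict[str, UserState] = defaultdict(UserState)
        self.pending: Dict[str, Tuple[str, Optional[int]]] = {}
        self.now = datetime.now(timezone.utc)

    def start_challenge(self, user: str) -> Tuple[str, Optional[int]]:
        """Return (challenge_id, number shown on the LOGIN screen), or raise
        PermissionError once the user's prompt budget is exhausted."""
        st = self.users[user]
        if st.locked_until and self.now < st.locked_until:
            raise PermissionError("account locked after excessive MFA prompts")
        st.prompt_times = [t for t in st.prompt_times if self.now - t <= WINDOW]
        if len(st.prompt_times) >= MAX_PROMPTS_PER_WINDOW:
            st.locked_until = self.now + LOCKOUT
            raise PermissionError("MFA prompt rate limit exceeded; account locked")
        st.prompt_times.append(self.now)
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.number_matching else None
        self.pending[cid] = (user, number)
        return cid, number

    def approve(self, cid: str, entered_number: Optional[int] = None) -> bool:
        """Authenticator callback. With number matching the tap only counts if the
        user typed the number that was displayed on the login screen."""
        if cid not in self.pending:
            return False
        _, expected = self.pending.pop(cid)
        if self.number_matching:
            return entered_number is not None and entered_number == expected
        return True  # plain push: a single tap is enough

    def ignore(self, cid: str) -> None:
        """The user let the prompt time out."""
        self.pending.pop(cid, None)


def run_bombing_scenario(number_matching: bool, attempts: int = 8) -> dict:
    """Attacker with a stolen password fires push after push; the fatigued user
    taps 'Approve' on the third prompt. Returns what the attacker achieved."""
    svc = PushMfaService(number_matching=number_matching)
    delivered, attacker_in, locked = 0, False, False
    for _ in range(attempts):
        try:
            cid, _number_on_attackers_screen = svc.start_challenge("j.doe@example.com")
        except PermissionError:
            locked = True
            break
        delivered += 1
        if delivered == 3:
            # The user never started this sign-in, so the matching number is on the
            # attacker's screen, not theirs; they have nothing valid to type.
            attacker_in = svc.approve(cid, entered_number=None)
            if attacker_in:
                break
        else:
            svc.ignore(cid)
    return {"attacker_success": attacker_in,
            "prompts_delivered": delivered,
            "locked_out": locked}


def legitimate_sign_in() -> bool:
    """The real user signs in, sees the number on their own screen and types it."""
    svc = PushMfaService(number_matching=True)
    cid, number = svc.start_challenge("j.doe@example.com")
    return svc.approve(cid, entered_number=number)


if __name__ == "__main__":
    print("plain push      :", run_bombing_scenario(number_matching=False))
    print("number matching :", run_bombing_scenario(number_matching=True))
    print("legitimate user :", legitimate_sign_in())
```

With plain push the attacker is in after three prompts. With number matching the fatigued tap fails because the user has no number to enter, and the prompt budget then locks the account before the attacker can keep trying, while a genuine sign-in (where the number is on the user's own screen) still succeeds.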
Enable Risk-Based Conditional Access
Conditional Access policies can block suspicious sign-ins automatically.
Examples include:
- blocking authentication from risky countries
- requiring compliant devices
- requiring stronger authentication for risky users
These controls significantly reduce attack success rates.
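The following added Python models how the three Conditional Access examples above interact with a push prompt. The policy dictionaries use the field names of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.signInRiskLevels, conditions.locations.includeLocations, grantControls.operator, grantControls.builtInControls), but the evaluator itself is a deliberately minimal model written for this example, not Entra ID's engine, and the decision to withhold the push until the other required controls hold is this example's own ordering. The named-location id is a labelled placeholder; a real tenant uses a GUID.

```python
# Simplified Conditional Access evaluator (example code, not Entra ID's engine).
RISKY_LOCATION_ID = "<named-location-id-placeholder>"  # a real tenant uses a GUID

POLICIES = [
    {
        "displayName": "Block high-risk sign-ins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Medium-risk sign-ins need MFA and a compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["medium"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "Block sign-ins from risky named locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": [RISKY_LOCATION_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _applies(policy, signin):
    """Does every condition the policy specifies match this sign-in?"""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    if "All" not in users and signin["user"] not in users:
        return False
    risk_levels = cond.get("signInRiskLevels")
    if risk_levels and signin["sign_in_risk"] not in risk_levels:
        return False
    locations = cond.get("locations", {}).get("includeLocations")
    if locations and signin.get("named_location") not in locations:
        return False
    return True


def evaluate(signin, policies=POLICIES):
    """Return ("block", policy name) or ("grant", [(operator, controls), ...])."""
    requirements = []
    for policy in policies:
        if not _applies(policy, signin):
            continue
        grant = policy["grantControls"]
        if "block" in grant["builtInControls"]:
            return "block", policy["displayName"]
        requirements.append((grant["operator"], grant["builtInControls"]))
    return "grant", requirements


def should_send_push(signin) -> bool:
    """Only prompt the user when the sign-in is not blocked and a push could
    actually complete the grant: under AND every other control must already
    hold, so an attacker without a compliant device never gets to bombard anyone.
    `signin["satisfied"]` is the set of controls already proven (this example's shape)."""
    decision, requirements = evaluate(signin)
    if decision == "block":
        return False
    have = signin.get("satisfied", set())
    for operator, controls in requirements:
        others = [c for c in controls if c != "mfa"]
        if operator == "AND" and not all(c in have for c in others):
            return False
        if operator == "OR" and "mfa" not in controls and not any(c in have for c in controls):
            return False
    return True


if __name__ == "__main__":
    attacker = {"user": "j.doe@example.com", "sign_in_risk": "medium", "satisfied": set()}
    employee = {"user": "j.doe@example.com", "sign_in_risk": "medium",
                "satisfied": {"compliantDevice"}}
    print("attacker gets a push? ", should_send_push(attacker))
    print("employee gets a push? ", should_send_push(employee))
```

In this model a high-risk sign-in or one from the risky named location is blocked outright, a medium-risk sign-in from an unmanaged device never reaches the push step, and only the employee on a compliant device receives a prompt at all, which is what removes the attacker's opportunity to generate fatigue.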
Educate Users About MFA Prompts
User awareness remains one of the most important defenses.
Employees should be trained to:
- never approve unexpected MFA requests
- report suspicious authentication prompts
- immediately reset passwords if suspicious activity occurs
Security teams should treat unexpected MFA prompts as potential attack indicators.
Real-World Security Insight
In many enterprise environments, MFA fatigue attacks are discovered only after security teams analyze authentication logs.
Often the attacker already had valid credentials for weeks before launching the MFA bombardment.
This means the real security gap was not MFA itself, but credential compromise that went undetected.
Organizations that combine MFA with:
- identity protection
- risk-based authentication
- device compliance policies
are far more resilient against these attacks.
FAQ
What is an MFA fatigue attack?
An MFA fatigue attack occurs when attackers repeatedly send MFA authentication requests to a user in hopes the user eventually approves one.
Are MFA fatigue attacks common?
Yes. MFA fatigue attacks have increased significantly in recent years as organizations deploy MFA protections.
What is MFA bombing?
MFA bombing is another name for MFA fatigue attacks where attackers send repeated push notifications to overwhelm a user.
How can users recognize an MFA fatigue attack?
Users should suspect an attack if they receive multiple MFA prompts without attempting to sign in themselves.
What is the best protection against MFA fatigue attacks?
FIDO2 security keys and other phishing-resistant authentication methods provide the strongest protection; where push-based MFA remains in use, number matching is the most effective hardening.
Conclusion
MFA fatigue attacks demonstrate that cybersecurity threats increasingly target human behavior rather than technical vulnerabilities.
While MFA remains one of the most important security protections available, push-based authentication methods introduce new risks when attackers exploit user fatigue and confusion.
Organizations can defend against these attacks by combining:
- phishing-resistant authentication methods
- Conditional Access policies
- sign-in monitoring and alerts
- user security awareness training
For IT professionals managing cloud identity platforms like Microsoft 365, preventing MFA fatigue attacks requires a layered security approach that combines technology with user education.
When implemented correctly, MFA remains a powerful defense against account compromise and identity-based cyber threats.
Last Updated
This article reflects current identity security threats and modern authentication best practices.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
