October 9, 2025

Understanding MFA fatigue attacks: How they work and how to defend against them

Learn how attackers exploit human behavior to bypass multi-factor authentication, and how to stop them.

Multi-Factor Authentication (MFA) is one of the most effective security measures to protect against unauthorized access. It adds an additional layer of verification beyond just a password, like an app push notification, one-time code, or biometric check.

However, attackers have evolved. One of the most successful recent tactics used by cybercriminals is the MFA fatigue attack (also known as MFA bombing). This type of social engineering attack takes advantage of human behavior, not technical flaws, to bypass MFA protections.

In this article, we’ll break down what MFA fatigue is, how it works, how it differs from other attacks, and the technical and procedural steps you can take to prevent and detect it.

What is an MFA fatigue attack?

MFA fatigue refers to the deliberate, repeated triggering of authentication requests (usually push notifications) on a legitimate user’s device. The goal is to annoy or exhaust the user until they finally approve one of the requests, granting the attacker access.

The attack leverages a simple human weakness: fatigue and complacency. If a user receives dozens or hundreds of MFA prompts (especially outside of normal work hours), they might assume it's a system glitch and approve one just to stop the notifications.

How MFA fatigue works

  1. Credential theft (initial access): The attacker first steals or guesses the victim’s username and password through phishing, brute force, or credential stuffing (using leaked credentials).
  2. Repeated MFA requests: With valid credentials in hand, the attacker attempts to log in repeatedly. Each attempt triggers an MFA push notification to the victim’s phone or app.
  3. User confusion and annoyance: The victim starts receiving a flood of notifications. At first, they ignore them. But over time, frustration sets in.
  4. Accidental or deliberate approval: Eventually, the user approves a request, sometimes thinking it’s a legitimate login attempt, or just to stop the noise.
  5. Account compromise: Once approved, the attacker gains access to the account or system, often leading to lateral movement, data exfiltration, or privilege escalation.

MFA fatigue vs. MFA bombing

These terms are often used interchangeably. Both describe the same core concept: overwhelming a user with MFA prompts to trick them into approving one.

However, “MFA bombing” sometimes refers to a more aggressive, targeted version of the attack, where the attacker combines MFA spamming with direct contact, such as phishing messages or phone calls pretending to be IT support (“Hi, this is the IT team—please approve the login we’re testing”).

In short:

  • MFA fatigue: Relies purely on repeated notifications.
  • MFA bombing: May combine push fatigue with social engineering to increase success.

How to protect against MFA fatigue attacks

1. Use number matching for push notifications

Modern MFA systems (like Microsoft Authenticator or Okta Verify) can require users to enter a number shown on the login screen instead of just tapping “Approve.”

This prevents attackers from gaining access through blind approvals, since they don’t see the number shown on the victim’s screen.

2. Limit push notifications and add rate limits

Implement controls to:

  • Restrict the number of MFA requests that can be sent in a short period.
  • Automatically block or suspend accounts with excessive failed MFA attempts.
  • Introduce cooldown periods to prevent continuous spamming.
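As an added example (not code from this article or from WorkOS), the following sliding-window push limiter implements the three controls above: a per-user cap on prompts in a window, a cooldown once the cap is hit, and automatic suspension after repeated denials. The class names and thresholds are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Set


@dataclass
class PushPolicy:
    """Constructed thresholds; tune to your environment."""
    max_prompts: int = 5       # prompts allowed per sliding window
    window_secs: int = 300     # sliding window length
    cooldown_secs: int = 900   # no prompts sent after the cap is hit
    max_denials: int = 3       # denials before the account is suspended


@dataclass
class PushGuard:
    """Hypothetical gate the IdP calls before sending a push prompt."""
    policy: PushPolicy = field(default_factory=PushPolicy)
    prompts: Dict[str, Deque[float]] = field(default_factory=dict)
    cooldown_until: Dict[str, float] = field(default_factory=dict)
    denials: Dict[str, int] = field(default_factory=dict)
    suspended: Set[str] = field(default_factory=set)

    def request_push(self, user: str, now: float) -> str:
        """Return 'sent', 'cooldown' or 'suspended' for a login attempt at time `now`."""
        if user in self.suspended:
            return "suspended"
        if now < self.cooldown_until.get(user, 0.0):
            return "cooldown"
        q = self.prompts.setdefault(user, deque())
        # Drop prompt timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.policy.window_secs:
            q.popleft()
        if len(q) >= self.policy.max_prompts:
            # Cap reached: start a cooldown so the user stops being spammed.
            self.cooldown_until[user] = now + self.policy.cooldown_secs
            return "cooldown"
        q.append(now)
        return "sent"

    def record_denial(self, user: str) -> str:
        """Count a denied prompt; suspend the account once denials pile up."""
        self.denials[user] = self.denials.get(user, 0) + 1
        if self.denials[user] >= self.policy.max_denials:
            self.suspended.add(user)
            return "suspended"
        return "ok"
```

A suspended account should route to a help-desk unlock flow rather than silently re-enabling, since repeated denials are themselves a signal worth reviewing.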

3. Implement context-aware authentication

Use adaptive MFA that considers factors like:

  • Geolocation (e.g., blocking requests from unusual countries)
  • Device trust (e.g., requiring MFA only from new or unregistered devices)
  • Behavioral baselines (e.g., flagging logins outside normal hours or IP ranges)

This reduces unnecessary MFA prompts and helps detect suspicious activity early.

4. Educate users

Users should be trained to:

  • Never approve an MFA request that they didn’t initiate.
  • Report unexpected MFA prompts immediately to IT/security teams.
  • Recognize that MFA prompts can be part of an attack, not just a technical glitch.

5. Enforce phishing-resistant MFA

Use stronger, phishing-resistant forms of MFA such as:

  • Hardware security keys (FIDO2/WebAuthn)
  • Platform authenticators (Windows Hello, Touch ID)
  • Passkeys

These technologies prevent attackers from triggering remote MFA requests entirely: the authenticator answers a cryptographic challenge bound to the site’s origin and only after a local user gesture, so there is no push prompt an attacker can cause to appear on the victim’s device.

Best practices for detecting MFA fatigue attacks

Security monitoring teams should configure alerts for:

  • Multiple MFA requests within short time intervals
  • Repeated MFA denials or cancellations
  • Unusual geographic access patterns
  • MFA approval immediately following a burst of failures

Tools such as SIEM systems (Splunk, Sentinel, Datadog) or Identity Provider logs (Okta, Azure AD) can be used to correlate suspicious MFA activity with authentication attempts.
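As an added example (not code from this article or from any SIEM or IdP vendor), the following detection logic runs the four alert conditions above over constructed IdP-style events: a burst of prompts, repeated denials, an approval immediately after a burst of denials, and access from a country outside the user’s baseline. The event shape, user names and baseline table are made up for the example.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample events in an IdP-style shape (not real Okta/Entra records).
EVENTS = [
    {"ts": 100, "user": "alice", "event": "push_sent",     "country": "US"},
    {"ts": 101, "user": "alice", "event": "push_denied",   "country": "US"},
    {"ts": 130, "user": "alice", "event": "push_sent",     "country": "US"},
    {"ts": 131, "user": "alice", "event": "push_denied",   "country": "US"},
    {"ts": 160, "user": "alice", "event": "push_sent",     "country": "US"},
    {"ts": 162, "user": "alice", "event": "push_denied",   "country": "US"},
    {"ts": 190, "user": "alice", "event": "push_sent",     "country": "US"},
    {"ts": 220, "user": "alice", "event": "push_approved", "country": "US"},
    {"ts": 300, "user": "bob",   "event": "push_sent",     "country": "US"},
    {"ts": 305, "user": "bob",   "event": "push_approved", "country": "US"},
    {"ts": 400, "user": "carol", "event": "push_sent",     "country": "RO"},
]

# Constructed per-user baseline; in practice derived from UBA or login history.
BASELINE_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}


def detect_mfa_fatigue(events, window: int = 300, burst: int = 3) -> Dict[str, List[str]]:
    """Return sorted alert names per user for the four conditions in the text."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        found = set()
        for i, e in enumerate(evs):
            # This user's earlier events that fall inside the look-back window.
            recent = [r for r in evs[:i] if e["ts"] - r["ts"] <= window]
            sent = sum(r["event"] == "push_sent" for r in recent)
            denied = sum(r["event"] == "push_denied" for r in recent)
            if e["event"] == "push_sent" and sent + 1 >= burst:
                found.add("prompt_burst")
            if e["event"] == "push_denied" and denied + 1 >= burst:
                found.add("repeated_denials")
            if e["event"] == "push_approved" and denied >= burst:
                found.add("approval_after_burst")   # the highest-value alert
            if e["country"] != BASELINE_COUNTRY.get(user, e["country"]):
                found.add("unusual_geo")
        if found:
            alerts[user] = sorted(found)
    return alerts
```

The approval-after-burst case deserves the highest severity, since it is the moment the attacker has actually gained a session and response should move to session revocation and credential reset.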

Adding user behavior analytics (UBA) helps identify deviations, such as approvals made during off-hours or from new devices. You can use a tool like WorkOS Radar, which provides rich visibility into authentication events and anomalies, helping security teams spot the early signs of MFA fatigue attacks and take action before users are overwhelmed.

MFA fatigue and credential theft

MFA fatigue attacks don’t start with MFA; they start with stolen credentials. Without the user’s password, the attacker can’t trigger MFA requests in the first place.

This makes it crucial to pair MFA with:

  • Passwordless authentication (e.g., passkeys or device-bound credentials)
  • Strong password hygiene and credential monitoring
  • Detection of reused or leaked credentials through services like Have I Been Pwned or internal monitoring tools

In practice, MFA fatigue is the second stage of a broader compromise chain, credential theft being the first.

Conclusion

MFA fatigue is a reminder that even the best security controls can be undermined by human factors. Attackers exploit trust, habit, and annoyance rather than technical weaknesses.

Organizations can defend themselves through a combination of technical enforcement, user training, and intelligent monitoring. By adopting number matching, adaptive MFA, and phishing-resistant methods, we can reduce both the attack surface and the likelihood of fatigue-induced approvals.

MFA is still essential, but like every security layer, it must evolve to stay resilient against human-centered attacks.
