MFA Fatigue

What is MFA Fatigue?

MFA fatigue (also called push bombing or MFA bombing) exploits human psychology rather than technical vulnerabilities. After obtaining a victim’s username and password through phishing or credential theft, attackers trigger repeated MFA push notifications to the victim’s phone. The barrage may occur at inconvenient times—late at night, early morning, or during meetings—when victims are more likely to approve requests without careful consideration. Some attackers combine push bombing with vishing, calling victims while posing as IT support and instructing them to approve the MFA prompt to “resolve a technical issue.” High-profile breaches at Uber and Cisco involved MFA fatigue attacks. The technique succeeds because it transforms MFA from a security control into an annoyance that users circumvent.

Business Impact

MFA fatigue undermines organizations’ investments in multi-factor authentication, which many security programs treat as definitive account protection. Successful attacks enable account takeover despite MFA implementation, giving attackers access to corporate systems, email, and sensitive data. The Uber breach demonstrated how a single compromised account can cascade into broad network access. Organizations must balance MFA security with user experience: overly burdensome authentication frustrates users and increases susceptibility to fatigue attacks. Incident response is complicated because the victim technically approved the access, creating ambiguity in logs and accountability.
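A defender's view of the pattern described above, as an added example that is not part of the original page: it flags a burst of denied or timed-out push prompts for one user and marks the case where the burst ends in an approval, the log entry that otherwise looks legitimate. The log format, event names, five-prompt threshold, ten-minute window and working hours are assumptions; map them to your identity provider's real fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): ISO time, user, push outcome.
SAMPLE_LOG = """\
2024-05-02T02:11:05 alice push_denied
2024-05-02T02:11:40 alice push_timeout
2024-05-02T02:12:10 alice push_denied
2024-05-02T02:13:02 alice push_timeout
2024-05-02T02:13:55 alice push_denied
2024-05-02T02:14:30 alice push_approved
2024-05-02T09:00:12 bob push_approved
2024-05-02T13:30:00 carol push_denied
2024-05-02T13:30:45 carol push_approved
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, user, outcome = line.split()
        yield datetime.fromisoformat(ts), user, outcome

def find_push_fatigue(log, window=timedelta(minutes=10), threshold=5):
    """Return one finding per burst of unapproved prompts for a user."""
    recent = defaultdict(deque)  # user -> times of denied/timed-out prompts
    findings = []
    for ts, user, outcome in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) == threshold:
                findings.append({
                    "user": user, "start": q[0], "prompts": len(q),
                    # Assumed working hours 07:00-19:00; bursts outside are noted.
                    "off_hours": not 7 <= q[0].hour < 19,
                    "approved_at": None,
                })
        elif outcome == "push_approved":
            if len(q) >= threshold:
                # The approval looks valid on its own; the preceding burst is
                # the context that makes it a likely coerced approval.
                last = next(f for f in reversed(findings) if f["user"] == user)
                last.update(prompts=len(q), approved_at=ts)
            q.clear()
    return findings

if __name__ == "__main__":
    for finding in find_push_fatigue(SAMPLE_LOG):
        print(finding)
```

A finding with `approved_at` set is the one to escalate first, since the session it opened is already live.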

Allure Security's Approach

Preventing MFA fatigue begins with understanding how attackers obtain credentials that enable these attacks. By monitoring for phishing campaigns targeting your employees, detecting credential exposure on dark web markets, and identifying account takeover attempts, organizations can disrupt the attack chain before MFA fatigue becomes possible. Threat intelligence about tactics targeting your organization informs security awareness training on recognizing and reporting suspicious MFA prompts.
