MFA Fatigue Attacks - The New Tactic of Forcing Notification Approval
MFA fatigue attacks - also known as MFA prompt bombing or push fatigue - have emerged as one of the most effective techniques for bypassing multi-factor authentication. The attacker already possesses the victim's credentials (obtained through phishing, credential stuffing, or dark web purchases) and repeatedly triggers MFA push notifications until the victim approves one out of sheer exhaustion or confusion. Mandiant's 2023 threat report documented that MFA bypass attacks more than doubled year-over-year, with push fatigue being the dominant vector. The 2022 Uber breach demonstrated the devastating real-world impact: a single approved notification gave the Lapsus$ group access to internal systems including Slack, Google Workspace, and source code repositories. This article analyzes the technical mechanics, psychological exploitation, landmark breach cases, and the concrete defenses - from number matching to FIDO2 - that neutralize this attack.
Technical Mechanics of the Attack
MFA fatigue attacks exploit a fundamental design weakness in push notification-based MFA. With traditional push-based MFA, users complete authentication simply by tapping "approve" or "deny" on a smartphone notification. While this design excels in convenience, it provides no means for users to verify the legitimacy of an authentication request. Attackers leverage the fact that each login attempt with stolen credentials triggers a push notification, sending dozens to hundreds of notifications continuously, including during late night and early morning hours.
The typical attack flow proceeds as follows. In phase one, the attacker obtains the target's username and password through phishing, purchasing leaked database credentials, or social engineering. In phase two, automated scripts repeatedly attempt login to the target service. Each attempt generates a push notification, flooding the victim's smartphone with continuous alerts. In phase three, the victim either approves a notification, or the attacker contacts them via WhatsApp or SMS impersonating IT support, saying "please approve to resolve a security issue." In the Uber case, the attacker sent push notifications for over an hour before contacting the victim via WhatsApp, posing as the IT department to encourage approval.
Detailed Analysis of the 2022 Uber Breach
In September 2022, an 18-year-old attacker associated with the Lapsus$ group infiltrated Uber's internal systems. The attack originated from VPN credentials of an Uber external contractor purchased on the dark web. The attacker attempted to log into Uber's VPN using these credentials, but since MFA was enabled, push notifications were sent to the contractor employee's smartphone. The attacker repeatedly attempted login for over an hour, continuously sending a flood of push notifications.
Eventually, the attacker contacted the victim via WhatsApp, impersonating Uber IT support and stating that "the login issue won't be resolved unless you approve the notification." The exhausted victim approved the notification, and the attacker gained VPN access. After connecting to the VPN, the attacker scanned the internal network and discovered a PowerShell script on a network share folder. This script contained hardcoded administrator credentials for Thycotic (a privileged access management tool). Using these credentials, the attacker accessed Uber's Slack, Google Workspace, AWS console, HackerOne bug bounty reports, and source code repositories. The full extent of the damage was severe, with Uber facing SEC reporting obligations and serious brand reputation damage.
The 2022 Cisco Breach and Common Attack Patterns
In May 2022, Cisco also fell victim to an MFA fatigue attack. In this case, the attacker first compromised an employee's personal Google account. Through Chrome browser's password sync feature, Cisco VPN credentials stored in the personal account fell into the attacker's hands. The attacker then repeatedly sent MFA push notifications similar to the Uber case, combined with voice phishing (vishing) impersonating Cisco IT support, to get the victim to approve a notification. Cisco detected the intrusion and successfully contained it, but some internal data was exfiltrated.
What the Uber and Cisco cases share in common is that MFA fatigue attacks are not used in isolation but combined with social engineering. By simultaneously exploiting both technical attack vectors and human psychological weaknesses, the success rate increases dramatically. For this combined attack methodology, our article on social engineering defenses provides additional context.
Why People Approve Notifications - Analyzing Psychological Factors
The success of MFA fatigue attacks depends more on human psychological weaknesses than technical vulnerabilities. The first factor is "notification fatigue." Smartphone users receive an average of over 80 notifications per day, developing a habit of processing notifications without scrutinizing their content. MFA notifications get buried among this flood of alerts. The second factor is the assumption that "I might have triggered this myself." Many users, upon receiving an MFA notification, think "maybe I was trying to log in somewhere" and approve without deep questioning.
The third factor is "impaired judgment from sleep disruption." When attackers send notifications continuously at 2 or 3 AM, sleep-deprived victims approve out of the impulse to "just make it stop." Research shows that decision-making ability during sleep deprivation drops to levels equivalent to intoxication, and attackers deliberately target this physiological weakness. The fourth factor is "obedience to authority." As in the Uber case, when attackers contact victims impersonating IT support, many employees comply without suspicion because "it's an instruction from the IT department." This is the same psychological mechanism demonstrated in Stanley Milgram's obedience experiments.
Push Notifications vs Number Matching vs FIDO2 - Resistance Comparison
Resistance to fatigue attacks varies significantly depending on the MFA implementation method. Traditional push notification-based MFA is most vulnerable to fatigue attacks because authentication completes with a simple "approve" tap. Attackers can send unlimited push notifications as long as they have the credentials. Number matching requires users to enter a 2-digit number displayed on the login screen into their smartphone authenticator app. Even if an attacker sends push notifications, the victim cannot complete authentication without knowing the number displayed on the login screen. This prevents accidental authentication through simple "approve" taps.
FIDO2/WebAuthn-based authentication (hardware security keys and passkeys) has complete resistance to MFA fatigue attacks. In FIDO2 authentication, push notifications do not exist - authentication is initiated only when the user physically touches a security key or performs biometric authentication on their device. Furthermore, authentication requests are cryptographically bound to the service's origin (domain), making authentication via phishing sites impossible. Microsoft enabled number matching by default in the Authenticator app in February 2023 and reported a significant decrease in push fatigue attack reports.
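The comparison above comes down to what the server accepts as an approval. The following is an added Python example, not code from the article or from any vendor's authenticator, that puts the three decision rules side by side: a plain push approves on a tap alone; number matching requires the 2-digit number shown on the initiator's screen and locks out after a few wrong guesses; a WebAuthn relying party checks the origin the browser recorded in `clientDataJSON` and rejects an assertion produced on any other site. `RP_ORIGIN`, the `PushRequest` model and `make_client_data` (which stands in for the browser) are constructed for the example, and the authenticator signature check that follows the `clientDataJSON` check in a real relying party is left out.

```python
import base64
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed relying-party origin for this example; not taken from any real deployment.
RP_ORIGIN = "https://login.example.com"


@dataclass
class PushRequest:
    """A pending login request waiting for the user's decision on their phone."""
    request_id: str
    displayed_number: Optional[str] = None  # only set for number-matching requests
    failed_attempts: int = 0
    approved: bool = False


def new_plain_push() -> PushRequest:
    return PushRequest(request_id=secrets.token_hex(8))


def approve_plain_push(req: PushRequest) -> bool:
    """Traditional push: one tap approves. Nothing ties the tap to the login
    screen, so a tap made out of fatigue looks exactly like a legitimate one."""
    req.approved = True
    return req.approved


def new_number_match_push() -> PushRequest:
    # The 2-digit number is shown only on the login screen of whoever started the login.
    return PushRequest(request_id=secrets.token_hex(8),
                       displayed_number=f"{secrets.randbelow(100):02d}")


def approve_number_match(req: PushRequest, entered: str, max_failures: int = 3) -> bool:
    """Number matching: approval requires typing the number from the login screen.
    A victim who did not start the login has nothing to type, and the 100
    possible values are guarded by a small failure budget."""
    if req.failed_attempts >= max_failures:
        return False
    if secrets.compare_digest(entered.encode("utf-8"), (req.displayed_number or "").encode("utf-8")):
        req.approved = True
        return True
    req.failed_attempts += 1
    return False


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser produces for an assertion (constructed
    test input; a real browser fills in the origin itself and page script cannot change it)."""
    payload = {"type": "webauthn.get", "challenge": _b64url_encode(challenge), "origin": origin}
    return _b64url_encode(json.dumps(payload).encode("utf-8"))


def verify_client_data(client_data_b64url: str, expected_challenge: bytes,
                       allowed_origin: str = RP_ORIGIN) -> bool:
    """Relying-party checks on clientDataJSON: ceremony type, the challenge this
    server issued, and the origin the browser recorded. The authenticator's
    signature covers the hash of this JSON, so a proxy cannot rewrite the origin
    without invalidating the signature (signature verification is outside this example)."""
    try:
        data = json.loads(_b64url_decode(client_data_b64url))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return False
    if not isinstance(data, dict) or data.get("type") != "webauthn.get":
        return False
    try:
        challenge = _b64url_decode(data.get("challenge", ""))
    except ValueError:
        return False
    if not secrets.compare_digest(challenge, expected_challenge):
        return False
    return data.get("origin") == allowed_origin


if __name__ == "__main__":
    ch = secrets.token_bytes(32)
    print("plain push approved on tap:", approve_plain_push(new_plain_push()))
    print("genuine origin accepted:", verify_client_data(make_client_data(RP_ORIGIN, ch), ch))
    print("look-alike origin rejected:",
          verify_client_data(make_client_data("https://login.example-com.net", ch), ch))
```

The origin in `clientDataJSON` is written by the browser from the page that called `navigator.credentials.get()`, which is why a relayed login from a look-alike domain fails the final check even when every other step was forwarded faithfully.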
For a deeper understanding of phishing-resistant authentication, our two-factor authentication guide and hardware security key guide cover the technical foundations. The TOTP glossary entry also explains why time-based codes are more resistant than push notifications.
Countermeasures for Organizations and Individuals
The highest priority countermeasure for organizations is migrating from push notification-based MFA to number matching or FIDO2-based authentication. Microsoft Authenticator, Duo Security, and Okta Verify all offer number matching functionality that administrators can enforce as policy. Additionally, organizations should configure alerts for abnormal authentication attempt patterns (large volumes of MFA requests to the same account in a short period) and build a framework for security teams to respond immediately. Implementing rate limiting on MFA requests (e.g., maximum 3 requests per 5 minutes) makes it difficult for attackers to send large volumes of notifications in the first place.
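The two organizational controls in this paragraph, alerting on bursts of MFA requests to one account and rate limiting how many pushes can be sent, as an added Python example; this is not code from the article or from any identity provider. The log format and the sample events are constructed for the example (a made-up `key=value` layout with `mfa_push_sent`, `mfa_push_approved` and `mfa_push_denied` events), and the limiter uses the paragraph's policy of 3 pushes per 5 minutes. The detector also raises a higher-severity alert when an approval arrives while the account is still over the flood threshold, which is the moment a responder most needs to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Constructed sample log in a made-up key=value format; not output from any real IdP.
# alice: six pushes in under three minutes at 2 AM, then an approval (the fatigue pattern).
# bob:   one push followed by an approval half a minute later (a normal login).
# carol: two pushes, both denied.
SAMPLE_LOG = """\
2024-03-14T02:10:05Z account=alice event=mfa_push_sent ip=203.0.113.7
2024-03-14T02:10:40Z account=alice event=mfa_push_sent ip=203.0.113.7
2024-03-14T02:11:15Z account=alice event=mfa_push_sent ip=203.0.113.7
2024-03-14T02:11:50Z account=alice event=mfa_push_sent ip=203.0.113.7
2024-03-14T02:12:25Z account=alice event=mfa_push_sent ip=203.0.113.7
2024-03-14T02:13:00Z account=alice event=mfa_push_sent ip=203.0.113.7
2024-03-14T02:14:10Z account=alice event=mfa_push_approved ip=203.0.113.7
2024-03-14T09:00:00Z account=bob event=mfa_push_sent ip=198.51.100.20
2024-03-14T09:00:30Z account=bob event=mfa_push_approved ip=198.51.100.20
2024-03-14T11:20:00Z account=carol event=mfa_push_sent ip=192.0.2.9
2024-03-14T11:20:45Z account=carol event=mfa_push_denied ip=192.0.2.9
2024-03-14T11:21:30Z account=carol event=mfa_push_sent ip=192.0.2.9
2024-03-14T11:22:00Z account=carol event=mfa_push_denied ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) event=(?P<event>\S+)")
Alert = Tuple[str, str, int]  # (account, alert_type, pushes_in_window)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Extract (timestamp, account, event) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["account"], m["event"]


def detect_push_floods(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window detection over an event stream (assumed sorted by time).
    'push_flood' fires once per account when `threshold` pushes land inside `window`;
    'approval_after_flood' fires when an approval arrives while the window is still
    at or over threshold, the event a responder should treat as a likely compromise."""
    recent = defaultdict(deque)  # account -> timestamps of pushes still inside the window
    flood_alerted = set()
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, event = parsed
        q = recent[account]
        while q and ts - q[0] > window:
            q.popleft()
        if event == "mfa_push_sent":
            q.append(ts)
            if len(q) >= threshold and account not in flood_alerted:
                alerts.append((account, "push_flood", len(q)))
                flood_alerted.add(account)
        elif event == "mfa_push_approved" and len(q) >= threshold:
            alerts.append((account, "approval_after_flood", len(q)))
    return alerts


class PushRateLimiter:
    """Server-side gate in front of the push sender: at most `limit` pushes per
    account per `window` (the article's example policy is 3 per 5 minutes).
    Login attempts beyond the limit are refused without notifying the user,
    which takes away the attacker's ability to flood the phone."""

    def __init__(self, limit: int = 3, window: timedelta = timedelta(minutes=5)):
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)

    def allow(self, account: str, now: datetime) -> bool:
        q = self._sent[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def rate_limit_demo() -> List[bool]:
    """Four login attempts 10 s apart, then one five minutes after the first."""
    t0 = datetime(2024, 3, 14, 2, 0, tzinfo=timezone.utc)
    limiter = PushRateLimiter()
    return [limiter.allow("alice", t0 + timedelta(seconds=s)) for s in (0, 10, 20, 30, 300)]


if __name__ == "__main__":
    for alert in detect_push_floods(SAMPLE_LOG.splitlines()):
        print(alert)
    print("push allowed per attempt:", rate_limit_demo())
```

In production the detector would read from the identity provider's sign-in log rather than a string, and the `approval_after_flood` alert is the one to page on: a flood that ends in a denial is an attempted attack, a flood that ends in an approval is an account that needs its sessions revoked and its password reset.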
For individual users, the first step is to check the MFA settings of services you use and enable number matching where available. Major services including Microsoft accounts and Google accounts already support number matching. For even stronger protection, consider migrating to passkeys or hardware security keys. Additionally, if you receive an MFA notification you did not initiate, never approve it and immediately change your password. Even if someone contacts you claiming to be IT support, developing the habit of verifying by contacting official support channels yourself is the strongest defense against social engineering.
For comprehensive guidance on transitioning to phishing-resistant authentication, multi-factor authentication resources (Amazon) cover both technical implementation and organizational change management.
Future Outlook - The Arms Race Between MFA Evolution and Attacks
The rise of MFA fatigue attacks is accelerating the evolution of authentication security. Microsoft, Google, and Apple jointly announced passkey promotion in 2022, and the industry-wide transition to authentication that does not rely on push notifications is underway. However, attackers continue to evolve as well. Real-time phishing proxies (EvilProxy, Evilginx, etc.) sit between the victim and the genuine login page and relay every step of the login in real time, number matching included, then capture the resulting session token, bypassing MFA entirely. Against this attack, FIDO2's origin verification is the only technical countermeasure. Multi-layered defense that removes authentication as a single point of failure - zero trust architecture adoption, continuous authentication, and device health checks - will become increasingly important.
Frequently Asked Questions
- How can I tell if I'm being targeted by an MFA fatigue attack?
- If you receive repeated MFA push notifications when you haven't attempted to log in, you are likely being targeted by an MFA fatigue attack. Multiple notifications in a short period are especially indicative of an attack. In this case, never approve the notification, immediately change your password, and report to your IT department (for organizations) or the service's support team.
- Does enabling number matching completely prevent MFA fatigue attacks?
- Number matching significantly reduces the success rate of MFA fatigue attacks but is not a complete defense. If attackers use real-time phishing proxies, victims may enter the number on a phishing site. Complete defense requires FIDO2-based authentication (hardware security keys or passkeys). FIDO2 cryptographically verifies the service's origin, making authentication via phishing sites mathematically impossible.
- Can MFA fatigue attacks occur with TOTP (time-based one-time passwords)?
- No, MFA fatigue attacks do not apply to TOTP. TOTP does not use push notifications - users manually enter a 6-digit code displayed in their authenticator app. Even if an attacker attempts to log in, no notification is sent to the victim's smartphone. However, TOTP is vulnerable to code theft through real-time phishing. The safest option is FIDO2-based authentication.