MFA fatigue

Multi-factor authentication or two-factor authentication can be the cure to data breaches. Even if passwords leak, accounts remain unharmed if perpetrators do not know the secret codes unlocking them. However, hackers hope to jump through any security technique thrown at them. And MFA fatigue represents a way for them to try and beat MFA. 

MFA fatigue attack is one of the current methods used to spam the system with many authentication prompts until access is granted. Companies and individuals with multi-factor authentication need to take the necessary steps to combat this approach. 

Today we’ll introduce MFA fatigue attacks and advise you on protecting yourself from them. 

MFA fatigue attacks explained 

MFA fatigue, MFA bombing, or MFA push spam is a hacking attempt to go through the MFA system and enter user accounts of online services like websites, apps, etc. Most attacks focused on MFA usually revolve around social engineering, man-in-the-middle, or hijacking attacks, but this is a brute force attack. 

Attackers use guessed, leaked, or stolen login credentials to perform credential stuffing. It is a way to bombard the account owner and the MFA system when it provides random passwords or identity verification. The system is flooded with thousands of prompts until it lets up. 

How it works 

Even though this attack might seem like a poor attempt, it can be very effective as more and more services use multi-factor authentication. Most MFA techniques have become routine and contain generic information. 

Many users get annoyed and drained by having to verify their identity daily. MFA fatigue attacks exploit this fact hoping account owners will make costly mistakes. However, even if the user recognizes the fraudulent login prompt, they could provide access to make endless notifications stop. So, the threat has been reported and seems to be as realistic as other well-known attacks. 

This kind of pressure is psychological, and most mobile users will likely give up as they can’t take the endless push notifications. It is especially effective because users have their smartphones available 24/7, so hackers have constant access to the victim. 

How attacks manifest

Hackers first acquire basic login credentials to an account. For example, they could be credentials to an email address or an online account. Cybercriminals use various methods to steal credentials and use leaked passwords from previous attacks on all accounts of a single user. 

They often use phishing attacks to trick people into giving them information voluntarily. Sometimes, they employ thousands of random password combinations until they find the winning combination. Once they’ve gone through the first step, they launch an MFA fatigue attack to spam authentication prompts in hopes of someone making a mistake or succumbing to pressure. 

However, success is only guaranteed if they can force account owners to confirm their identity. Still, these attacks are automated and can be scaled quickly, which means attacks target dozens of people simultaneously and play the numbers game. 

Protecting data and accounts against MFA fatigue attacks

Even though MFA attacks can be tricky, you can reinforce your security against them in several ways. Here’s what you and your employees need to do. 

Reduce the number of required logins 

The more multi-factor authentication requests users must go through, the more likely they will permit an attack without even noticing it. To ensure your employees are on their toes, reduce the number of required logins or consider switching to a solution requiring a single sign-in. On the other hand, you can also use a federated identity system or passwordless authentication

Provide cybersecurity training 

One of the most effective ways to stop MFA fatigue attacks is to educate employees on recognizing and responding to them. Most people recognize when things are wrong, especially when there are so many authentication attempts. 

However, people are often tired or unfocused and do something they usually wouldn’t. Educate employees to recognize these attacks and teach them how to mute requests, so they don’t get hundreds of push notifications. 

Include resilient authentication 

MFA fatigue attacks focus on key weaknesses multi-factor security systems have. To combat these attacks effectively, you can add a time limit between two prompts, which means the attacker can’t spam dozens of prompts in minutes.

On the other hand, it’s also a good idea to limit the number of login attempts. For example, if you limit it to three attempts, all prompts after the third attempt will be blocked. 

It’s also possible to replace the universal confirmation signals with notifications specific to that login attempt. Some providers already use matching numbers where users get a number on their screens and must enter it in the authenticator. 

Use other appropriate security tools 

Data breaches or smaller data leaks can happen due to various dangers. For instance, you might stumble upon a fake website imitating a legitimate service. Unknowingly, you browse its content and might even provide your login credentials to its phony login page. Therefore, it is best to double-check whether the website you visit is legitimate. 

Unsafe HTTP websites could make it easy for hackers to capture specific user details. Thus, one option is to download VPN apps that encrypt your traffic. Then, your data will remain more secure even if you visit an HTTP website. A Virtual Private Network does so by scrambling data with practically unbreakable protocols. Furthermore, traffic will get rerouted through remote servers to avoid exposing your approximate location. 


Hope this post has helped you understand MFA fatigue attacks and how they work. Implement the proper security protocols as soon as possible and avoid potential disasters. Cybersecurity is more critical than ever, especially for companies. 

By Jim O Brien/CEO

CEO and expert in transport and Mobile tech. A fan 20 years, mobile consultant, Nokia Mobile expert, Former Nokia/Microsoft VIP,Multiple forum tech supporter with worldwide top ranking,Working in the background on mobile technology, Weekly radio show, Featured on the RTE consumer show, Cavan TV and on TRT WORLD. Award winning Technology reviewer and blogger. Security and logisitcs Professional.