Multi-factor authentication (MFA) was designed to make accounts more secure by adding an extra verification step beyond just a password. Even if attackers stole credentials, they were supposed to be stopped by the second authentication factor. But attackers have now found a different approach — instead of stealing the second factor, they trick users into approving it themselves.
This attack technique, commonly called “MFA prompt bombing” or “MFA fatigue,” is becoming a major cybersecurity threat for organizations that rely heavily on push-based authentication systems.
The attack usually starts with stolen credentials obtained from phishing attacks, malware infections, or leaked password databases. Once attackers have valid login details, they repeatedly attempt to log into an account. Every attempt sends an MFA approval notification to the victim’s phone or authentication app.
The goal is simple: overwhelm, confuse, or pressure the user into approving one of the requests.
In many cases, attackers combine the prompts with fake IT support phone calls, pretending to help the employee fix a login issue. Because the login attempts appear legitimate and continuous, some users eventually approve the request without realizing they are giving attackers direct access.
One of the most well-known examples involved Cisco in 2022. Attackers reportedly gained access to an employee’s VPN credentials and repeatedly pushed MFA requests until the employee finally approved one after receiving convincing vishing calls posing as support staff. Once inside, attackers expanded access, moved through internal systems, and exfiltrated sensitive data.
The biggest weakness in push-based MFA is the lack of context. Most approval notifications simply ask users whether they want to approve or deny a login request without clearly explaining where the request originated or whether it was initiated by the user.
Security experts now recommend moving toward phishing-resistant authentication methods such as FIDO2 security keys, hardware tokens, or number-matching authentication apps. Organizations are also being encouraged to block compromised passwords proactively and implement risk-based login monitoring that considers device reputation, location, and suspicious login behavior.
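One form the risk-based monitoring above can take is a detection rule over push-MFA logs that flags a burst of denied or unanswered prompts for one user, and escalates when an approval follows that burst. The code below is an added example, not from the original article or any vendor; the log format and the `alice`/`bob` entries are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real vendor schema): alice receives a burst of
# push prompts, mostly denied or unanswered, then approves one; bob is normal.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice push_sent result=denied   ip=203.0.113.7
2024-05-01T09:00:41Z alice push_sent result=timeout  ip=203.0.113.7
2024-05-01T09:01:10Z alice push_sent result=denied   ip=203.0.113.7
2024-05-01T09:01:55Z alice push_sent result=timeout  ip=203.0.113.7
2024-05-01T09:02:30Z alice push_sent result=approved ip=203.0.113.7
2024-05-01T09:03:00Z bob   push_sent result=approved ip=198.51.100.4
"""

BURST_THRESHOLD = 3  # non-approved prompts within WINDOW that count as a burst
WINDOW = timedelta(minutes=10)

def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, _event, result, ip = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "result": result.split("=", 1)[1], "ip": ip.split("=", 1)[1]}

def detect_prompt_bombing(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {user: finding} for users whose push prompts look like bombing.

    A burst is `threshold` or more non-approved prompts within `window`; an
    approval arriving while a burst is still inside the window is the
    highest-risk case (the user likely gave in) -> 'approved_after_burst'.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_user[e["user"]].append(e)
    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = []  # non-approved prompts still inside the sliding window
        for e in events:
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]
            if e["result"] != "approved":
                recent.append(e)
                if len(recent) >= threshold:
                    findings[user] = {"status": "burst", "prompts": len(recent)}
            elif len(recent) >= threshold:
                findings[user] = {"status": "approved_after_burst",
                                  "prompts": len(recent), "approved_ip": e["ip"]}
    return findings
```

An `approved_after_burst` finding is the one to page on: it is the moment a session should be revoked and the user contacted out of band, since the approval itself looks legitimate to the authentication system.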
While MFA remains one of the most important security protections available today, the rise of prompt bombing attacks shows that not all MFA methods provide the same level of protection.
Cybersecurity companies like IntelligenceX continue to emphasize that identity security, password protection, and secure authentication systems are becoming critical priorities as social engineering attacks grow more advanced.