PhizChat

Posted on • Originally published at phizchat.com

MFA Fatigue Attacks: How Push Notification Bombing Works and How to Protect Yourself

Multi-factor authentication (MFA) has been one of the most recommended security measures for the past decade. Security experts, governments, and technology companies have urged users to enable MFA on every account. The logic is simple -- even if an attacker steals your password, they cannot log in without the second factor. But attackers have found a way around this protection that does not require breaking any encryption or stealing any token. They just need you to tap "Approve."

MFA fatigue attacks -- also known as push notification bombing or MFA bombing -- have become one of the fastest-growing attack techniques in 2025 and 2026. According to a May 2026 report by The Hacker News, this method was used in the Cisco breach of 2022 and has since been adopted by ransomware groups, state-sponsored actors, and financially motivated hackers worldwide. Microsoft reported a 78% increase in MFA fatigue attempts against enterprise accounts in the first quarter of 2026 alone.

How MFA Fatigue Attacks Work

The attack begins with stolen credentials. Attackers obtain usernames and passwords from data breaches, dark web marketplaces, or credential stuffing attacks. Once they have valid login details, they repeatedly attempt to sign in to the target account.

Each login attempt triggers a push notification on the victim's phone. The attacker does not send just one request. They send dozens -- sometimes hundreds -- in rapid succession. Notifications arrive at all hours, including the middle of the night, during meetings, and while driving. The goal is to exhaust the victim into tapping "Approve" just to make the alerts stop.

In more sophisticated versions, attackers combine push bombing with vishing (voice phishing). They call the victim pretending to be from the IT department and say something like: "We noticed unusual activity on your account. You should be receiving an authentication prompt -- please approve it so we can verify your identity." This social engineering layer dramatically increases the success rate.

Real-World Impact and Statistics

The consequences of a successful MFA fatigue attack are severe. Once the victim approves the push notification, the attacker gains full access to the account. Security systems typically do not flag this login as suspicious because, from a technical perspective, the authentication was completed correctly.

Research from BeyondTrust shows that 29% of organizations experienced at least one MFA fatigue attack in 2025. The Verizon 2026 Data Breach Investigations Report found that human error -- including approving fraudulent MFA prompts -- contributed to 68% of all data breaches. Enterprise environments using Microsoft 365, VPNs, and cloud identity providers like Okta and Duo are the most common targets.

The technique is particularly dangerous because it requires minimal technical skill. Any attacker who can purchase leaked credentials can launch the attack using freely available tools. This low barrier to entry has made MFA fatigue a favorite among both amateur and professional cybercriminals.

Why Push-Based MFA Is the Weak Link

Not all MFA methods are equally vulnerable. Push-based MFA -- where users simply tap "Approve" or "Deny" on a notification -- provides the least friction for users but also the least resistance against fatigue attacks. The user sees a prompt with minimal context and must make a split-second decision.

Phishing-resistant MFA methods such as FIDO2 hardware keys, passkeys, and number-matching prompts are significantly more secure. Number matching requires the user to enter a specific code displayed on the login screen, making blind approval impossible. FIDO2 keys use cryptographic authentication tied to the specific website, which means they cannot be phished at all.
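As an added illustration (not code from the post or from PhizChat), here is a minimal number-matching verifier in Python; the class and method names, the two-digit code and the 60-second expiry are assumptions. It shows why a blind tap on "Approve" cannot succeed and why a guessed number cannot be retried against the same prompt.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Challenge:
    number: int       # two-digit value shown only on the login screen
    created: float    # issue time in seconds
    ttl: float = 60.0 # assumed lifetime of a prompt


class NumberMatchingVerifier:
    """Hypothetical number-matching backend, constructed for this example."""

    def __init__(self) -> None:
        self._pending: Dict[str, Challenge] = {}

    def issue(self, user: str, now: Optional[float] = None) -> int:
        """Start a login: pick a fresh number, send the push WITHOUT it,
        and return the number so the login screen can display it."""
        now = time.time() if now is None else now
        number = secrets.randbelow(100)
        self._pending[user] = Challenge(number, now)
        return number

    def approve(self, user: str, entered: Optional[int],
                now: Optional[float] = None) -> bool:
        """Called when the user taps Approve and types the number they see.

        The challenge is consumed on every attempt, so a wrong or missing
        number cannot be retried against the same push: the attacker has to
        start a new login, which sends the user yet another visible prompt.
        """
        now = time.time() if now is None else now
        challenge = self._pending.pop(user, None)
        if challenge is None or entered is None:
            return False                   # blind "Approve" never succeeds
        if now - challenge.created > challenge.ttl:
            return False                   # stale prompt: expired
        # constant-time compare of the zero-padded two-digit strings
        return hmac.compare_digest(f"{challenge.number:02d}", f"{int(entered):02d}")
```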

However, adoption of these stronger methods remains low. A 2026 survey by the FIDO Alliance found that only 23% of enterprises have fully deployed phishing-resistant MFA across their organizations.

How to Protect Yourself

Individuals and organizations can take several steps to defend against MFA fatigue attacks:

  • Switch to number-matching MFA. If your provider supports it, enable number matching so you must enter a code rather than just tapping "Approve."
  • Use FIDO2 or passkey authentication. Hardware security keys and device-bound passkeys eliminate push notification attacks entirely.
  • Never approve unexpected prompts. If you receive an MFA notification you did not initiate, deny it immediately and change your password.
  • Report repeated prompts. Multiple MFA requests in a short period mean someone has your password. Treat this as a security incident.
  • Use unique, strong passwords. Since MFA fatigue attacks start with stolen credentials, a unique password for each account reduces your exposure.
  • Secure your messaging channels. Attackers often use messaging platforms to coordinate vishing calls and social engineering. Using a secure messaging app with end-to-end encryption like PhizChat ensures your communications cannot be intercepted or used against you during these attacks.
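To make the "report repeated prompts" step concrete on the defender's side, here is an added Python detection example (not from the post or from PhizChat) that runs over constructed IdP push-MFA log lines; the log format, the 10-minute window and the threshold of three are assumptions. It flags a burst of denied or timed-out pushes for one user and, separately, an approval that follows such a burst, which is the outcome that calls for session revocation and a password reset rather than just an alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical IdP push-MFA log format (not real data).
SAMPLE_LOG = """\
2026-05-04T02:13:05Z user=alice method=push result=timeout ip=203.0.113.7
2026-05-04T02:13:41Z user=alice method=push result=denied ip=203.0.113.7
2026-05-04T02:14:10Z user=alice method=push result=timeout ip=203.0.113.7
2026-05-04T02:14:52Z user=alice method=push result=denied ip=203.0.113.7
2026-05-04T02:16:02Z user=alice method=push result=approved ip=203.0.113.7
2026-05-04T08:01:00Z user=bob method=push result=approved ip=198.51.100.2
2026-05-04T09:30:12Z user=bob method=push result=denied ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
                     r"result=(?P<result>\S+) ip=(?P<ip>\S+)$")
WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # assumed: rejected/unanswered pushes in WINDOW


def parse(log: str):
    """Yield one dict per well-formed line, with ts as an aware datetime."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ev


def detect(log: str) -> dict:
    """Per-user findings: peak count of rejected pushes inside WINDOW, the
    source IPs, and whether an approval followed the burst."""
    recent = defaultdict(deque)      # user -> timestamps of denied/timeout pushes
    findings = {}
    for ev in parse(log):
        if ev["method"] != "push":
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()              # drop rejections that fell out of the window
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
            if len(q) >= THRESHOLD:  # bombing pattern: alert and lock the account
                f = findings.setdefault(ev["user"], {"rejected_in_window": 0,
                                                     "approved_after_burst": False,
                                                     "source_ips": set()})
                f["rejected_in_window"] = max(f["rejected_in_window"], len(q))
                f["source_ips"].add(ev["ip"])
        elif ev["result"] == "approved" and len(q) >= THRESHOLD:
            findings[ev["user"]]["approved_after_burst"] = True  # likely fatigued user
    return findings
```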

Why Secure Messaging Matters in MFA Defense

MFA fatigue attacks frequently rely on social engineering through messaging and voice channels. Attackers impersonate IT staff, managers, or colleagues through compromised messaging platforms to convince victims to approve fraudulent prompts. When your messaging is not encrypted, attackers can intercept conversations, learn organizational structures, and craft more convincing pretexts.

PhizChat provides end-to-end encryption for all messages, voice calls, and file transfers. This means even if attackers compromise your network, they cannot read your conversations or impersonate your contacts within the platform. PhizChat's verification system also helps confirm the identity of people you communicate with, making social engineering attempts through the platform significantly harder to execute. In a world where MFA alone is no longer enough, securing your communication channels is an essential layer of defense.

Frequently Asked Questions

What is an MFA fatigue attack?

An MFA fatigue attack is a technique where attackers repeatedly send push authentication notifications to a victim's device, hoping they will approve one out of frustration or confusion, granting the attacker access to the account.

Can MFA fatigue attacks bypass end-to-end encryption?

No. MFA fatigue attacks target the authentication process, not encrypted communications. Using a secure messaging app with end-to-end encryption like PhizChat protects your messages regardless of whether your account credentials are compromised elsewhere.

How do I know if I am being targeted by an MFA fatigue attack?

If you receive multiple unexpected MFA push notifications in a short period, especially at unusual hours, you are likely being targeted. Deny all prompts immediately, change your password, and report the incident to your IT team.

What is the most secure type of MFA?

FIDO2 hardware security keys and device-bound passkeys are considered the most secure MFA methods because they are resistant to phishing, push bombing, and social engineering attacks.
