In 2025, multifactor authentication (MFA) is standard practice—but attackers have adapted. Instead of bypassing it, they’re burning it out.
Enter: MFA fatigue attacks.
Also known as push bombing, this tactic uses social engineering to exploit human behavior, not technical flaws. And it’s working.
What Is an MFA Fatigue Attack?
Imagine receiving 10, 20, even 50 login approval requests in a single hour. Annoying, right? That’s the point.
In an MFA fatigue attack the attacker already holds a valid username and password (from a phishing kit, an infostealer or a breach dump) and triggers login attempt after login attempt, each of which sends a push approval request to the victim's phone. Eventually, out of frustration or confusion, the victim may approve one just to make the prompts stop, unknowingly letting the attacker in.
This tactic gained notoriety after major breaches in 2022–2024, including high-profile compromises in cloud services, fintech, and government systems.
Why MFA Isn’t Foolproof Anymore
MFA is still critical, but it’s not invulnerable. Fatigue attacks highlight a hard truth in cybersecurity:
If your defense relies solely on people doing the right thing under pressure, it’s not a solid defense.
Attackers today don’t just brute force passwords—they brute force attention spans.
Real-World Example: Uber, 2022
In one of the most publicized MFA fatigue cases, an attacker who already held an Uber contractor's password (Uber later said it was likely bought on the dark web after malware on the contractor's personal device) spammed the contractor's phone with push login requests for over an hour and, according to contemporaneous reporting, messaged them on WhatsApp posing as Uber IT and told them to accept. Eventually the contractor approved one request, and the attacker used that foothold to reach Uber's internal systems.
The attacker didn’t need to crack encryption, exploit a zero-day, or write any malware. They just persisted.
How to Defend Against MFA Fatigue
Here’s what individuals and organizations should do to reduce the risk:
1. Switch to Number Matching or Biometric MFA
Push-based MFA is convenient, but a bare "Approve" button is exactly what the attacker needs. Number matching fixes that: the login screen shows a short number and the phone prompt requires the user to type it, so the person holding the phone cannot approve a login they cannot see. Microsoft made number matching mandatory for Microsoft Authenticator push in 2023, and Duo (Verified Duo Push) and Okta (number challenge in Okta Verify) offer equivalents. FIDO2 security keys (like YubiKeys) and passkeys are stronger still: there is no remote prompt at all, because the authenticator has to be present at the device that is logging in. A fingerprint or face unlock on a push app does not help by itself; the tired user can still tap approve.
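The following toy simulation, added for this article and not Microsoft's or any vendor's code, shows why number matching defeats a blind approve while plain push does not. PushServer, Challenge and the helper functions are hypothetical names; the server stands in for an identity provider that has already checked the password and now needs the phone to approve. It also shows the residual case the text's training advice is for: number matching cannot tell a real user from one who is reading the number out of an attacker's mouth.

```python
"""Why number matching stops a blind "Approve" tap (toy simulation).

Added example for this article, not Microsoft's or any vendor's code.
PushServer, Challenge and the helpers are hypothetical names.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    user: str
    number: int        # rendered only on the login screen that caused the push
    created: float
    approved: bool = False


class PushServer:
    """Identity provider side: the password is already verified at this point."""

    def __init__(self, number_matching: bool, ttl_seconds: int = 60):
        self.number_matching = number_matching
        self.ttl = ttl_seconds
        self.pending: dict[str, Challenge] = {}

    def start_login(self, user: str, now: float | None = None) -> tuple[str, int]:
        """Create a challenge and push it to the phone. Returns (challenge_id, number).
        The number is shown on the browser that submitted the password, which in a
        fatigue attack is the attacker's browser, not the victim's."""
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)           # two-digit code, as in Authenticator
        created = now if now is not None else time.time()
        self.pending[cid] = Challenge(user, number, created)
        return cid, number

    def approve(self, cid: str, entered: int | None = None,
                now: float | None = None) -> bool:
        """Phone-side approval. With number matching on, the phone must send the
        number the user typed; a bare tap (entered=None) is refused."""
        ch = self.pending.get(cid)
        if ch is None or ch.approved:             # unknown id or replayed approval
            return False
        current = now if now is not None else time.time()
        if current - ch.created > self.ttl:
            del self.pending[cid]                 # stale prompt can never be approved
            return False
        if self.number_matching and entered != ch.number:
            return False
        ch.approved = True
        return True


def fatigue_attack(number_matching: bool, prompts: int = 20) -> bool:
    """Attacker holds the password and fires `prompts` logins; the worn-down
    victim taps Approve without typing anything. True if the attacker got in."""
    srv = PushServer(number_matching)
    got_in = False
    for _ in range(prompts):
        cid, number_on_attacker_screen = srv.start_login("alice")
        # The victim never sees number_on_attacker_screen; a blind tap sends None.
        got_in = srv.approve(cid, entered=None) or got_in
    return got_in


def legitimate_login(number_matching: bool) -> bool:
    """The real user reads the number from their own screen and types it."""
    srv = PushServer(number_matching)
    cid, number = srv.start_login("alice")
    return srv.approve(cid, entered=number)


def vishing_attack() -> bool:
    """Residual risk: the attacker phones the victim posing as IT and reads out
    the number from the attacker's own screen. The server cannot distinguish
    this from a real login; only training and device/session signals can."""
    srv = PushServer(number_matching=True)
    cid, number_on_attacker_screen = srv.start_login("alice")
    return srv.approve(cid, entered=number_on_attacker_screen)


if __name__ == "__main__":
    print("plain push, blind approve   ->", fatigue_attack(False))   # True
    print("number matching, blind tap  ->", fatigue_attack(True))    # False
    print("number matching, real user  ->", legitimate_login(True))  # True
    print("number matching, IT pretext ->", vishing_attack())        # True
```

The design point is that approval is bound to a specific challenge and to information that only the initiating screen has, so the phone alone can no longer complete a login; the ttl and the `approved` flag also stop an old or already-used prompt from being replayed.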
2. Set Notification Rate Limits
Organizations can configure MFA platforms to cap how many push requests an account can receive in a short window. If an account gets 15 requests in 5 minutes, the right response is to stop sending pushes, lock the account or require a step-up, and alert the security team, not to keep prompting until one is approved. Every prompt the user did not trigger means the password is already in someone else's hands, so a forced password reset belongs in the response as well.
3. Train for This Exact Scenario
Users should be trained to recognize this tactic. A simple policy can help:
“If you didn’t try to log in—never approve a request.”
IT teams should also make the report path obvious: a prompt you did not trigger means your password is already compromised, so employees should report it and change the password rather than just denying the prompt and moving on.
4. Monitor for Failed Logins and Repeated MFA Prompts
Security teams should watch for the login pattern typical of a fatigue attack: a burst of push challenges for one valid username that are denied or time out, often from a single unfamiliar IP, followed by an approval. The burst alone deserves an alert, because it means the password is already compromised; the approval at the end of the burst is the sign that the attacker got in.
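Points 2 and 4 share the same mechanic, a per-user count of push prompts inside a sliding window, so one example serves both. The code below is added for this article and is not any identity provider's product code: PushRateLimiter is the gate an MFA service would apply before sending each push (point 2), and detect_fatigue is the detector run over existing logs (point 4). The JSON log lines, the field names (ts, user, event, result, src_ip) and the thresholds are constructed for the example and are assumptions about how a real provider logs MFA pushes.

```python
"""Push-rate limiting and fatigue detection over authentication logs.

Added example for this article, not any vendor's product code. Log lines,
field names and thresholds below are constructed assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 300          # 5-minute sliding window
MAX_PUSHES_PER_WINDOW = 15    # the threshold used in the text
BURST_FOR_DETECTION = 5       # below this is ordinary fumbling, not bombing


class PushRateLimiter:
    """Sliding-window counter per user, consulted before a push is sent."""

    def __init__(self, limit: int = MAX_PUSHES_PER_WINDOW, window: int = WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.sent: dict[str, deque[float]] = defaultdict(deque)
        self.alerted: set[str] = set()

    def decide(self, user: str, now: float) -> str:
        q = self.sent[user]
        while q and now - q[0] > self.window:     # drop pushes older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.alerted.add(user)                # caller should lock/step up and page SOC
            return "suppress"
        q.append(now)
        return "send"


def simulate_attack(pushes: int = 30, interval: float = 10.0) -> dict[str, int]:
    """Attacker fires `pushes` logins `interval` seconds apart at one account."""
    lim = PushRateLimiter()
    outcomes = {"send": 0, "suppress": 0}
    for i in range(pushes):
        outcomes[lim.decide("alice", 1_700_000_000 + i * interval)] += 1
    return outcomes


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str          # "push_burst" or "approved_after_burst"
    count: int
    ts: float
    src_ip: str


def detect_fatigue(log_lines, burst: int = BURST_FOR_DETECTION,
                   window: int = WINDOW_SECONDS) -> list[Finding]:
    """Scan JSON-lines auth events in time order.
    push_burst: >= `burst` pushes for one user inside `window` (password is compromised).
    approved_after_burst: an approval that follows such a burst (attacker likely in)."""
    recent: dict[str, deque] = defaultdict(deque)
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()

    def emit(user, kind, count, ts, ip):
        if (user, kind) not in seen:              # one finding per user and kind
            seen.add((user, kind))
            findings.append(Finding(user, kind, count, ts, ip))

    for line in log_lines:
        ev = json.loads(line)
        if ev.get("event") != "mfa_push":
            continue
        user, ts, ip = ev["user"], float(ev["ts"]), ev.get("src_ip", "?")
        q = recent[user]
        while q and ts - q[0]["ts"] > window:
            q.popleft()
        prior_unapproved = sum(1 for e in q if e["result"] != "approved")
        if ev["result"] == "approved" and prior_unapproved >= burst:
            emit(user, "approved_after_burst", prior_unapproved + 1, ts, ip)
        q.append(ev)
        if len(q) >= burst:
            emit(user, "push_burst", len(q), ts, ip)
    return findings


def _ev(ts, user, event, result=None, src_ip="203.0.113.7"):
    return {"ts": ts, "user": user, "event": event, "result": result, "src_ip": src_ip}


# Constructed sample log: alice is push-bombed and gives in on the 8th prompt,
# bob is a normal user who missed his first prompt, carol is bombed but holds out.
_T = 1_700_000_000
_EVENTS = (
    [_ev(_T - 5, "alice", "password_ok")]
    + [_ev(_T + 40 * i, "alice", "mfa_push", "denied" if i % 2 else "timeout") for i in range(7)]
    + [_ev(_T + 280, "alice", "mfa_push", "approved")]
    + [_ev(_T + 100, "bob", "mfa_push", "timeout", "198.51.100.4"),
       _ev(_T + 130, "bob", "mfa_push", "approved", "198.51.100.4")]
    + [_ev(_T + 500 + 30 * i, "carol", "mfa_push", "denied") for i in range(6)]
)
SAMPLE_LOG = [json.dumps(e) for e in sorted(_EVENTS, key=lambda e: e["ts"])]


if __name__ == "__main__":
    print("rate limiter:", simulate_attack())     # {'send': 15, 'suppress': 15}
    for f in detect_fatigue(SAMPLE_LOG):
        print(f"{f.user:6} {f.kind:22} pushes={f.count} last_ts={f.ts:.0f} ip={f.src_ip}")
```

Run stand-alone it reports alice twice (push_burst at the fifth prompt, approved_after_burst at the eighth), carol once and bob not at all. The two findings deserve different handling: a push_burst means the password is known to someone else and should trigger a reset, while approved_after_burst means a session probably belongs to the attacker and should trigger session revocation.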
Final Thought: The Attack Surface Is Human
MFA fatigue reminds us that the weakest point in most systems isn’t the software—it’s the person under pressure. Cybersecurity isn’t just about better tools; it’s about smarter defaults, resilient habits, and fewer chances to make a critical mistake.
Want to stay a step ahead of emerging social engineering tactics?
Follow Stotles.co for weekly deep dives, plain-English explainers, and zero-BS cybersecurity insights.