MFA fatigue is real – this is how attackers use it to trick your team

You rely on multi-factor authentication (MFA) every time staff log in with a second step. MFA fatigue, also called MFA bombing, overwhelms users with repeated “Approve this login?” prompts. Users grow tired and they hit approve. That single tap can let an attacker in.

Today we’re going to explain how these attacks work and why they’re so effective, and give you a brief checklist that you can circulate to your team to stay alert.

What MFA fatigue and MFA bombing really are

MFA fatigue means flooding someone with approval requests. MFA bombing is the tactic: attackers send repeated login attempts to trigger a barrage of notifications, hoping the user gives in. Criminals start with a stolen password, phished or bought, and then brute-force the second step by attempting to sign in again and again, triggering prompt after prompt.

One well-known example involved an Uber contractor. The attacker bombarded the contractor with MFA prompts, then posed as Uber’s IT team asking for approval to stop the alerts. It worked. Access granted.

Why it’s so effective

People get tired. When prompts arrive late at night or outside working hours, your team just wants peace and quiet. A single tap feels harmless – that’s the trap. It relies on a very human mix of frustration and the urge to speed through routine tasks.

Even experienced users fall for it, which is why it’s so important to be aware and check yourself regularly, even if you believe you’re too tech-savvy to be vulnerable. Habits take over. They hit approve too quickly. Criminals count on this.

The high-profile Uber breach didn’t use any high-level exploits. It simply exploited a tired employee.

If you’re using Microsoft 365, you already have access to some decent protections, but they need to be set up correctly.

In 2023, Microsoft introduced number matching in the Authenticator app. Instead of tapping approve, users must enter a two-digit code shown on their sign-in screen. This further blocks spam-based attacks: a blind tap no longer completes the login, because the user has to read the number from a sign-in they are actually performing.

You can also turn on extra context for prompts, like the sign-in location and app name, giving staff more information to make better decisions.

Make sure your setup includes:

Microsoft has shown that these steps dramatically reduce successful MFA fatigue attacks.

What you can do today

Start by checking your MFA settings. Turn on number matching and add prompt context. Set login alerts and restrict approval attempts.

Then brief your team. Tell them not to approve anything they didn’t start. If they’re unsure, they should pause and speak to someone before approving.
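The login alert mentioned above, as an added example that is not part of the original article: a small Python script that scans constructed sign-in log lines and flags any user who received several MFA prompts within a short window, noting whether an approval followed the burst. The log format, field names, threshold and window are assumptions; map them onto your identity provider’s real sign-in export.

```python
# Added example (not from the original article): flag MFA-fatigue bursts in
# sign-in logs. The log format, field names and thresholds are constructed
# for this demo; adapt them to your identity provider's real export.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, user, MFA outcome, source IP.
SAMPLE_LOG = """\
2024-03-04T02:13:05Z alice@example.com mfa_denied 203.0.113.7
2024-03-04T02:13:41Z alice@example.com mfa_denied 203.0.113.7
2024-03-04T02:14:20Z alice@example.com mfa_timeout 203.0.113.7
2024-03-04T02:15:02Z alice@example.com mfa_denied 203.0.113.7
2024-03-04T02:15:55Z alice@example.com mfa_approved 203.0.113.7
2024-03-04T09:01:10Z bob@example.com mfa_approved 198.51.100.22
2024-03-04T09:30:00Z bob@example.com mfa_denied 198.51.100.22
"""

def parse_log(text):
    """Turn each log line into (timestamp, user, outcome, ip)."""
    events = []
    for line in text.splitlines():
        ts, user, outcome, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, ip))
    return events

def find_mfa_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold MFA prompts
    (any outcome) inside `window`. The alert records whether an approval
    happened during the burst, which is the case worth escalating first."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            burst = evs[i:j]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user,
                    "prompts": len(burst),
                    "start": burst[0][0],
                    "approved_after_burst": any(e[2] == "mfa_approved" for e in burst),
                    "ips": sorted({e[3] for e in burst}),
                })
                break  # one alert per user is enough for the first pass
    return alerts

if __name__ == "__main__":
    for alert in find_mfa_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice receives five prompts in under three minutes from one address and the last one is approved, which is exactly the pattern the article describes; bob’s two prompts half an hour apart do not trigger an alert.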

MFA fatigue checklist your team can follow

Pin this in the staff room or send it in your team emails.
Every time you get an MFA prompt:
If you didn’t start a login, do nothing.
Seeing too many prompts? Stop and report.
Approval needs a two-digit number? Good.
No number? Deny it.
Still not sure? Talk to your IT support provider before approving.

