
MFA Fatigue Attacks: Why Your Security Team is Still Vulnerable

Multi-factor authentication (MFA) has long been considered a cornerstone of modern security. Yet despite widespread adoption, attackers continue to breach organizations that have MFA deployed. One of the most reliable ways they do it is the MFA fatigue attack, which targets the weakest form of MFA in common use: the push notification that asks the user only to tap "Approve" or "Deny".

What is an MFA Fatigue Attack?

MFA fatigue attacks, also known as "push bombing" or "MFA spam attacks," exploit human psychology rather than a flaw in the MFA protocol itself. They only work against factors that ask the user to approve a prompt without typing anything (push notifications and, in some deployments, phone-call approvals); time-based codes and hardware keys give the attacker nothing to spam. Here's how they work:

  1. Initial Compromise: Attacker obtains the user's valid password (phishing, credential stuffing, infostealer logs, etc.). The password alone is not enough, because the account is protected by MFA.
  2. Bombardment: Attacker scripts repeated logins with that password, triggering dozens or hundreds of MFA push notifications to the user's phone, often late at night
  3. Fatigue: User becomes annoyed or worried by the constant notifications. Attackers often add pressure here by contacting the user over chat or phone while posing as the IT help desk and telling them the prompts are expected
  4. Approval: User either accidentally or intentionally approves a request to make the notifications stop
  5. Access Granted: That single approval completes the login. The attacker now holds a fully authenticated session, which may survive a later password reset unless the session is explicitly revoked

Real-World Impact

According to Cisco Talos' 2024 Q1 Incident Response report, 25% of all incident response engagements involved MFA fatigue attacks. This isn't a theoretical threat—it's happening right now to organizations of all sizes.

Notable Attacks

  • Uber (2022): The attacker, whom Uber linked to the Lapsus$ group, already had an external contractor's password (Uber believes it was bought from an infostealer dump) and sent repeated MFA prompts until the contractor accepted one; reporting at the time said the attacker also messaged the contractor posing as Uber IT. One approval led to a broad internal compromise
  • Microsoft's DEV-0537 report (2022): Microsoft's threat intelligence write-up on DEV-0537 (Lapsus$) lists MFA prompt spamming among the group's standard techniques against its victims
  • Okta customer incidents: Multiple reported breaches of Okta customers involved MFA fatigue techniques against Okta-protected accounts

Why Traditional MFA Isn't Enough

Traditional MFA systems suffer from several weaknesses:

1. No Context Awareness

A plain approve/deny push prompt tells the user nothing about:

  • Where the login attempt originated (IP address, city, device)
  • Whether that origin makes sense given the user's normal patterns
  • The risk level of the request, or which application is being signed into

2. Notification Fatigue

Users receive push notifications for many services throughout the day, and approving them becomes a reflex. An attacker's prompt looks identical to a legitimate one, so one more notification, even a suspicious one, blends in.

3. No Rate Limiting

Many MFA systems don't limit the number of push notifications that can be sent to a user in a short time period, and the login endpoint that triggers them is trivially scripted. Without a cap, the attacker decides how many prompts the user receives and how long the pressure lasts.

4. Limited User Education

Users aren't always trained to:

  • Never approve MFA requests they didn't initiate
  • Report suspicious MFA requests immediately
  • Understand the implications of approving a request

How to Defend Against MFA Fatigue

Immediate Actions

  1. Enable Number Matching
    • Require users to enter a number shown on the login screen into their authentication app, so a prompt cannot be completed from the phone alone
    • Makes accidental approval much harder: the attacker sees the number on their own login page, but the victim does not
    • Most major identity providers support this (Microsoft Authenticator has enforced number matching for push prompts since February 2023; Duo offers it as Verified Duo Push); check that it is actually enforced in every policy, not merely available
  2. Implement Rate Limiting
    • Limit MFA push notifications per user per time period, and fall back to a different factor once the cap is hit
    • Throttle or block the offending source after multiple failed or denied prompts, but be careful with hard account lockouts: an attacker who holds only a password could otherwise lock out any user at will
  3. Add Geolocation Context
    • Show users where the login attempt originated (IP, city, device) inside the prompt itself
    • Alert on impossible travel scenarios
  4. User Training
    • Regular security awareness training built around one rule: deny any prompt you did not just trigger, then report it
    • Simulate MFA fatigue attacks
    • Clear reporting procedures, so that a deny or report from the app reaches the security team
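
To make the first two actions concrete, here is an added example (written for this post, not code from any identity provider or from Auth Sentry) of the server side of a number-matching push factor with a per-user push cap. The class name, policy values (three pushes per ten minutes, 60-second challenge lifetime) and the prompt text are assumptions for illustration. The point to notice is that the two-digit number is generated server-side, shown only on the login page, and is never sent to the phone, so an attacker watching their own login screen cannot get the victim to enter it.

```python
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy values for this example (illustrative, not any vendor's defaults).
PUSH_LIMIT = 3           # pushes a user may receive per window
PUSH_WINDOW_SEC = 600    # window length: 10 minutes
CHALLENGE_TTL_SEC = 60   # a push that is not answered within 60 s expires


@dataclass
class PushChallenge:
    challenge_id: str   # random, single-use handle for this push
    user: str
    number: int         # two-digit number displayed on the LOGIN PAGE only
    issued_at: float
    source_ip: str      # shown to the user inside the push as context


class PushAuthenticator:
    """Server side of a number-matching push factor with a per-user rate limit."""

    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable so tests can move time
        self._recent = defaultdict(deque)     # user -> timestamps of pushes sent
        self._pending = {}                    # challenge_id -> PushChallenge

    def request_push(self, user, source_ip):
        """Called after the password check succeeds. Returns the challenge, or
        None when the user has already hit the push cap for this window; the
        caller should then fall back to a non-push factor and raise an alert."""
        now = self._clock()
        sent = self._recent[user]
        while sent and now - sent[0] > PUSH_WINDOW_SEC:   # slide the window
            sent.popleft()
        if len(sent) >= PUSH_LIMIT:
            return None
        sent.append(now)
        challenge = PushChallenge(
            challenge_id=secrets.token_urlsafe(16),
            user=user,
            number=secrets.randbelow(100),   # 00-99, fresh for every push
            issued_at=now,
            source_ip=source_ip,
        )
        self._pending[challenge.challenge_id] = challenge
        return challenge

    def prompt_text(self, challenge):
        """What the authenticator app shows: context plus a number-entry field.
        The number itself is deliberately absent; it lives on the login page."""
        return (f"Sign-in attempt for {challenge.user} from {challenge.source_ip}. "
                f"Enter the number shown on your sign-in screen, or tap Deny.")

    def approve(self, challenge_id, entered_number):
        """Called by the app when the user types a number. Succeeds only for a
        live, unexpired challenge with the correct number. The challenge is
        consumed either way, so a wrong guess cannot be retried."""
        challenge = self._pending.pop(challenge_id, None)
        if challenge is None:
            return False
        if self._clock() - challenge.issued_at > CHALLENGE_TTL_SEC:
            return False
        return secrets.compare_digest(f"{challenge.number:02d}",
                                      f"{int(entered_number):02d}")

    def deny(self, challenge_id):
        """User tapped Deny: discard the challenge. Returns True if it was live."""
        return self._pending.pop(challenge_id, None) is not None
```

With this in place an attacker who holds only the password can trigger at most PUSH_LIMIT prompts per window, and none of them can be completed from the victim's phone alone. A production implementation would additionally log every rate-limit refusal and every deny, since those events are the raw material for the detection described under Continuous Monitoring.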

Advanced Protections

  1. Context-Aware Authentication
    • Analyze device, location, time, and behavior patterns for every login attempt
    • Require step-up authentication with a phishing-resistant factor for risky requests
    • Block obviously suspicious requests automatically, before a push is even sent
  2. Hardware Security Keys
    • FIDO2/WebAuthn keys are immune to MFA fatigue: nothing is pushed to the user, the key only signs a challenge when physically touched, and the signature is bound to the site's origin
    • Can't be phished or bypassed through fatigue; platform authenticators (passkeys) give the same protection without a separate device
  3. Continuous Monitoring
    • Alert security teams on multiple MFA denials or timeouts for one user in a short window, and treat an approval that follows such a burst as a high-severity event
    • Monitor for impossible travel
    • Track authentication patterns so that a first-seen device or IP completing a push stands out
  4. Automated Response
    • Automatically block accounts showing MFA fatigue patterns and revoke their existing sessions and refresh tokens, since a password reset alone does not end an active session
    • Require security team approval to unblock
    • Contain threats before they spread
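
The monitoring rules above are simple enough to run over a raw MFA audit stream. The following is an added example written for this post (not Auth Sentry's detection logic and not any vendor's log format): it parses a constructed JSON-lines stream of push events, keeps a sliding ten-minute window per user, raises a medium finding when a user receives five pushes inside the window, and escalates to high when that user approves a push while still inside the burst. The event names, field names, thresholds and the sample log are all assumptions for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 5             # push_sent events in one window that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample audit stream (not from any real identity provider). Alice
# is a normal login; Bob receives five pushes in two minutes, rejects three of
# them, then approves one.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","user":"alice","event":"push_sent","ip":"203.0.113.5"}
{"ts":"2024-05-01T08:00:03Z","user":"alice","event":"push_approved","ip":"203.0.113.5"}
{"ts":"2024-05-01T22:10:00Z","user":"bob","event":"push_sent","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:10:05Z","user":"bob","event":"push_denied","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:10:20Z","user":"bob","event":"push_sent","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:10:40Z","user":"bob","event":"push_timeout","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:11:00Z","user":"bob","event":"push_sent","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:11:05Z","user":"bob","event":"push_denied","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:11:30Z","user":"bob","event":"push_sent","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:12:00Z","user":"bob","event":"push_sent","ip":"198.51.100.7"}
{"ts":"2024-05-01T22:12:10Z","user":"bob","event":"push_approved","ip":"198.51.100.7"}
"""


def parse_log(text):
    """One JSON object per line; timestamps are ISO-8601 with a Z suffix."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    records.sort(key=lambda r: r["ts"])   # do not trust the stream's ordering
    return records


def _expire(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect(text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return findings as dicts. Two rules:
    push_burst           - threshold pushes to one user inside the window (medium)
    approval_after_burst - a push approved while the user is still in a burst (high)
    """
    sent = defaultdict(deque)        # user -> timestamps of push_sent
    rejected = defaultdict(deque)    # user -> timestamps of denied / timed-out pushes
    findings = []
    for rec in parse_log(text):
        user, now, event = rec["user"], rec["ts"], rec["event"]
        _expire(sent[user], now, window)
        _expire(rejected[user], now, window)
        if event == "push_sent":
            sent[user].append(now)
            if len(sent[user]) == threshold:      # fire once per crossing
                findings.append({"rule": "push_burst", "severity": "medium",
                                 "user": user, "ts": now, "ip": rec["ip"],
                                 "pushes": len(sent[user])})
        elif event in ("push_denied", "push_timeout"):
            rejected[user].append(now)
        elif event == "push_approved" and len(sent[user]) >= threshold:
            findings.append({"rule": "approval_after_burst", "severity": "high",
                             "user": user, "ts": now, "ip": rec["ip"],
                             "pushes": len(sent[user]),
                             "rejections": len(rejected[user])})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['user']} at {f['ts'].isoformat()} "
              f"from {f['ip']} ({f['pushes']} pushes)")
```

The high-severity finding is the one to automate on: it is the moment the attacker has a session, so the response playbook (disable the account, revoke sessions and refresh tokens, open a ticket) should trigger from that event rather than waiting for an analyst. The medium finding is worth an alert on its own, because a burst of denials means a user is under attack even if they held firm.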

The Auth Sentry Approach

At Hummingbird Security, we built Auth Sentry specifically to detect and respond to attacks like MFA fatigue. Our platform:

  • Detects MFA fatigue patterns in real-time across all your identity providers
  • Provides context to security teams about what's happening and why it matters
  • Automatically contains threats by blocking suspicious accounts before damage occurs
  • Reduces alert fatigue by providing vetted, actionable intelligence

Conclusion

MFA fatigue attacks demonstrate that no single security control is sufficient. You need:

  1. Strong authentication (MFA with number matching or hardware keys)
  2. Behavioral analysis (detecting abnormal patterns)
  3. Automated response (containing threats immediately)
  4. User education (training your human firewall)

The organizations that successfully defend against MFA fatigue are those that treat identity security as a system-wide challenge, not a checkbox compliance exercise.


Want to learn how Auth Sentry can protect your organization from MFA fatigue attacks? Request a free trial to see our platform in action.

Questions about this post? Contact us at [email protected]

Ready to Transform Your Identity Security?

Reduce alert fatigue. Get complete investigations. Stop attacks before they progress.

See how Auth Sentry delivers real outcomes for your SOC.

Request Free Trial