The Human Vulnerability MFA Can't Fix
MFA fatigue — also called push bombing or MFA bombing — is a social engineering attack where adversaries flood a user with authentication prompts until they approve one out of frustration, confusion, or exhaustion. The attacker already has the password. They just need the victim to tap "Approve."
High-profile breaches at Uber, Cisco, and Microsoft have all involved MFA fatigue as the initial access vector. The attack works because it exploits human behavior, not technical flaws — and traditional MFA implementations have no built-in protection against it.
Key Insight
MFA fatigue attacks succeed because they target the user, not the system. Identity-first SOCs must detect the behavioral pattern and contain the account before the user makes a mistake.
How MFA Fatigue Attacks Work
The attack follows a predictable sequence that SOC teams can detect at multiple stages:
1. Credential Theft
Attacker obtains valid username and password via phishing, credential stuffing, or dark web purchase
2. Authentication Attempt
Attacker initiates login, triggering MFA prompt to the legitimate user's device
3. Push Flood
Attacker repeats login attempts rapidly, sending dozens or hundreds of push notifications
4. User Fatigue
Victim approves a prompt to stop the notifications — often late at night or during a busy period
5. Account Takeover
Attacker gains access, establishes persistence, and begins lateral movement
The entire attack can complete in minutes. Response must be faster.
Detection Signals for MFA Fatigue
Identity-first SOCs detect MFA fatigue by correlating multiple signals from authentication logs, MFA provider telemetry, and user behavior analytics.
| Signal | Detection Threshold | Confidence |
|---|---|---|
| Rapid push denials | 3+ denied prompts in 5 minutes | High |
| Push flood volume | 5+ prompts in 10 minutes | High |
| Off-hours authentication | Prompts between 10pm-6am user local time | Medium |
| Unusual source IP/location | Authentication from new geography or ASN | Medium |
| Approval after denials | Approval following 2+ denials in same session | Critical |
| User-reported concern | User contacts IT about unexpected prompts | Critical |
Signal Correlation
Single signals may indicate legitimate user behavior. Combining signals increases confidence:
- Critical:Push flood + unusual IP + approval after denials = Confirmed attack, immediate lockdown
- High:Push flood + off-hours = Likely attack, suspend MFA and investigate
- Medium:Rapid denials alone = Possible attack, monitor and alert user
Instant Containment: The First 60 Seconds
MFA fatigue response must be faster than the user's decision-making. The goal is to break the attack chain before approval — or contain damage immediately if approval occurred.
If Attack is In Progress (No Approval Yet)
Suspend MFA prompts
Temporarily disable push notifications for the targeted account to stop the flood
Block source IP/ASN
Add the attacking IP range to conditional access deny list
Alert the user
Send out-of-band notification (SMS, call, Slack) warning the user not to approve
Notify SOC
Create high-priority incident for immediate analyst review
If Approval Occurred (Account Compromised)
Immediate Actions (Automated)
Revoke all sessions
Terminate every active session for the compromised account immediately
Reset credentials
Force password reset and invalidate existing password
Disable MFA device
Remove the potentially compromised authenticator from the account
Block sign-ins
Temporarily disable the account pending investigation
Preserve evidence
Capture authentication logs, session data, and MFA telemetry
Post-Incident Investigation Checklist
After containment, investigate to determine blast radius and identify persistence mechanisms.
Review session activity
What actions occurred after the approved MFA prompt? Look for mailbox access, file downloads, OAuth grants.
Check for persistence
Did the attacker register new MFA devices, create mail rules, or add OAuth apps?
Identify credential source
How did the attacker obtain the password? Phishing, credential stuffing, or dark web leak?
Assess lateral movement
Did the attacker access other accounts, shared mailboxes, or sensitive resources?
Review similar accounts
Are other accounts showing early-stage MFA fatigue signals?
Identity Hardening: Preventing Future Attacks
MFA fatigue attacks succeed because basic push MFA has no defense against approval coercion. Hardening the identity layer eliminates the vulnerability.
| Hardening Step | Impact | Priority |
|---|---|---|
| Enable number matching | User must enter a number from the login screen — eliminates blind approvals | Critical |
| Require phishing-resistant MFA | FIDO2/WebAuthn keys cannot be approved remotely — attack becomes impossible | Critical |
| Set push rate limits | Limit prompts to 3 per 15 minutes — prevents flooding | High |
| Enable location context | Show IP/location in push prompt — user can identify suspicious requests | High |
| Implement anomaly-based MFA step-up | Require additional verification for unusual sign-in patterns | High |
| Deploy passwordless authentication | Remove passwords entirely — no credential to steal | Medium |
| Train users on push security | Educate on never approving unexpected prompts | Medium |
The 90% Solution
Enabling number matching alone stops 90%+ of MFA fatigue attacks. Users cannot approve prompts without seeing the login screen — which the attacker controls, not the victim. This single change should be deployed to all users immediately.
Automation Decision Matrix
Not all MFA fatigue response should be fully automated. Use this matrix to determine what runs without human approval.
| Action | Automate? | Rationale |
|---|---|---|
| Suspend MFA prompts (in-progress attack) | Yes | Stops attack immediately, low user impact, easily reversed |
| Alert user via out-of-band channel | Yes | Informational only, no destructive action |
| Block attacking IP | Yes | Targeted, low blast radius, reversible |
| Revoke sessions (confirmed compromise) | Yes | Critical containment, time-sensitive |
| Force password reset | Yes | Standard containment, user can self-service recovery |
| Disable account | Human approval | High impact, may be false positive |
| Remove MFA device | Human approval | Could lock out legitimate user permanently |
| Report to management/legal | Human approval | Requires context and judgment |
Platform-Specific Detection
MFA fatigue signals appear differently depending on your identity provider.
Microsoft Entra ID / Authenticator
- •Sign-in logs with ResultType 50074 (MFA required)
- •Multiple AuthenticationRequirement events
- •Repeated 'StrongAuthenticationRequirementNotSatisfied'
- •Defender for Identity: Suspicious MFA activity alert
Okta
- •system.push.send_factor_verify_push events in rapid succession
- •user.authentication.auth_via_mfa with FAILURE outcomes
- •Push challenge timeouts
- •Okta ThreatInsight: MFA fatigue detection
Duo Security
- •Authentication log: result=FRAUD or result=DENY
- •Multiple push events per user in short window
- •User-reported fraud via Duo Push 'Report Fraud' button
- •Admin logs showing rapid authentication attempts
Google Workspace
- •Login audit: login_failure with 2-step verification
- •Repeated login_challenge events
- •User-reported suspicious activity
- •Workspace Alert Center: Suspicious login activity
Common MFA Fatigue Response Mistakes
Waiting for user to report the attack
Problem: By the time users report, they've often already approved a prompt
Fix: Detect push floods automatically and intervene before approval
Only alerting, not containing
Problem: Alerts without automated action give attackers time to succeed
Fix: Auto-suspend MFA prompts when push flood is detected
Resetting password but not revoking sessions
Problem: Attacker may already have an active session that persists
Fix: Always revoke all sessions as part of containment
Not checking for persistence after approval
Problem: Attackers register new MFA devices and OAuth apps within minutes
Fix: Audit registered devices, mail rules, and OAuth grants post-incident
Relying on user training alone
Problem: Fatigue attacks specifically exploit moments when users aren't thinking clearly
Fix: Implement technical controls (number matching, rate limits) that don't rely on user judgment
Key Takeaways
- MFA fatigue attacks exploit human behavior — response must be faster than user decision-making
- Detect push floods automatically and suspend MFA prompts before approval occurs
- If approval occurred, immediately revoke sessions, reset credentials, and check for persistence
- Enable number matching immediately — it stops 90%+ of attacks with zero user friction
- Long-term: migrate to phishing-resistant MFA (FIDO2/WebAuthn) to eliminate the vulnerability entirely
Stop MFA Fatigue Attacks Before They Succeed
BitLyft AIR® detects push bombing in real time and automatically suspends MFA prompts before users can approve. See how identity-first automation protects your organization.
See a Live Demo