# MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

Attackers are bypassing multi-factor authentication without cracking or intercepting the second factor and without exploiting a technical vulnerability. Instead, they exploit user behavior through a tactic called MFA prompt bombing (also known as MFA fatigue): having already obtained the victim's password, they flood the victim with repeated push authentication requests until one is accepted out of fatigue, confusion, or simply to make the prompts stop.

The attack works like this. The attacker first obtains the user's password through phishing, credential stuffing, or a data breach; prompt bombing does not work without it. Rather than trying to defeat the second factor technically, the attacker submits that password to the login page over and over, and each attempt sends a push notification to the victim's phone or authenticator app. After dozens or hundreds of prompts, sometimes timed for late at night and in some reported cases accompanied by a message posing as IT support telling the user to accept, the victim approves one by mistake or to make the interruptions stop, or disables notifications entirely. An approval hands the attacker a session. Silenced notifications do not by themselves, but they leave the victim unaware of the next attempt and the attacker free to keep trying.
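The sequence above leaves a distinctive trace in the identity provider's push log: a run of denied or unanswered pushes for one user in a short window, followed by an approval from the same source. The detector below is an added example, not code from the original article or from any vendor. The line format, the sample events, the ten-minute window and the threshold of four are all constructed assumptions; real Okta, Duo or Entra ID events differ in shape but carry the same fields.

```python
"""Spot MFA prompt bombing in push-authentication logs.

Added example (not from the original article or any vendor). The log
format is a constructed, simplified line format; real Okta, Duo or Entra
ID events carry the same information (user, time, push outcome, source).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a 02:11 burst against alice ending in an approval,
# then ordinary daytime activity from bob (one honest denial, two approvals).
SAMPLE_LOG = """\
2024-03-04T02:11:05Z user=alice result=denied ip=203.0.113.9
2024-03-04T02:11:19Z user=alice result=timeout ip=203.0.113.9
2024-03-04T02:11:33Z user=alice result=denied ip=203.0.113.9
2024-03-04T02:11:47Z user=alice result=timeout ip=203.0.113.9
2024-03-04T02:12:02Z user=alice result=denied ip=203.0.113.9
2024-03-04T02:12:20Z user=alice result=approved ip=203.0.113.9
2024-03-04T09:00:01Z user=bob result=approved ip=198.51.100.7
2024-03-04T09:05:30Z user=bob result=denied ip=198.51.100.7
2024-03-04T09:06:10Z user=bob result=approved ip=198.51.100.7
"""


def parse_line(line):
    """'<iso time> k=v k=v ...' -> dict with a datetime under 'time'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_prompt_bombing(log_text, window=timedelta(minutes=10), threshold=4):
    """Return alerts. 'burst': the threshold-th push a user did not approve
    within `window`. 'fatigue_approval': an approval while such a burst is
    still open, which is the signal that matters most. Window and threshold
    are assumptions; tune them against your own baseline."""
    unapproved = defaultdict(deque)   # user -> times of denied/timed-out pushes
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, now = ev["user"], ev["time"]
        q = unapproved[user]
        while q and now - q[0] > window:     # slide the window forward
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(now)
            if len(q) == threshold:          # fire once per burst
                alerts.append({"kind": "burst", "user": user, "time": now,
                               "count": len(q), "ip": ev["ip"]})
        elif ev["result"] == "approved":
            if len(q) >= threshold:          # approval on top of an open burst
                alerts.append({"kind": "fatigue_approval", "user": user, "time": now,
                               "count": len(q), "ip": ev["ip"]})
            q.clear()                        # an approval ends the episode
    return alerts


if __name__ == "__main__":
    for a in detect_prompt_bombing(SAMPLE_LOG):
        print(f"{a['time']:%H:%M:%S} {a['kind']:17s} user={a['user']} "
              f"unapproved_pushes={a['count']} ip={a['ip']}")
```

Run against the sample, this raises a burst alert for alice at 02:11:47 and a fatigue_approval alert at 02:12:20, and nothing for bob, whose single denial never reaches the threshold. A fatigue_approval alert is worth an automatic session revoke and password reset; a burst alert on its own is worth a call to the user before the approval happens.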

This tactic exploits an assumption built into push-based MFA: that the user will evaluate every request and deny the ones they did not initiate. In practice, a user approves many genuine requests a day across work and personal accounts, and tapping approve becomes a reflex. The ability to tell a genuine login from a malicious one degrades quickly when requests arrive in rapid succession, especially when the prompt shows nothing that ties it to a specific login attempt.

Organizations using plain approve/deny push MFA face particular risk. Simple push in Okta Verify, Cisco Duo, and Microsoft Authenticator relies on user judgment to approve or deny each request. All three vendors now offer number matching (Okta's number challenge, Duo's Verified Push, Microsoft's number matching), in which the login screen shows a number the user must enter in the app; this defeats prompt bombing because the victim cannot see the number on the attacker's screen, but it only helps where it is actually enforced. Attackers have used prompt bombing against financial institutions, government agencies, and enterprise networks throughout 2023 and 2024.

Technical controls can mitigate the risk. Number matching or verified push removes the blind approve button. Rate-limiting push prompts per user and alerting on a run of denied or unanswered pushes turns the attack itself into a detection signal. Step-up authentication for sensitive actions adds friction to a session the attacker did manage to obtain. Geolocation and impossible-travel checks flag logins from unusual locations, and risk-based authentication adjusts requirements to login patterns. The strongest fix is phishing-resistant, passwordless authentication such as FIDO2 hardware keys: there is no push to approve, the browser only releases a credential to a page whose origin matches the site it was registered for, and the signed response carries that origin so a relayed challenge fails verification at the real site. "Cannot be fooled by social engineering" is still too strong, though; the human-facing attacks that remain target enrollment and account recovery, so those paths need the same rigor as the login itself.
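To make the FIDO2 point concrete, here is a toy model of the two checks that take the user's judgment out of the loop: the browser's RP ID scoping and the relying party's origin check on clientDataJSON. This is an added example, not code from the original article or from any FIDO library. It is deliberately simplified: an HMAC keyed with a per-credential secret stands in for the authenticator's ECDSA signature, and the RP ID, origin and hostnames are assumptions made up for the demonstration.

```python
"""Why a FIDO2/WebAuthn assertion cannot be "approved" for a phisher.

Added example, not from the original article or any FIDO library.
Simplification (assumption): an HMAC over the same data stands in for
the ECDSA signature a real authenticator produces. The RP ID scoping and
the origin check are modelled as the WebAuthn spec prescribes them.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "example.com"                      # credential scope (assumed)
RP_ORIGIN = "https://login.example.com"    # origin the RP accepts (assumed)


class ToyAuthenticator:
    """Holds one secret per RP ID; the secret plays the private key's role."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        key = os.urandom(32)
        self.creds[rp_id] = key
        return key                    # RP stores this (a public key in real FIDO2)

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            raise KeyError("no credential for " + rp_id)
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash field
        sig = hmac.new(self.creds[rp_id], auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_get(auth, origin, rp_id, challenge):
    """Models navigator.credentials.get(): the browser, not the user, decides
    whether rp_id is valid for the page's origin and records the real origin
    in clientDataJSON. The page cannot alter either decision."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rp_id {rp_id!r} not valid for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(stored_key, challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order WebAuthn prescribes."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(stored_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def attempt(auth, stored_key, page_origin):
    """One login from a page at page_origin that relays the genuine RP challenge."""
    challenge = os.urandom(16).hex()      # issued by the real RP
    try:
        cd, ad, sig = browser_get(auth, page_origin, RP_ID, challenge)
    except PermissionError as e:
        return False, "browser refused: " + str(e)
    return rp_verify(stored_key, challenge, cd, ad, sig)


def run_scenarios():
    auth = ToyAuthenticator()
    stored_key = auth.register(RP_ID)
    return {
        "genuine": attempt(auth, stored_key, RP_ORIGIN),
        # lookalike phishing host (constructed): the browser never releases
        # the credential, so there is nothing for the user to approve
        "phishing": attempt(auth, stored_key, "https://login.example.com.attacker.test"),
        # attacker on a real sibling host (assumed compromised subdomain):
        # rp_id scoping passes, but the RP's origin check still rejects it
        "sibling_host": attempt(auth, stored_key, "https://sso.example.com"),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The contrast with push MFA is the point: in the phishing and sibling-host cases no prompt reaches the user at all, because the decision is made by the browser and the relying party from data the attacker cannot influence, so there is nothing to wear the user down with.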

User training remains essential but insufficient alone. Security teams must combine behavior