MFA bombing: what it is and how to prevent it

MFA Bombing: 3 Technical Security Measures To Prevent It

The number of MFA bombing attacks is rising, and targeted organisations don’t know how to deal with them. Many cyber experts suggest organisations can’t do anything besides educating users and hoping for the best.

We disagree. Organisations should take three concrete technical security measures to protect themselves from MFA fatigue attacks. Let’s discuss them.

What is MFA bombing?

MFA bombing, also known as an MFA fatigue attack, push notification attack, push fatigue attack or MFA prompt bombing, is used to circumvent MFA systems.

It’s a tactic where bad actors trigger and send the user an avalanche of authentication requests sent by push notification. The user then gets overwhelmed by the high number of requests and ends up confirming them, giving the bad actor access to their account.

The attacks accounted for approximately 29% of cyber breaches in 2022 and rose by 33% compared to 2021. Two infamous MFA fatigue attack examples were those performed by Lapsus$ and SolarWinds.

How does MFA bombing work?

How does MFA bombing work?

Many organisations implementing either two-factor or multi-factor authentication do it by keeping the old and merely adding new methods. They maintain their password authentication flow and slap a second factor on it. That second factor usually is either SMS authentication containing OTPs or push notifications requesting users to confirm a login attempt.

The 2FA or MFA with password plus push notification process is straightforward: a user submits their password, which triggers a notification asking them to confirm their login or payment attempt.

Bad actors corrupt this method by first getting a hold of the password, which are easy to come by. There are currently about 12.5 billion passwords that cybercriminals can get their hands on. The hacker uses the password as a 1st factor and triggers a push notification sent to the legitimate user to confirm the authentication attempt.

The cybercriminal then overwhelms the unsuspecting user with push authentication requests until they succumb and approve authentication out of fatigue, giving the hacker access to the targeted account. MFA fatigue attacks have a 3% success rate, but cybercriminals deploy it massively, making their impact significant.

What is mfa bombing? what technological measures can you take to prevent it from happening?

What can organisations do about it?

Not much, according to many cyber experts. They suggest that organisations can’t do anything besides educate their users. And while raising awareness and providing cybersecurity training is important, it comes awfully short. 

Doing away with push notifications as an authentication method isn’t the correct answer either. These next three technological security measures will help you prevent MFA fatigue attacks.

Rate Limiting

The more push authentication requests a bad actor can trigger, the higher the likelihood an MFA fatigue attack will succeed. To combat this, organisations should implement rate limiting to their authentication setup.

Rate limiting puts a cap on the number of push notifications that can be triggered. This eliminates the risk of a user being coerced into accepting an authentication request due to an extremely high number of push notifications.

Device detection

Your authentication setup should be able to detect from which device a push notification is requested. On top of that it should only allow push notification requests coming from a previously used device. This makes it much harder for bad actors to impersonate a user and trigger requests remotely.

Post-rejection request limiting

Post-rejection request limiting forces users to re-authenticate after a first rejected push authentication request. Only then, can a user trigger a second push notification request.

Our mobile passwordless authentication software will compel users to re-authenticate by scanning a QR code with their known device after a rejection. Since the bad actor doesn’t possess the mobile device, the can’t bombard the user with push authentication requests.


MFA prompt bombing is challenging to deal with. They expose legacy MFA systems and are easy to deploy at a mass scale. But with the right mix of user awareness and education and these three critical technical security measures, organisations can mitigate such attacks with greater success and prevent account takeovers.

MFA bombing is only one of the causes of account takeovers. Discover other threats and 7 best practices to protect yourself and your users from account takeovers.

Book your personal demo