MFA Fatigue (or MFA Bombing) is an attack where an adversary with a stolen password repeatedly sends MFA push notifications to a victim, hoping they approve one out of frustration or confusion.
⚙️ How Does It Work?
The attacker signs in with the stolen credentials over and over, and each attempt triggers another push notification to the victim's phone. If the victim approves any one of them, the attacker's session completes and they gain access. Mitigations include number matching (the user must type a code shown on the login screen into the app, so a blind tap no longer works), phishing-resistant FIDO2 authenticators, and rate limiting the number of push prompts that can be sent to a user in a given window.
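As an added illustration (not code from this glossary or from any identity vendor), the following Python sketch shows the two server-side controls mentioned above: a sliding-window detector that flags a push flood in authentication logs, and a rate limiter that refuses to send more prompts once a per-user cap is hit. The event names, thresholds, and sample log are constructed assumptions, not any product's real format or defaults.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed log (not real data): alice is bombed, then approves; bob is normal.
SAMPLE_EVENTS = [
    ("alice", "2024-05-01T09:00:00", "push_sent"),
    ("alice", "2024-05-01T09:00:05", "push_denied"),
    ("alice", "2024-05-01T09:00:12", "push_sent"),
    ("alice", "2024-05-01T09:00:30", "push_sent"),
    ("alice", "2024-05-01T09:00:50", "push_sent"),
    ("alice", "2024-05-01T09:01:20", "push_approved"),
    ("bob", "2024-05-01T09:03:00", "push_sent"),
    ("bob", "2024-05-01T09:03:09", "push_approved"),
]

def _prune(q, now, window_s):
    """Drop timestamps (epoch seconds) that fell out of the sliding window."""
    while q and now - q[0] > window_s:
        q.popleft()

def detect_push_floods(events, max_prompts=3, window_s=300):
    """Flag users sent more than max_prompts pushes inside window_s (the bombing
    pattern); an approval while still over the threshold is the urgent alert."""
    sent, findings = defaultdict(deque), {}
    for user, ts, kind in sorted(events, key=lambda e: e[1]):
        now, q = datetime.fromisoformat(ts).timestamp(), sent[user]
        _prune(q, now, window_s)
        if kind == "push_sent":
            q.append(now)
            if len(q) > max_prompts:
                f = findings.setdefault(user, {"prompts": 0, "approved_after_flood": False})
                f["prompts"] = max(f["prompts"], len(q))
        elif kind == "push_approved" and len(q) > max_prompts:
            findings[user]["approved_after_flood"] = True
    return findings

class PushRateLimiter:
    """Server-side cap on pushes per user per window: past it the IdP refuses to
    send, so the flood never reaches the phone. Assumed policy: 3 per 600 s."""
    def __init__(self, max_prompts=3, window_s=600):
        self.max_prompts, self.window_s = max_prompts, window_s
        self._sent = defaultdict(deque)

    def allow_push(self, user, now):  # now = epoch seconds
        q = self._sent[user]
        _prune(q, now, self.window_s)
        if len(q) >= self.max_prompts:
            return False  # refuse the push; caller should alert / lock the login
        q.append(now)
        return True
```

The detector's `approved_after_flood` flag is the finding worth paging on, since it means the same pattern seen in the Uber case (approval after a burst) has just occurred.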
📍 Where Is It Used?
Any organization that relies on push-based MFA without number matching enabled is exposed, since a plain approve/deny prompt can be accepted without the user seeing anything that ties it to the attacker's login attempt.
💡 Real-World Example
Uber's 2022 breach started with an MFA fatigue attack. Using a stolen password, the attacker sent repeated push notifications until the victim approved one. Uber subsequently mandated number matching and FIDO2 authenticators.