It is 2:17 a.m. Your phone buzzes. A push notification from Microsoft Authenticator: “Are you trying to sign in? Approve / Deny.” You tap Deny and set the phone face-down. Twenty seconds later, it buzzes again. Then again. And again. By the seventh or eighth alert you are half-awake, confused about whether you actually did start a sign-in session earlier that evening — maybe you left a browser tab open? — and by the fifteenth notification you tap Approve just to make it stop.
Congratulations. An attacker who purchased your corporate credentials for twelve dollars on a dark-web forum just walked through the front door of your company’s network.
This is multi-factor authentication fatigue, and it is no longer an exotic edge case. It is now among the most frequently used initial-access techniques recorded in enterprise breach investigations.
What MFA Fatigue Is
Multi-factor authentication was supposed to be the definitive answer to stolen passwords. Even if an attacker obtains a valid username and password — through phishing, a credential dump, or an infostealer — they still cannot log in without the second factor the legitimate user holds.
Push-based MFA exploits one design flaw in that logic: the second factor is approved by a human. And humans are exhaustible.
In a push-bombing attack, the attacker feeds the victim’s valid credentials into an automated login loop. Each failed attempt triggers a new push notification on the victim’s enrolled device. The attacker runs the loop continuously — dozens, sometimes hundreds, of times — across hours, overnight, or during early-morning hours chosen specifically because cognitive resistance is lowest.
The mechanics are straightforward. Attackers obtain credentials from breach databases, phishing kits, or infostealer malware such as RedLine or Raccoon. They then script an authentication loop against the target’s identity provider — Azure AD, Okta, Duo, or any other platform. Every loop iteration generates a new push. Because the authentication request is technically legitimate (real credentials, real endpoint), the identity provider cannot distinguish it from a genuine login.
The social-engineering layer amplifies the mechanical attack. Alongside the notification flood, the attacker contacts the victim via WhatsApp, Signal, LinkedIn, or a spoofed corporate email, posing as IT support: “We are seeing unusual sign-in activity on your account. Please approve the verification prompt so we can investigate and lock the threat actor out.” The victim, now primed by the notification storm and reassured by apparent IT involvement, approves. The attacker is in.
The Uber Hack: A Case Study in Corporate Exposure
The breach of Uber in September 2022 remains the most widely studied example of MFA fatigue at corporate scale. The attacker — later identified as a teenager affiliated with the Lapsus$ hacking collective — purchased the valid VPN credentials of an Uber contractor from a dark-web marketplace.
The contractor’s account was protected by push-based MFA. The attacker initiated repeated authentication attempts, each one generating a push notification on the contractor’s phone. After receiving more than thirty notifications, the contractor stopped denying them. The attacker then contacted the contractor directly via WhatsApp, claiming to be an Uber IT security employee and stating that the notifications would stop once the contractor approved the request.
The contractor approved. The attacker accessed the Uber VPN and, once inside the corporate perimeter, discovered a network share containing PowerShell scripts. Embedded within those scripts were hardcoded administrative credentials for Uber’s Thycotic PAM (privileged access management) system. Those credentials granted access to virtually every internal service: AWS, Google Cloud, Slack, HackerOne, and Uber’s own bug bounty reports — including unpatched vulnerability disclosures.
The entire breach from initial approval to full internal access took under two hours. The cost was not a sophisticated zero-day exploit. It was one tired contractor and one deceptive WhatsApp message.
Uber was not uniquely negligent. The same technique — credential purchase plus push bombing plus social engineering — has been used in documented breaches against Cisco, Twilio, Cloudflare, MGM Resorts, and several unnamed financial institutions. In the Cloudflare incident, the company’s pre-deployment of FIDO2 hardware keys meant the attack failed; the contractor’s approval of the push did not produce valid session access because Cloudflare had already migrated away from push-based MFA for privileged systems.
Why This Works on Humans
Cybersecurity’s most persistent structural problem is that its weakest link is not software — it is the human nervous system operating under time pressure and information overload.
Push notifications generate cognitive debt. Each unresolved alert demands mental attention. When notifications arrive in a torrent, the brain shifts from deliberate evaluation (“Did I initiate a login?”) to pattern-completion heuristics (“These things usually resolve when I tap Approve”). Psychologists call this decision fatigue; security practitioners call it notification blindness. The outcome is the same: a protective action — the Deny tap — is replaced by an action designed to terminate the irritant.
Timing is deliberate. Attackers preferentially launch push-bombing campaigns between midnight and 5 a.m. local time, or during weekends, when victims are sleeping, traveling, or distracted. The approval of a single notification, half-conscious, can open an entire corporate network. The attacker needs only one moment of reduced vigilance across an arbitrarily long campaign.
The social engineering overlay removes the last line of defense: suspicion. A well-scripted IT impersonation call or message reassures the victim that approving the push is the correct security action, inverting the protective reflex. The victim is told that disapproving will allow the attacker in; in reality, approving is exactly what the attacker needs.
Advertisement
The Evolution Beyond Push Bombing
Sophisticated threat actors do not rely on push fatigue alone. Several complementary techniques extend their reach to MFA methods that do not use push notifications at all.
SIM swapping targets SMS-OTP as a second factor. By social-engineering a mobile carrier’s support staff into porting the victim’s phone number to an attacker-controlled SIM, the attacker intercepts all text messages, including one-time passwords. SIM swapping is well-documented in cryptocurrency theft and has been used against high-value targets including corporate executives and government officials.
OTP phishing uses real-time relay. The attacker presents a convincing phishing page that mirrors a legitimate login portal. When the victim enters their credentials, the attacker relays them to the real site in real time and requests a one-time code. The victim receives and enters the OTP on the fake page; the attacker captures it and enters it on the real site before it expires (typically within thirty seconds). Tools such as Evilginx2 and Modlishka automate this relay, proxying the entire authentication session and capturing session cookies that remain valid after authentication completes.
Adversary-in-the-middle (AiTM) proxy attacks represent the highest-sophistication tier. Rather than stealing credentials and OTPs separately, AiTM proxies intercept the full HTTPS session between victim and identity provider, capturing session tokens post-authentication. These tokens bypass MFA entirely because authentication has already occurred. AiTM attacks are increasingly used in business email compromise campaigns, allowing attackers to impersonate executives from within their actual email accounts.
The common thread across all these techniques: they do not break MFA cryptographically. They bypass it by attacking the authentication ceremony — the human moment, the relay window, or the session layer — rather than the cryptographic primitive itself.
Phishing-Resistant MFA: The Only Effective Defense
The term “phishing-resistant MFA” has a precise technical meaning. It refers to authentication methods in which the second factor is cryptographically bound to the specific domain being authenticated and cannot be relayed, replayed, or phished.
FIDO2/WebAuthn hardware security keys — YubiKey, Google Titan, Feitian — generate a challenge-response using an asymmetric key pair stored on the hardware device. The response is cryptographically tied to the origin domain. A phishing proxy cannot relay this response to a different domain; the cryptographic handshake will fail. CISA now formally recommends FIDO2 as the gold standard for phishing-resistant MFA and mandates it for U.S. federal agencies under Binding Operational Directive 22-09.
Passkeys extend FIDO2 to platform authenticators — the biometric sensors built into modern smartphones and laptops. A passkey is a device-bound credential that replaces both the password and the push notification. Because the private key never leaves the device and the credential is domain-bound, passkeys are resistant to phishing, push bombing, and AiTM proxying. Apple, Google, and Microsoft have integrated passkey support into their operating systems and identity platforms.
Number matching is a transitional control for organizations that cannot immediately migrate off push-based MFA. Microsoft Authenticator, Duo, and other platforms now support number-matching prompts: the login page displays a two-digit number, and the user must enter that specific number in the Authenticator app to approve. This eliminates approval-without-context, because a fatigued user cannot simply tap Approve — they must read and transcribe a code, which requires enough wakefulness to recognize an unusual or unexpected prompt.
Context-aware authentication adds behavioral signals — device health posture, geographic location, network characteristics, and time-of-day baselines — to the authentication decision. An approval from a new device in an unexpected country at 3 a.m. triggers step-up authentication or blocks the attempt entirely. Implemented correctly, adaptive MFA creates friction for attackers operating from unfamiliar infrastructure while remaining transparent to legitimate users.
What Organizations Must Do
The security community has reached consensus on the minimum actions required to address MFA fatigue:
Mandate phishing-resistant MFA for all privileged accounts immediately. Administrators, remote-access users, executives, and anyone with access to identity management systems represent the highest-value targets. FIDO2 hardware keys or passkeys should replace push-based MFA for these accounts as a first priority, not a long-term aspiration.
Deploy number matching across all push-based MFA deployments. For the broad employee population not yet migrated to FIDO2, number matching is a low-friction, high-impact control that eliminates blind approval. Most major Authenticator platforms have made it available; many organizations have not yet enabled it.
Implement anomaly detection on authentication patterns. A single account generating thirty failed MFA prompts within one hour is an unambiguous attack signal. Identity platforms and SIEMs should alert on this pattern in real time, triggering automatic account lockout and incident response.
Conduct explicit MFA fatigue training. Most security awareness programs cover phishing email recognition; few explicitly train users to recognize push-bombing attacks and social-engineering accompaniments. Employees need to understand that legitimate IT support will never ask them to approve a push notification and that repeated unexpected prompts mean an attacker has their password.
Adopt zero-trust network access (ZTNA). Even if an attacker bypasses MFA, zero-trust architectures limit blast radius by enforcing least-privilege access, device health checks, and continuous session re-evaluation. The Uber breach was catastrophic partly because VPN access, once granted, provided broad lateral movement capability. ZTNA eliminates the implicit trust that made that movement possible.
MFA is not broken. It remains a critical control. But push-based MFA deployed without complementary controls has a well-documented bypass vector that attackers use at scale. The organizations that treat MFA as a checkbox rather than a layered security posture are the ones whose contractors are approving notifications at 2 a.m.
Frequently Asked Questions
What is mfa fatigue attacks?
MFA Fatigue Attacks: How Hackers Bypassed the Layer Everyone Trusted covers the essential aspects of this topic, examining current trends, key players, and practical implications for professionals and organizations in 2026.
Why does mfa fatigue attacks matter?
This topic matters because it directly impacts how organizations plan their technology strategy, allocate resources, and position themselves in a rapidly evolving landscape. The article provides actionable analysis to help decision-makers navigate these changes.
How does the uber hack: a case study in corporate exposure work?
The article examines this through the lens of the uber hack: a case study in corporate exposure, providing detailed analysis of the mechanisms, trade-offs, and practical implications for stakeholders.
Sources & Further Reading
- CISA — Implementing Phishing-Resistant MFA (Fact Sheet)
- Uber — Security Update on 2022 Breach
- Microsoft Security Blog — Detecting and Containing MFA Fatigue Attacks
- FIDO Alliance — Passkeys: The Passwordless Future
- Verizon — Data Breach Investigations Report (DBIR), Social Engineering Chapter
- Proofpoint — MFA Bypass Techniques and Defenses
