MFA fatigue is an attack tactic that overwhelms a user with repeated authentication prompts in the hope they will eventually approve one. It matters because organizations can deploy MFA broadly and still remain vulnerable if approval-based factors are abused socially.
What is MFA Fatigue?
Also known as MFA bombing or prompt bombing, this tactic usually begins after an attacker already has a valid password and keeps triggering MFA requests until the user accepts one out of confusion or frustration, or simply by mistake. Some attackers also contact the victim directly while the prompts are arriving to increase the pressure.
MFA fatigue attacks show that not all MFA methods provide equal resistance to social engineering and repeated login abuse.
Why MFA Fatigue Works
It works when users are overloaded, approval prompts lack useful context, help desk or identity processes are weak, and login attempts are not rate-limited or investigated quickly.
MFA Fatigue vs. Standard Phishing
Standard phishing tries to steal credentials or lure the user into a fake login directly. MFA fatigue typically abuses already-stolen credentials and pushes the user to approve a real login attempt they did not initiate.
Frequently Asked Questions
How can organizations reduce MFA fatigue risk?
Number matching, phishing-resistant MFA, risk-based restrictions, rate limiting, alerting on repeated prompts, and user education about unexpected approvals all help.
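As an added illustration of the "alerting on repeated prompts" control (example code written for this page, not taken from any vendor product), the following Python flags a user who receives a burst of push prompts within a short window and records whether that burst ended in an approval, which is the case a defender most needs to investigate. The log format, field names, user names and IP addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one MFA push event per line.
SAMPLE_LOG = """\
2024-05-01T02:13:04Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2024-05-01T02:13:31Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-01T02:14:02Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2024-05-01T02:14:40Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-01T02:15:12Z user=alice event=mfa_push result=approved ip=203.0.113.7
2024-05-01T09:00:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
2024-05-01T17:30:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""

# Assumed line layout; adapt the pattern to whatever your identity provider emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, user, result, ip) for each well-formed push-prompt line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["result"], m["ip"]


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user who received `threshold` or more push prompts
    inside a sliding `window`. The alert keeps the peak prompt count and whether
    any prompt was approved while the burst condition was active."""
    recent = defaultdict(deque)  # user -> timestamps of prompts still inside the window
    alerts = {}
    for ts, user, result, ip in parse(log_text):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # expire prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(
                user, {"prompts": 0, "approved_after_burst": False, "ip": ip, "last_seen": ts}
            )
            a["prompts"] = max(a["prompts"], len(q))
            a["approved_after_burst"] |= result == "approved"
            a["last_seen"] = ts
    return alerts
```

Normal users such as "bob" above, who approve a prompt a few hours apart, never reach the threshold; the burst for "alice" that ends in an approval is the pattern worth paging on.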
Does MFA fatigue mean MFA is useless?
No. MFA remains very valuable, but organizations should favor stronger methods and reduce dependence on weak approval-only flows where possible.