MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
MFA was supposed to close the credential theft gap. One-time codes, authenticator prompts, security keys — even if an attacker had the password, they couldn't get in without the second factor. That was the theory.
The problem is humans.
Prompt bombing — also called MFA fatigue — doesn't try to steal the second factor. It simply overwhelms the user with authentication requests until they approve one just to make the noise stop. The 2022 Uber breach worked like this. Attackers had contractor credentials and spammed the victim with Microsoft MFA push notifications for over an hour. Eventually they hit approve.
The Russian group NOBELIUM used the same technique against Microsoft 365 accounts last year. After initial credential compromise, they flooded iOS devices running Microsoft Authenticator with authentication prompts until someone clicked through.
The economics are brutal. Attackers need one credential set — through phishing, credential stuffing, or a data breach — then they automate thousands of push notifications. The cost to attackers is essentially zero. The cost to organizations is alert fatigue, help desk tickets, and breaches.
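The pattern described above is visible in authentication telemetry: a run of denied or timed-out push challenges for one user in a short window, sometimes followed by a single approval. The following detector is an added example written for this article, not code from Uber, Microsoft or any vendor; the log lines are constructed, and the field layout (`timestamp user result source_ip`), the thresholds and the alert names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real telemetry):
# ISO timestamp, username, push result, source IP.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice push_denied 203.0.113.7
2024-05-01T02:10:41Z alice push_denied 203.0.113.7
2024-05-01T02:11:20Z alice push_timeout 203.0.113.7
2024-05-01T02:12:02Z alice push_denied 203.0.113.7
2024-05-01T02:12:44Z alice push_timeout 203.0.113.7
2024-05-01T02:13:30Z alice push_approved 203.0.113.7
2024-05-01T09:00:00Z bob push_approved 198.51.100.4
2024-05-01T09:30:00Z bob push_denied 198.51.100.4
"""

STORM_THRESHOLD = 4                 # unapproved pushes within the window (assumed value)
STORM_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one constructed log line into (datetime, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_push_storms(log_text, threshold=STORM_THRESHOLD, window=STORM_WINDOW):
    """Return alert tuples (kind, user, ip, time).

    'mfa_push_storm'       - at least `threshold` denied/timed-out pushes for a user
                             inside `window` (the user is being bombed)
    'approval_after_storm' - an approval arrives while a storm is still active
                             (the strongest sign the user finally clicked through)
    """
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved pushes
    storm_active = {}             # user -> time the storm was first flagged
    alerts = []

    for line in log_text.strip().splitlines():
        ts, user, result, ip = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()

        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in storm_active:
                storm_active[user] = ts
                alerts.append(("mfa_push_storm", user, ip, ts))
        elif result == "push_approved":
            if user in storm_active and ts - storm_active[user] <= window:
                alerts.append(("approval_after_storm", user, ip, ts))
            # An approval ends the sequence either way; start counting afresh.
            storm_active.pop(user, None)
            q.clear()
    return alerts


if __name__ == "__main__":
    for kind, user, ip, ts in detect_push_storms(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22} user={user} ip={ip}")
```

On the constructed log this flags alice twice: a storm at the fourth unapproved push and then the approval that follows it, which is the event worth paging on, since it marks the moment a worn-down user let the attacker in. Bob's single denial never crosses the threshold.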
This works because it exploits human psychology, not technical vulnerabilities. Security teams made users the final gatekeeper. Humans are not designed to resist sustained inconvenience. When a phone buzzes constantly, the instinct is to make it stop, not analyze whether each request is legitimate.
Organizations have adapted. Number matching is now standard — the user must enter a code from the login screen into their app. FIDO2 security keys can't be phished and require physical presence. Risk-based authentication only shows prompts for anomalous logins, reducing noise and making suspicious activity visible.
These help, but they're imperfect. Users under pressure still enter numbers without thinking. Security keys carry administrative overhead that many teams haven't taken on. Risk-based auth is only as good as the accuracy of the user and device profiles behind it.
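Number matching changes what a tap on the phone can do: the server shows a number only on the login screen, and the app demands that number back, so whoever is on the phone cannot approve a login they did not start. The sketch below is an added example of that server-side logic, not any vendor's implementation; the class name, the attempt cap and the cap on outstanding prompts per user are assumptions chosen to show the two checks that matter.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    user: str
    number: int           # rendered on the login screen only, never sent in the push
    attempts: int = 0
    resolved: bool = False


class NumberMatchingMFA:
    """Hypothetical server side of a number-matching push flow (illustrative, not a real API)."""

    MAX_ATTEMPTS = 3      # wrong numbers before the challenge is voided (guessing 1 of 100 is cheap otherwise)
    MAX_PENDING = 3       # outstanding pushes per user before new logins are refused (limits the 'bombing' itself)

    def __init__(self):
        self.challenges = {}   # challenge_id -> Challenge

    def pending_for(self, user):
        return [c for c in self.challenges.values() if c.user == user and not c.resolved]

    def start_login(self, user):
        """Called after the password is accepted.

        Returns (challenge_id, number). Only the id rides in the push notification;
        the number is displayed to whoever is sitting at the login screen.
        """
        if len(self.pending_for(user)) >= self.MAX_PENDING:
            raise PermissionError("too many outstanding MFA prompts for this user")
        cid = secrets.token_hex(8)
        self.challenges[cid] = Challenge(user=user, number=secrets.randbelow(100))
        return cid, self.challenges[cid].number

    def approve(self, cid, entered_number):
        """Called by the authenticator app. There is no bare 'Approve':
        the user must type the number shown on the login screen."""
        ch = self.challenges.get(cid)
        if ch is None or ch.resolved:
            return False
        ch.attempts += 1
        if entered_number == ch.number:
            ch.resolved = True
            return True
        if ch.attempts >= self.MAX_ATTEMPTS:
            ch.resolved = True      # void it; a fresh login (and a fresh push) is required
        return False
```

Two points the code makes concrete. A user who never saw the login screen has nothing to type, so reflexively dismissing the prompt does no harm; and because the number is only two digits, the attempt cap and the cap on pending prompts are not optional extras but the pieces that keep the scheme from degrading back into a guessing game. The caveat from the text still stands: if the attacker talks the user into reading a number off a phishing page, matching alone does not save them.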
The uncomfortable truth: MFA was designed for a different threat model. It assumed credential theft was the primary risk and the second factor would be rare enough that users would treat it carefully. Both assumptions collapsed. Credentials are routinely compromised. Automated attack tools generate MFA requests at scale, making prompts a daily annoyance rather than a deliberate security check.
What actually works now is reducing attack surface and assuming compromise. SSO minimizes credential count. Device trust policies only allow access from managed, compliant endpoints. Conditional access blocks logins from impossible travel locations or suspicious IPs before the user ever sees a prompt. Least-privilege access ensures that even a session obtained by wearing down MFA grants limited access.
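The point of the controls above is that they decide before any push is sent, so a bombing campaign never reaches the phone. As an added example (not the page's or any product's policy engine), the function below evaluates a login attempt against three assumed rules in that order: managed and compliant device, source IP not on a block list, and no impossible travel relative to the user's last successful login. The attempt records, the block list prefix and the speed threshold are constructed for illustration.

```python
import math
from datetime import datetime

BLOCKED_NETWORK_PREFIXES = ("203.0.113.",)   # constructed block list (documentation range)
MAX_PLAUSIBLE_SPEED_KMH = 900                # faster than an airliner => impossible travel
MIN_TRAVEL_KM = 100                          # ignore geolocation jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate_login(attempt, last_success):
    """Return (decision, reason). 'block' means no MFA push is ever sent;
    'prompt_mfa' means exactly one challenge may go to the user's device."""
    if not (attempt["device_managed"] and attempt["device_compliant"]):
        return ("block", "unmanaged or non-compliant device")
    if attempt["ip"].startswith(BLOCKED_NETWORK_PREFIXES):
        return ("block", "source IP on block list")
    if last_success is not None:
        km = haversine_km(last_success["lat"], last_success["lon"], attempt["lat"], attempt["lon"])
        if km >= MIN_TRAVEL_KM:
            hours = (attempt["time"] - last_success["time"]).total_seconds() / 3600
            if hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                return ("block", f"impossible travel: {km:.0f} km since last login")
    return ("prompt_mfa", "policy satisfied; send a single MFA challenge")


# Constructed history: last good login from London at 08:00.
LAST_SUCCESS = {"time": datetime(2024, 5, 1, 8, 0), "lat": 51.50, "lon": -0.12}


def sample_attempts():
    """Constructed login attempts covering the normal case and each blocking rule."""
    base = {"user": "alice", "device_managed": True, "device_compliant": True}
    london = {"lat": 51.50, "lon": -0.12}
    sydney = {"lat": -33.87, "lon": 151.21}
    return {
        "normal": {**base, **london, "ip": "198.51.100.4", "time": datetime(2024, 5, 1, 9, 0)},
        "impossible_travel": {**base, **sydney, "ip": "198.51.100.9", "time": datetime(2024, 5, 1, 10, 0)},
        "unmanaged": {**base, **london, "ip": "198.51.100.4", "time": datetime(2024, 5, 1, 9, 0),
                      "device_managed": False},
        "blocked_ip": {**base, **london, "ip": "203.0.113.7", "time": datetime(2024, 5, 1, 9, 0)},
    }


if __name__ == "__main__":
    for name, attempt in sample_attempts().items():
        decision, reason = evaluate_login(attempt, LAST_SUCCESS)
        print(f"{name:18} -> {decision:10} ({reason})")
```

Only the first attempt results in a push; the other three are refused silently, which is what keeps an attacker holding a valid password from turning the user's phone into a target. Least privilege is the backstop for the case this function cannot catch: a prompt that is legitimately sent and then approved under pressure.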
The Uber and Microsoft cases aren't outliers. They're examples of a technique that has become standard because it works. MFA isn't broken, but it is no longer a silver bullet. It is one control in a strategy that must account for the reality that users — and their second factors — can be worn down.