Is your team at risk from MFA fatigue?
Posted on 29 June 2026 by Beaming Support
Multi-factor authentication (MFA) is a cyber security tool we recommend using wherever possible. It adds an important layer of protection around your data, systems and accounts.
Like any security measure, MFA works best when you understand how it can be targeted and how to configure it properly. One risk to be aware of is MFA fatigue.
What is MFA Fatigue?
MFA fatigue, also known as MFA push bombing or MFA spamming, is a cyber attack in which a criminal who already holds a user's username and password repeatedly triggers MFA push approval requests to that user's device.
The aim is to overwhelm or confuse the user into tapping "Approve" on one of them, which completes the login and gives the attacker access to the account.
How MFA fatigue attacks work
- The setup
The attacker obtains the correct username and password, often through a previous data breach, phishing email or reused password.
- The spamming
The attacker attempts to log in, triggering an MFA prompt on the user’s device, such as a mobile phone notification asking, “Is this you trying to log in?”
If the user ignores or denies the request, the attacker sends another, then another. In some cases, hundreds of requests can be sent within minutes.
Shared inboxes can increase the risk. If several people have access to the same mailbox, one colleague may approve a request believing it is legitimate. We can recommend safer ways of working that reduce this risk.
- The breach
The user becomes confused, distracted or worn down and approves one of the requests. The attacker then gains access to the account and potentially the data it contains.
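The pattern described in the three steps above is visible in identity-provider sign-in logs: a burst of push prompts for one account, mostly denied or ignored, sometimes ending in an approval. The following detection script is an added example written for this article; it is not Beaming's tooling, and the log lines and the four-column log format are constructed for illustration rather than taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format assumed for this example:
#   <ISO timestamp> <user> <source IP> <event>
# where event is push_sent, push_denied or push_approved.
# alice: six prompts in about a minute, then an approval (push bombing that worked)
# bob:   a normal single prompt, approved
# carol: two prompts a couple of minutes apart (user retried), below threshold
SAMPLE_LOG = """\
2026-06-29T08:00:01Z alice 203.0.113.7 push_sent
2026-06-29T08:00:03Z alice 203.0.113.7 push_denied
2026-06-29T08:00:09Z alice 203.0.113.7 push_sent
2026-06-29T08:00:12Z alice 203.0.113.7 push_denied
2026-06-29T08:00:20Z alice 203.0.113.7 push_sent
2026-06-29T08:00:31Z alice 203.0.113.7 push_sent
2026-06-29T08:00:45Z alice 203.0.113.7 push_sent
2026-06-29T08:01:02Z alice 203.0.113.7 push_sent
2026-06-29T08:01:40Z alice 203.0.113.7 push_approved
2026-06-29T08:15:00Z bob 198.51.100.4 push_sent
2026-06-29T08:15:05Z bob 198.51.100.4 push_approved
2026-06-29T08:30:00Z carol 192.0.2.10 push_sent
2026-06-29T08:30:04Z carol 192.0.2.10 push_denied
2026-06-29T08:32:00Z carol 192.0.2.10 push_sent
2026-06-29T08:32:05Z carol 192.0.2.10 push_approved
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (push_sent|push_denied|push_approved)$")


def parse_log(text):
    """Parse log text into (timestamp, user, source_ip, event) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` push prompts inside any `window`.

    Returns {user: details}. An approval that lands during or shortly after the
    burst is the worst case: the account should be treated as compromised.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        prompts = [(ts, ip) for ts, _, ip, kind in evs if kind == "push_sent"]
        best = None  # (count, first prompt time, last prompt time) of the densest window
        start = 0
        for end in range(len(prompts)):
            # Sliding window: drop prompts older than `window` before prompts[end]
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, prompts[start][0], prompts[end][0])
        if best is None:
            continue
        count, first, last = best
        approved = any(kind == "push_approved" and first <= ts <= last + window
                       for ts, _, _, kind in evs)
        alerts[user] = {
            "prompts": count,
            "first": first,
            "last": last,
            "sources": sorted({ip for ts, ip in prompts if first <= ts <= last}),
            "approved_during_burst": approved,
            "severity": "critical" if approved else "high",
        }
    return alerts


if __name__ == "__main__":
    for user, details in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, details)
```

Run against the constructed log, only alice is flagged (six prompts in one window, followed by an approval, so severity is critical); bob and carol stay below the threshold. In a real deployment the threshold and window should be tuned to the tenant's normal prompt volume, and a critical alert should trigger an immediate session revocation and password reset rather than a ticket.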
How can I protect data from MFA fatigue?
The best approach is to combine stronger authentication methods with access controls that stop suspicious login attempts before they reach the MFA stage. Where push notifications must stay in use, configure them so that approval is not a single tap: number matching, where the user has to type a number displayed on the login screen into the authenticator app, means a prompt cannot be approved without seeing the attacker's login attempt, which defeats blind approval.
Use stronger authentication methods
Some authentication methods are harder for attackers to exploit:
Biometrics
Biometric authentication uses unique physical traits, such as a fingerprint or face scan, to help confirm that the right person is signing in. Although modern AI has made some forms of spoofing more sophisticated, liveness checks and biometric matching performed securely on the device itself remain much harder to fake. Note that a biometric used only to unlock a push approval does not by itself stop MFA fatigue: it confirms who is tapping "Approve", not whether the login behind the prompt is genuine.
Possession factors
Possession factors rely on something the user owns or carries, such as a physical security key, a hardware token plugged into the PC, or a time-based code generated by a smartphone authenticator app. None of these can be approved by mistake from a flood of notifications, although a typed code can still be phished, so a security key or passkey is the stronger choice.
Magic links
A magic link is sent to an approved email address. When the user clicks the link, they are granted access. This can be convenient, but it should still be used carefully: the login is only as strong as the email account it lands in, so that mailbox needs phishing-resistant MFA of its own, and a shared mailbox should never be the destination.
Passkeys
Passkeys remove the need for a password and are resistant to phishing. They use cryptographic authentication linked to a trusted device, often combined with a fingerprint, face scan or device PIN.
Because there is no password to steal and no MFA push notification to approve, passkeys can help remove the attack path used in MFA fatigue.
Use firewall and threat management rules
Firewall and threat management rules can reduce the chance of an attacker reaching the point where they can trigger an MFA request. The aim is to stop the authentication attempt before it reaches the identity provider. For cloud identity platforms that are reachable directly from the internet, a perimeter firewall cannot sit in that path, so the same restriction is enforced at the identity provider as a location-based sign-in policy.
Restrict access by source IP: Only allow authentication from trusted locations, such as corporate offices, company VPN ranges and approved third-party networks.
Use geo or country blocking: Only allow access from approved regions. This is not infallible, as attackers can use VPNs, but it is a useful additional layer that can block many threats from outside the UK. (Read our latest cyber threat report to find out more about where threats originate)
Apply conditional access and network restrictions
Conditional access policies can require users to sign in from trusted networks, approved locations or compliant devices before access is granted.
Firewalls and threat management controls reduce the number of authentication attempts that reach the identity platform. Passkeys remove the password and MFA prompt that cyber criminals can exploit.
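To make the ordering concrete, the following simulation is an added example for this article (not Beaming's or any vendor's code). It models the step an identity provider takes after a correct password: with the network and device gate evaluated first, a login from an untrusted source is refused and no push prompt is ever generated; without the gate, every attempt produces a prompt. The trusted network ranges, allowed countries and the small GeoIP lookup table are constructed placeholders standing in for a real tenant's configuration and a real GeoIP database.

```python
import ipaddress

# Constructed policy values for illustration only.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),  # head office (example range)
    ipaddress.ip_network("203.0.113.0/25"),   # company VPN pool (example range)
]
ALLOWED_COUNTRIES = {"GB", "IE"}
# Constructed stand-in for a GeoIP database: source IP -> ISO country code.
GEOIP = {
    "198.51.100.23": "GB",
    "203.0.113.9": "GB",
    "192.0.2.77": "GB",   # home broadband, not a trusted range
    "198.18.5.5": "XX",   # foreign hosting provider
}


def gate_login(source_ip, device_compliant, require_compliant_device=True):
    """Decide whether an attempt may proceed to MFA.

    Returns ("allow_mfa", reason) or ("block", reason). Trusted networks pass
    outright; anything else must come from an allowed country and (optionally)
    a device the organisation manages.
    """
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return ("allow_mfa", "trusted network")
    country = GEOIP.get(source_ip, "unknown")
    if country not in ALLOWED_COUNTRIES:
        return ("block", "country %s not allowed" % country)
    if require_compliant_device and not device_compliant:
        return ("block", "unmanaged device outside trusted network")
    return ("allow_mfa", "allowed country, compliant device")


def attempt_login(source_ip, device_compliant, gate_enabled=True):
    """Simulated post-password step. Returns "push_sent" or "blocked".

    With gate_enabled=False the provider behaves like a tenant with no
    conditional access: a correct password always triggers a push prompt.
    """
    if gate_enabled:
        decision, _ = gate_login(source_ip, device_compliant)
        if decision == "block":
            return "blocked"
    return "push_sent"


def simulate_bombing(attempts, source_ip, gate_enabled):
    """Count how many push prompts an attacker replaying a stolen password generates."""
    return sum(1 for _ in range(attempts)
               if attempt_login(source_ip, device_compliant=False,
                                gate_enabled=gate_enabled) == "push_sent")


if __name__ == "__main__":
    for gate in (False, True):
        print("gate enabled=%s, prompts sent to the user: %d"
              % (gate, simulate_bombing(50, "198.18.5.5", gate)))
```

Running the simulation shows the difference the gate makes: fifty password replays from the foreign address produce fifty prompts without it and none with it. The legitimate cases still work, a user on the office range signs in from any device, and a user at home on an allowed-country address gets through only on a managed device. Geo lookups can be wrong or evaded with a VPN, as the section above notes, which is why the device check is kept as a second condition rather than relying on country alone.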
Balance security with usability
Finding the right balance between usability and security is important. Some controls may feel like an inconvenience at first, especially when they add extra steps to the login process.
However, the disruption caused by hacked, destroyed or lost data is likely to be far greater than the time taken to access data from the right location or use a stronger form of authentication.
Find out more about secure logins in this article: Passwordless logins explained.
