2FA7 min readJune 23, 2026

MFA Fatigue Attacks: How Push Notification Abuse Bypasses Two-Factor Authentication

MFA fatigue attacks have successfully bypassed two-factor authentication at Uber, Microsoft, and Cisco. Here's how the attack works and how to make your accounts immune to it.

What Is an MFA Fatigue Attack?

An MFA fatigue attack (also called MFA bombing or push notification spam) is a social engineering technique that exploits the convenience of push-notification-based two-factor authentication. The attacker already has your username and password — obtained through phishing, purchase from a dark web market, or a prior data breach. They can't get past your push-based 2FA without your approval, so they repeatedly send authentication requests to your phone, hoping you'll eventually tap "Approve" just to make the notifications stop.

These attacks have successfully bypassed 2FA at some of the most security-aware organizations in the world. In 2022, Uber suffered a significant breach after an attacker used MFA fatigue — reportedly sending continuous push requests to an employee over several hours, then messaging them on WhatsApp impersonating Uber IT and claiming the pushes would stop once they approved one. The employee approved. The attacker gained full network access.

Similar techniques were used in attacks against Microsoft employees and in the Cisco breach. If sophisticated corporate security teams are vulnerable, individual users are too.

How MFA Fatigue Attacks Work Step by Step

Understanding the attack mechanics makes the defense obvious:

  1. Credential acquisition: The attacker obtains your username and password — from a phishing attack, a credential stuffing campaign using breached data, or direct purchase on the dark web. Use our password generator to create credentials that can't be guessed, and a password manager to eliminate reuse.
  2. Authentication attempt spam: Using your credentials, the attacker repeatedly triggers the MFA push notification — sometimes dozens or hundreds of times over hours, in the middle of the night, or during a high-stress work period when you're least attentive.
  3. Social engineering layer: The more sophisticated attacks add a social engineering component. The attacker contacts the victim by phone, email, or text impersonating IT support, explains that there's a "system issue" requiring them to approve the login, and guides them toward tapping Approve.
  4. Access gained: The moment the victim taps Approve — whether from fatigue, confusion, or the social engineering component — the attacker's session is authenticated. They're now inside the account.

The attack succeeds because it doesn't try to break 2FA technically — it manipulates the human into completing the authentication step for the attacker. No cryptographic weakness is exploited. The system worked exactly as designed; the human was the vulnerability.

Which 2FA Methods Are Vulnerable

MFA fatigue attacks specifically target push-notification-based 2FA — the type where you receive a notification on your phone asking "Was this you? Approve / Deny." This is common in enterprise systems using Microsoft Authenticator, Duo Security, Okta Verify, and similar corporate authentication platforms.

Methods that are vulnerable to MFA fatigue:

  • Microsoft Authenticator push approval (without number matching)
  • Duo Security push (without additional verification)
  • Okta push notifications
  • Any other "one-tap approve" push-based authentication

Methods that are not vulnerable to MFA fatigue:

  • TOTP authenticator apps (Google Authenticator, Authy) — require actively reading and typing a time-limited code, not a passive approval. No code = no access. Attackers can't spam a code request.
  • Hardware security keys (YubiKey, Google Titan) — require physical possession of the key and a deliberate action (touch the key). Immune to both MFA fatigue and phishing. See our YubiKey setup guide for how to configure one.
  • Passkeys — cryptographically bound to the specific legitimate domain. Immune to phishing and MFA fatigue. See our guide on passkeys explained for how they work.
  • Number-matching push — an improved form of push authentication that requires typing a number shown on the login screen into the authenticator app. Breaks the passive one-tap model and restores active participation. Microsoft Authenticator and Duo both support this.

Real-World Examples of MFA Fatigue Attacks

Uber (2022): A threat actor affiliated with Lapsus$ used social engineering and MFA fatigue to breach Uber's internal systems. After the victim approved a push request, the attacker accessed Uber's VPN and internal tools, including AWS, Google Workspace, and Slack. The breach was attributed to a contractor whose credentials were purchased from dark web markets.

Microsoft (2022): Lapsus$ used similar techniques against Microsoft, gaining access to source code repositories. Microsoft subsequently published detailed guidance on MFA fatigue defense and has since deployed number-matching as the default for Authenticator push notifications.

Cisco (2022): The Yanluowang ransomware group breached Cisco through a combination of credential theft, voice phishing, and MFA fatigue against push-based authentication. Cisco described the attacker as persistent and sophisticated, attempting multiple MFA push notifications over an extended period before succeeding.

These are enterprise-level attacks, but the technique is equally applicable to individual consumer accounts using push-based 2FA on platforms like Coinbase, financial institutions, and any service using app-based push approval.

How to Defend Against MFA Fatigue Attacks

The defenses range from behavioral to technical, and implementing multiple layers is the most resilient approach:

If you receive unexpected MFA push notifications, deny and report them immediately. An authentication request you didn't initiate means someone has your credentials. Tap Deny, then immediately change your password on that service to a new unique password — use our password generator for a truly random one. A password manager like NordPass makes it easy to store and autofill the new unique credential.

Switch to TOTP authenticator apps for high-value accounts. For your email, financial accounts, and primary cloud storage (Google, iCloud, Dropbox), use a TOTP app like Google Authenticator or Authy instead of push-based 2FA. TOTP codes must be actively read and typed — there's no passive approval to spam. Our two-factor authentication guide covers setup for major platforms.

Use a hardware security key for critical accounts. Hardware keys like YubiKey are immune to both MFA fatigue and phishing. They require physical possession and a deliberate touch. For email, financial accounts, and anything involving sensitive personal data, a hardware key is the strongest authentication you can add. At $25–$65, it's among the highest-value security investments you can make.

Enable number matching if you must use push 2FA. Microsoft Authenticator, Duo, and Okta all support number-matching — when you receive a push notification, you must type a number shown on the login screen into the app before approving. This breaks the passive "tap Approve" model and makes fatigue attacks far less effective, since the attacker can't just spam requests hoping you'll tap blindly.

Check if your credentials are in breach databases. MFA fatigue only works if the attacker already has your password. Services like NordProtect monitor the dark web continuously and alert you when your email or credentials appear in breach databases — giving you the opportunity to change affected passwords before attackers use them in an MFA fatigue campaign.

For Organizations: Mitigating MFA Fatigue at Scale

Security teams can reduce organizational exposure to MFA fatigue attacks through several technical and policy controls:

  • Enforce number matching on all push-based MFA. Microsoft Authenticator has had number matching enabled by default since May 2023. If your organization uses Duo or Okta, configure number matching (or "verified push") as a mandatory requirement.
  • Implement FIDO2/WebAuthn authentication. Hardware keys and platform authenticators (Windows Hello, Touch ID, Face ID) registered via WebAuthn are phishing-resistant and immune to MFA fatigue. Rolling out FIDO2 for privileged accounts is a high-priority security improvement.
  • Set anomaly thresholds that flag repeated push denials. Multiple denied MFA requests in a short window should trigger an account lockout and security team alert. The Uber attacker succeeded partly because repeated push attempts didn't automatically raise an alert.
  • Train users to deny and report unexpected pushes. The most important behavioral control: employees must understand that an unexpected push notification means someone has their credentials, and the correct response is deny-and-report, not approve.
  • Reduce the attack surface via breached password screening. Integrating Have I Been Pwned's API into your identity platform to reject known-breached passwords reduces the pool of credentials available for MFA fatigue attacks at the entry point.

The Bigger Picture: Building Phishing-Resistant Authentication

MFA fatigue is one variant of a broader category of attacks that exploit the human approval step in authentication. The arms race between attackers and defenders is steadily moving toward authentication methods that don't have a human approval step at all — passkeys, hardware keys, and biometric platform authenticators that are cryptographically bound to the legitimate site and require physical presence.

The practical priority for individuals: use strong, unique passwords (via a password manager like NordPass), add TOTP or hardware key 2FA on your highest-value accounts, monitor your credentials with NordProtect so you know when they appear in breaches, and understand that any unexpected authentication request is a signal that something is wrong — not something to approve to make stop.

Recommended Tools

  • NordPass — Password manager for generating unique passwords that eliminate credential reuse — the prerequisite for any MFA fatigue attack.
  • NordProtect — Dark web and breach monitoring that alerts you when credentials appear in databases attackers use to launch MFA fatigue campaigns.

For the strongest possible account protection, combine these tools with a hardware security key (our YubiKey setup guide has everything you need) and visit our recommended tools page for the full security stack.

Recommended next step

See recommended security tools

Use the generator for new credentials, then store them in a manager built for long-term password hygiene.

See recommended security tools

Keep Improving Your Account Security

#MFA fatigue#two-factor authentication#push notification attack#account security#phishing-resistant MFA

🔒 Generate a Strong Password Now

Use our free tool to create cryptographically secure passwords for all your accounts.

Try the Password Generator →
Most secure

Open-source password manager trusted by millions. Free forever.

Get Bitwarden Free
Most secure

Open-source password manager trusted by millions. Free forever.

Get Bitwarden Free