
When Push Comes to Shove! Protect Yourself from MFA Fatigue Attacks
Multi-Factor Authentication (MFA) is one of the best ways to protect your online accounts. It’s a smart idea to make sure it’s turned on for important accounts like your email to better protect yourself and lower your chances of being hacked. MFA adds an extra layer of security by requiring two or more pieces of information to log in, like your password and a push notification sent to your phone. This makes it much harder for hackers to gain access.
However, attackers have found a sneaky new way to get around those push-based notifications: MFA Fatigue Attacks.
What Is an MFA Fatigue Attack?
An MFA fatigue attack, also known as MFA bombing or MFA spamming, happens when a hacker bombards or spams you with endless authentication requests (those asking, “Is this you trying to log in?”).
The goal? Push until you crack. The attackers flood you with MFA requests, hoping you’ll eventually hit ‘Approve’ by accident or out of sheer frustration just to stop receiving the notifications. However, the moment you do, they’re in and your account is wide open.
It’s a psychological trick, not a technical hack. It can be effective if you’re not prepared.
Everyone’s At Risk
MFA fatigue attacks don’t just target big companies or VIPs. They can happen to anyone who uses apps with push-based MFA (like Microsoft Authenticator, Duo, or Google prompts).
Hackers often reuse passwords from data breaches to trigger these attacks.
How to Protect Yourself
You don’t need expensive software or a corporate security team to protect yourself from MFA fatigue attacks. Here’s what you can do right now:
1. Never Approve a Login You Didn’t Start – If you get a push notification and you’re not actively logging in, always deny it. Ignore the pressure or urgency. Approving gives full access to your account.
2. Change Your Password Immediately – If you’re getting repeated MFA prompts, your password is probably compromised.
- Change your password immediately.
- Use a unique password you haven’t used elsewhere.
- Consider using a phrase instead of just a word. Make it difficult to guess.
3. Turn Off Push-Based MFA When Possible – Some services let you switch to verification codes (like Google Authenticator or SMS codes) instead of push notifications. Verification codes are harder for attackers to abuse with this tactic.
4. Enable Account Lockout or Alerts – If the app you’re using has a setting to lock out after multiple failed attempts or send security alerts, turn it on. Even free accounts on some platforms offer this feature.
5. Report it to the Service Provider – Many companies have security teams monitoring these attacks.
- Look for a “Report Fraud” or “Report Login Attempt” option in your app.
- Even if you denied the login, it helps them track attackers.
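For readers who run a service or review its sign-in logs, the kind of alerting described in step 4 can be sketched as follows. This is an added example, not part of the original article or any vendor's code; the log format, the 10-minute window and the threshold of 5 prompts are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed count of unapproved prompts that makes a burst

# Constructed sample log (timestamp, account, outcome of one push prompt); not real data.
SAMPLE_LOG = """\
2024-05-01T02:14:05 alice denied
2024-05-01T02:14:40 alice timeout
2024-05-01T02:15:10 alice denied
2024-05-01T02:15:45 alice timeout
2024-05-01T02:16:20 alice denied
2024-05-01T02:16:50 alice timeout
2024-05-01T02:17:30 alice approved
2024-05-01T08:59:30 bob timeout
2024-05-01T09:00:00 bob approved
2024-05-01T11:00:00 carol denied
2024-05-01T11:01:00 carol denied
2024-05-01T11:02:00 carol denied
2024-05-01T12:30:00 carol denied
2024-05-01T12:31:00 carol denied
"""

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, account, alert) tuples for prompt bursts and approvals that follow one."""
    recent = defaultdict(deque)   # account -> timestamps of denied or timed-out prompts
    bursting = set()              # accounts already alerted for the current burst
    alerts, events = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:       # skip blank or malformed lines
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    for ts, account, outcome in sorted(events):
        q = recent[account]
        while q and ts - q[0] > window:
            q.popleft()           # forget prompts older than the window
        if len(q) < threshold:
            bursting.discard(account)   # the earlier burst has ended
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and account not in bursting:
                bursting.add(account)
                alerts.append((ts.isoformat(), account, "prompt_burst"))
        elif outcome == "approved":
            if len(q) >= threshold:     # approval in the middle of a burst: treat as compromise
                alerts.append((ts.isoformat(), account, "approved_after_burst"))
            q.clear()
    return alerts
```

In the constructed log, only alice triggers alerts: bob's single missed prompt and carol's denials spread over 90 minutes stay below the threshold. An approval that lands during a burst is the case that calls for ending the session and resetting the password.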
Awareness Is Your Best Defence
The biggest advantage attackers have is catching you off guard.
Just knowing about MFA fatigue attacks makes you less likely to fall for them.
So next time your phone buzzes with a login request you didn’t start, stop, deny, and reset your password.