Multi-factor authentication fatigue attack

A multi-factor authentication fatigue attack (also MFA fatigue attack or MFA bombing) is a computer security attack against multi-factor authentication that makes use of social engineering. When MFA applications are configured to send push notifications to end users, an attacker can send a flood of login attempts in the hope that a user will click on accept at least once.
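Detection logic for the flood described above, as an added example that is not part of the original article: it flags a user who receives many unapproved push prompts in a short window, and separately flags an approval that arrives during such a burst. The event format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push result). Not real log data.
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:00", "alice", "denied"),
    ("2024-03-01T02:10:40", "alice", "timeout"),
    ("2024-03-01T02:11:15", "alice", "denied"),
    ("2024-03-01T02:12:05", "alice", "timeout"),
    ("2024-03-01T02:12:50", "alice", "denied"),
    ("2024-03-01T02:13:30", "alice", "approved"),   # accept after a burst
    ("2024-03-01T09:00:00", "bob", "timeout"),      # one missed prompt, then a
    ("2024-03-01T09:00:30", "bob", "approved"),     # normal approval
    # Five denials spread over five hours: too slow to count as a flood.
    *[(f"2024-03-01T{h}:00:00", "carol", "denied") for h in range(10, 15)],
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved pushes that is a flood


def detect_push_floods(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, kind) alerts; kind is 'flood' when a user
    reaches `threshold` unapproved pushes inside `window`, and
    'approved_after_flood' when an approval arrives during such a burst."""
    recent = defaultdict(deque)  # user -> times of unapproved pushes in window
    flooding = set()             # users already alerted for the current burst
    alerts = []
    for ts_str, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if len(q) < threshold:
            flooding.discard(user)        # burst has aged out
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in flooding:
                flooding.add(user)
                alerts.append((user, ts_str, "flood"))
        elif result == "approved":
            if len(q) >= threshold:       # highest-priority signal
                alerts.append((user, ts_str, "approved_after_flood"))
            q.clear()
            flooding.discard(user)
    return alerts
```

An `approved_after_flood` alert is the case to escalate first, since it means a prompt was accepted while the account was being flooded.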

In September 2022, Uber security was breached by a member of Lapsus$ using a multi-factor fatigue attack.

In 2022, Microsoft deployed a mitigation against MFA fatigue attacks in its authenticator app.

In early 2024, a small percentage of Apple consumers experienced an MFA fatigue attack caused by a hacker who bypassed the rate limit and CAPTCHA on Apple’s “Forgot Password” page.