MFA Fatigue: How Push Bombing Attacks Are Bypassing Your Strongest Defense

7/10/20264 min read

Multi-factor authentication has spent years being the security control everyone can agree on. It's cheap, effective against stolen passwords, and easy to roll out. It's also, increasingly, being bypassed not through clever exploitation but through simple persistence. The attack is called push bombing, or MFA fatigue, and it works because it targets a human being at the end of a long day, not a technical vulnerability.

For mid-market companies that rolled MFA out years ago and haven't touched the configuration since, this is one of the more consequential gaps sitting quietly in an otherwise solid security program.

How the Attack Actually Works

The attacker already has a valid username and password, usually from a previous breach, a phishing kit, or credential stuffing against reused passwords. They attempt to log in, which triggers a push notification to the legitimate employee's phone asking them to approve or deny the login. The employee denies it, correctly recognizing they didn't just try to log in.

The attacker tries again. And again. Sometimes dozens of times, often late at night or early in the morning, sometimes paired with a text message or phone call impersonating IT support, explaining that the notifications are part of a system update and asking the employee to simply approve the next one to make them stop. Eventually, tired, annoyed, or convinced by the fake support call, the employee taps approve. The attacker is in, past the control that was supposed to stop exactly this.

Why This Keeps Working

Push-based MFA was designed to be frictionless, and that design goal is precisely what makes it vulnerable to fatigue attacks. A single tap to approve is easy for a legitimate user in a hurry and just as easy for an exhausted user trying to make an annoying notification stop. The control was built to reduce friction for the 99 out of 100 approvals that are legitimate, and that same low friction is what an attacker is counting on for the one that isn't.

SMS-based MFA has a related but distinct weakness: it can be intercepted or redirected through SIM-swapping, and it provides no context about what login attempt is actually being approved. Basic push notifications improve on SMS but still typically show minimal information, often nothing more than "approve or deny," giving the employee almost nothing to evaluate before making a split-second decision.

The Fix Isn't Removing MFA. It's Upgrading It

The answer to push bombing isn't abandoning MFA, which remains dramatically more effective than passwords alone. The answer is closing the specific gap that basic push notifications leave open. Number matching, where the employee has to enter a code displayed on the login screen into their authentication app rather than simply tapping approve, eliminates the one-tap fatigue vulnerability directly, since a random notification with no code to match is obviously not a real request.

Rate limiting login attempts and automatically locking an account after a handful of failed or repeated push requests removes the attacker's ability to send dozens of notifications in the first place. And for the accounts that matter most, admin credentials, finance systems, and anything with access to sensitive client data, phishing-resistant authentication using FIDO2 security keys or platform passkeys removes push-based approval from the equation entirely, since there's no notification to bomb in the first place.

Conditional access policies add another layer worth reviewing: flagging or blocking login attempts from unfamiliar countries, unusual devices, or impossible-travel patterns before the MFA prompt is even sent. A login attempt that never reaches the employee's phone is one that can't be approved by mistake, regardless of how convincing the follow-up phone call might be.

The Human Layer Still Matters

Technology closes most of the gap, but the fake IT support call is a social engineering problem no authentication protocol fully solves on its own. Employees need to know, clearly and repeatedly, that IT will never call and ask them to approve a push notification to make it stop, and that a flood of unexpected MFA prompts should be reported immediately, not silenced. A short, specific training moment about this exact scenario tends to stick far better than a generic annual security awareness module, because it describes something an employee can immediately picture happening to them.

Running a brief, unannounced tabletop exercise, walking a handful of employees through exactly what a push bombing attempt looks and feels like, tends to be far more effective than a written policy alone, since it gives people a concrete memory to draw on instead of an abstract instruction they've never actually pictured playing out.

What a Mid-Market Security Review Should Check

Companies relying on basic push MFA without number matching are running a control that looked strong two years ago and has a known, actively exploited gap today. A focused review of current MFA configuration, prioritized rollout of number matching or phishing-resistant methods for high-value accounts, and a rate-limiting policy on repeated authentication attempts closes most of this exposure without a significant new investment. This is the kind of gap that shows up in a security operations review far more often than most mid-market leadership teams expect, precisely because the control was set up correctly once and never revisited as the attack techniques around it evolved.

Most identity providers already include number matching and rate limiting as configuration options rather than paid add-ons, which means the fix for a large share of mid-market companies is a settings change and a short rollout communication to employees, not a new procurement cycle. The gap isn't a lack of available tools. It's that basic push MFA was configured once, worked well enough that no one revisited it, and the attack techniques targeting it evolved while the configuration stood still.

The Broader Pattern Worth Remembering

Push bombing is a useful reminder that security controls age even when the underlying technology doesn't change. MFA is still dramatically better than passwords alone, and nothing here argues otherwise. But every control has an assumption baked into its original design, and attackers eventually find and target that assumption directly. The companies that stay ahead of this pattern aren't the ones that set up MFA once and considered the problem solved. They're the ones that revisit their security configuration on a regular cycle, specifically looking for the gap between what a control was designed to stop and what it's actually being asked to stop today.


Sigma Technology Consulting, Inc.

25 Years of Experience, Vetting & Procuring Technology Vendors

Contact Us

Support

© 2026. All rights reserved.