MFA Prompt Bombing: Why Your Second Factor Is Failing


Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. But attackers have figured out they don't need to steal the second factor: they just need the user to hand it over. Learn how MFA prompt bombing works and how to protect your team.

Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal the second factor: they just need the user to hand it over.

If your workforce authenticates with MFA, you're probably feeling pretty good about your security posture. But here's the thing—attackers have adapted. They're not breaking the encryption or cracking the code. They're using a technique called MFA prompt bombing, and it's scarily effective.

### What Is MFA Prompt Bombing?

MFA prompt bombing is when an attacker floods a user with push notifications or approval requests for a second factor. The goal? To annoy or trick the user into approving one. It's like someone knocking on your door 50 times in a row until you just open it without checking who's there.

This works because users get tired, distracted, or just want the buzzing to stop. One accidental tap, and the attacker is in. It's not about technical sophistication; it's about exploiting human nature.

### Why Traditional MFA Isn't Enough Anymore

You might think your MFA setup is solid. But here's the reality:

- Push notifications are convenient, but they're also the main attack vector for prompt bombing.
- SMS codes can be intercepted or SIM-swapped.
- Hardware tokens are more secure but impractical for large teams.
- Biometrics are great, but they don't stop someone from approving a request on your device.

The common thread? All these methods rely on the user making the right decision under pressure. And let's be honest, we've all accidentally clicked "Approve" on something.

### How Attackers Execute Prompt Bombing

The process is deceptively simple. First, the attacker gets your credentials—maybe from a data breach or phishing email. Then, they try to log in to your account. Your MFA kicks in and sends a push notification to your phone. But instead of giving up, the attacker keeps sending requests. Over and over. Maybe 10 times in a minute. Your phone won't stop buzzing. Eventually, you hit "Approve" just to make it stop. And just like that, the attacker is in.

> "The weakest link in security isn't the technology—it's the person holding the phone."

### Real-World Examples

This isn't just theory. In 2022, Uber suffered a major breach because an attacker used prompt bombing to trick an employee into approving an MFA request. The same technique has been used against companies like Microsoft and Twilio. These are organizations with top-tier security teams, and they still got hit.

### What You Can Do About It

So, what's the fix? You can't just drop MFA—it's still better than nothing. But you need to layer in better protections:

- **Use number matching**: Instead of "Approve" or "Deny," require users to type a number displayed on the login screen. This makes it harder to approve blindly.
- **Set rate limits**: Limit how many MFA requests can be sent in a short time. This stops the bombardment.
- **Educate your team**: Make sure everyone knows about prompt bombing. Tell them never to approve a request they didn't initiate.
- **Consider phishing-resistant MFA**: Technologies like FIDO2 or WebAuthn don't rely on push notifications at all.

### The Bottom Line

MFA prompt bombing is a wake-up call. It shows that even the best security tools can be undermined by human behavior. The answer isn't to ditch MFA—it's to make it smarter and pair it with solid training. Your second factor isn't saving you if it's just one tap away from being handed over. Protect your team by understanding this threat and building defenses that account for the human factor.
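The rate-limiting and detection points from the mitigations above, as an added example that is not code from the original article: a detector that flags any user who receives more than five push prompts inside a sliding 60-second window and notes whether an approval followed the burst, beside a sender-side limiter that refuses the sixth push. The log format, field names and thresholds are constructed assumptions, so map them to your identity provider's actual event names.

```python
# Added example (not from the original article): flag MFA push bursts in auth
# logs and rate-limit the push sender. SAMPLE_LOG, its field names and the
# thresholds are constructed assumptions mirroring "10 times in a minute".
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW, MAX_PROMPTS = timedelta(seconds=60), 5  # assumption: 6th push in a minute is a burst
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice mfa_push_sent
2024-03-01T09:00:06 alice mfa_push_sent
2024-03-01T09:00:11 alice mfa_push_sent
2024-03-01T09:00:18 alice mfa_push_sent
2024-03-01T09:00:25 alice mfa_push_sent
2024-03-01T09:00:31 alice mfa_push_sent
2024-03-01T09:00:40 alice mfa_push_approved
2024-03-01T09:05:00 bob mfa_push_sent
"""

def detect_bombing(log, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Flag users with more than max_prompts pushes in a sliding window and
    note whether an approval followed the burst (the "tap to make it stop")."""
    recent, alerts = defaultdict(deque), {}  # user -> push timestamps inside the window
    for line in log.strip().splitlines():
        ts, user, event = line.split()
        ts = datetime.fromisoformat(ts)
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop pushes older than the window
                q.popleft()
            if len(q) > max_prompts:
                alerts.setdefault(user, {"approved_after_burst": False})["prompts"] = len(q)
        elif event == "mfa_push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts

def allow_push(history, user, now, max_prompts=MAX_PROMPTS, window=WINDOW):
    """Sender-side rate limit: refuse a push once max_prompts were sent in the window."""
    q = history[user]
    while q and now - q[0] > window:
        q.popleft()
    if len(q) >= max_prompts:
        return False  # the bombardment stops before the phone buzzes again
    q.append(now)
    return True

def simulate_sender(offsets_s, user="alice"):
    """Run allow_push for login attempts at the given second offsets."""
    base, history = datetime(2024, 3, 1, 9, 0, 0), defaultdict(deque)
    return [allow_push(history, user, base + timedelta(seconds=s)) for s in offsets_s]
```

An alert whose `approved_after_burst` is true is the case worth paging on: the user tapped through after a flood, so treat the session as suspect and reset the credentials.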