MFA Fatigue Attacks: When Hackers Spam Your Login Approvals

Your Phone Buzzes. Then Again. Then Again.

It’s 11 PM on a Tuesday. You’re watching TV, winding down, and your phone starts buzzing with login approval requests. One after another. Microsoft Authenticator, Duo, whatever you use — it just won’t stop.

So you do what any exhausted human would do. You hit Approve just to make it stop.

Congratulations — you just handed a hacker the keys to your business.

This is called an MFA fatigue attack (also known as push bombing or prompt bombing), and it’s one of the most effective tactics cybercriminals are using right now. It doesn’t require sophisticated malware or zero-day exploits. It just requires your password — which was probably already leaked in a data breach — and your frustration.

Wait, I Thought MFA Was Supposed to Protect Me?

It does. Multi-factor authentication is still one of the best security measures any business can implement. But here’s the thing: not all MFA is created equal.

The most common type of MFA — push notifications — works like this:

  • You enter your username and password
  • Your phone gets a push notification asking you to approve or deny
  • You tap Approve, and you’re in

The problem? That approval step is designed for convenience, not verification. The notification doesn’t tell you who is trying to log in or where they are. It just asks: approve or deny?

Hackers figured out that if they already have your password (and billions of stolen credentials are floating around the dark web), they can just trigger that push notification over and over until you cave.

This Isn’t Hypothetical — It’s Happening Right Now

In 2022, a teenager used MFA fatigue to breach Uber’s internal systems. The attacker spammed a contractor’s phone with push notifications for over an hour, then messaged them on WhatsApp pretending to be IT support: “Just approve it and the notifications will stop.”

It worked. The attacker got access to Uber’s internal tools, Slack, and cloud infrastructure.

If it can happen to a $70 billion company, it can absolutely happen to a 15-person accounting firm in Boca Raton.

How to Protect Your Business

1. Switch to Number Matching

Most major authentication apps now support number matching. Instead of just tapping Approve, you’re shown a two-digit number on the login screen and must type it into your phone. If a hacker is triggering the login, they see the number — but you don’t, because you’re not at that screen.

Microsoft Authenticator enabled this by default in 2023. If you’re using Duo or another provider, check your admin settings and turn it on today.
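To make the difference concrete, here is an added example (not code from the original post, and not any vendor's authenticator) that models both flows as a toy identity provider in Python. `PushMfaServer`, `Challenge`, `legitimate_login` and `simulate_push_bombing` are hypothetical names for illustration; real products implement the same idea inside their push protocol. The point it shows: the two-digit number only travels to the login screen, so whoever typed the password sees it and the phone never does.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    username: str
    display_number: int      # shown only on the login screen, never in the push
    consumed: bool = False   # every push is single-use


class PushMfaServer:
    """Toy identity provider (hypothetical, for illustration only).

    With number_matching=False a bare Approve completes the login.
    With number_matching=True the approver must also type the two-digit
    number that the login screen displayed.
    """

    def __init__(self, number_matching, rng=None):
        self.number_matching = number_matching
        # rng is injectable so a test can pin the number; a real server
        # always draws it from a CSPRNG as the default does here
        self._rng = rng or (lambda: secrets.randbelow(100))
        self._challenges = {}
        self.sessions = []

    def start_login(self, username):
        """Called after the password check succeeds. Whoever typed the
        password gets the number back on *their* screen; the account
        owner's phone only receives a push for the challenge id."""
        cid = secrets.token_hex(8)
        ch = Challenge(username, self._rng())
        self._challenges[cid] = ch
        return cid, ch.display_number

    def respond_to_push(self, cid, approve, entered_number=None):
        ch = self._challenges.get(cid)
        if ch is None or ch.consumed:
            return False
        ch.consumed = True           # burn the challenge whatever happens next
        if not approve:
            return False
        if self.number_matching and entered_number != ch.display_number:
            return False             # wrong or missing number: no session
        self.sessions.append(ch.username)
        return True


def legitimate_login(idp, username="alice@example.com"):
    """The real user is at the login screen, so they can read the number."""
    cid, number_on_screen = idp.start_login(username)
    return idp.respond_to_push(cid, approve=True, entered_number=number_on_screen)


def simulate_push_bombing(number_matching, prompts=10, victim_guess=None, rng=None):
    """Attacker holds the password and fires `prompts` logins. The worn-down
    victim taps Approve on the last push without being at any login screen.
    Returns True if the attacker ends up holding a session."""
    idp = PushMfaServer(number_matching, rng)
    attacker_sees = [idp.start_login("alice@example.com") for _ in range(prompts)]
    last_cid, _number_only_the_attacker_sees = attacker_sees[-1]
    # With number matching the app asks for a number the victim never saw;
    # victim_guess models whatever they type (None = nothing to type).
    return idp.respond_to_push(last_cid, approve=True, entered_number=victim_guess)
```

`simulate_push_bombing(False)` returns True every time: a blind tap is a full login. `simulate_push_bombing(True)` returns False unless the victim somehow types the exact number the attacker's screen is showing, a 1-in-100 guess per prompt, and each failed attempt burns that challenge. Because a mismatched number is a denial in all but name, it belongs in the same alerting as explicit denials.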

2. Use Hardware Security Keys

A physical security key (like a YubiKey) is the gold standard. You plug it into your computer or tap it on your phone to verify your identity. No push notification, no approval fatigue, no social engineering. A hacker halfway around the world can’t press a physical key that’s on your keychain.

Yes, they cost $25-50 per key. That’s a lot cheaper than a data breach.

3. Set Up Alerts for Denied MFA Attempts

If someone is spamming your MFA, that means they already have your password. Multiple denied MFA attempts should trigger an immediate alert to your IT team or MSP. That password needs to be changed immediately.
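What "multiple denied attempts should trigger an alert" looks like as detection logic, as an added example that is not part of the original post: a small Python sliding-window detector run over constructed sample log lines. The line format (`<timestamp> user=... result=... ip=...`) is hypothetical and not any product's real export; adapt `parse_line` to your identity provider's sign-in logs. It raises a high-severity alert once a user accumulates three unapproved pushes (denied or timed out) inside ten minutes, and a critical one if an approval then lands inside the same window, which is the signature of a fatigue attack that worked.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Format is hypothetical:
#   <ISO-8601 timestamp> user=<upn> result=<approved|denied|timeout> ip=<addr>
SAMPLE_LOG = """\
2024-03-05T09:12:00Z user=bob@example.com result=approved ip=198.51.100.4
2024-03-05T14:40:10Z user=bob@example.com result=denied ip=198.51.100.4
2024-03-05T22:58:01Z user=alice@example.com result=denied ip=203.0.113.9
2024-03-05T22:58:20Z user=alice@example.com result=denied ip=203.0.113.9
2024-03-05T22:58:44Z user=alice@example.com result=timeout ip=203.0.113.9
2024-03-05T22:59:10Z user=alice@example.com result=denied ip=203.0.113.9
2024-03-05T22:59:31Z user=alice@example.com result=denied ip=203.0.113.9
2024-03-05T23:01:02Z user=alice@example.com result=approved ip=203.0.113.9
"""

UNAPPROVED = {"denied", "timeout"}   # both mean the user did not say yes


def parse_line(line):
    """Split one log line into (timestamp, user, result, source ip)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["result"], kv["ip"]


def detect_push_bombing(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return a list of alert dicts, in log order.

    high:     >= threshold unapproved pushes for one user within `window`
              (someone holds the password; reset it and revoke sessions)
    critical: an approval arrives while that burst is still in the window
              (the user likely gave in; treat the account as compromised)
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes
    already_high = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in already_high:
                already_high.add(user)
                alerts.append({
                    "user": user, "severity": "high", "at": ts, "ip": ip,
                    "reason": f"{len(q)} unapproved pushes within {window}",
                    "action": "force password reset; contact user out of band",
                })
        elif result == "approved" and len(q) >= threshold:
            alerts.append({
                "user": user, "severity": "critical", "at": ts, "ip": ip,
                "reason": "approval after a burst of unapproved pushes",
                "action": "revoke sessions and tokens; reset password; investigate",
            })
            q.clear()                      # burst consumed; start fresh
            already_high.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(a["at"].isoformat(), a["severity"].upper(), a["user"], "-", a["reason"])
```

On the sample, bob's single denial stays below the threshold and produces nothing, while alice trips the high alert at her third unapproved push and the critical alert when she finally approves two minutes later. Tune `threshold` and `window` against your own baseline; in most small businesses a legitimate user almost never denies the same prompt three times in ten minutes.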

4. Train Your Team

Every employee needs to know: if you didn’t just try to log in, NEVER approve the notification. Make it part of your security awareness training. Run simulated MFA fatigue drills just like you’d run phishing simulations.

5. Implement Conditional Access Policies

If you’re on Microsoft 365 Business Premium or similar platforms, set up conditional access policies that block login attempts from unusual locations or devices. If someone is trying to log in from Romania at 3 AM and your entire team is in Palm Beach County, that request should be automatically denied before it ever reaches anyone’s phone.

The Bigger Picture: Passwords Are the Problem

MFA fatigue attacks work because hackers already have your password. And let’s be honest — they probably do. Between LinkedIn, Dropbox, and the dozens of other major breaches over the past decade, most people’s credentials have been exposed at least once.

The long-term fix is passwordless authentication — logging in with biometrics, hardware keys, or passkeys instead of passwords entirely. Microsoft, Google, and Apple are all pushing in this direction, and it’s something every business should be planning for.

But right now, today, the immediate fix is simple: upgrade your MFA method, train your team, and make sure someone is watching for suspicious login activity.

Don’t Let Fatigue Win

The whole point of an MFA fatigue attack is to exploit human nature. We’re tired, we’re busy, and we just want the buzzing to stop. Attackers are counting on that.

The best defense is a combination of better technology (number matching, hardware keys) and better awareness (knowing that random MFA prompts are a red flag, not an annoyance).

If you’re not sure how your business’s MFA is configured — or if you’re still relying on basic push notifications — it’s time for a security checkup. At YourTech, we help South Florida businesses implement MFA the right way, set up conditional access policies, and train teams to recognize attacks before they succeed.

Because the best cybersecurity isn’t just about having the right tools — it’s about using them correctly.