MFA prompt bombing is a growing threat, but multifactor authentication remains one of your best defenses. Here is what changed and what to do about it.

In September 2022, a contractor working for Uber got a notification on his phone. Then another. Then another. Forty push notifications in thirty minutes, each one asking him to approve a login he never started. Eventually, worn down and assuming it was a glitch, he tapped “approve.” Within hours, a teenage hacker affiliated with the group Lapsus$ was inside Uber’s network, reading source code and accessing vulnerability reports that had not yet been patched.
That attack has a name now. It is called MFA prompt bombing, sometimes called MFA fatigue. And it is something every small business owner, city clerk, and nonprofit director in the Commonwealth should understand.
First, the Good News: MFA Still Works
At Commonwealth Sentinel, enabling multifactor authentication (a second step beyond your password to prove you are who you say you are) has been one of our top recommendations for years. That has not changed.
The numbers back it up. Microsoft research shows that MFA reduces the risk of a compromised account by more than 99 percent. A 2024 report from the Identity Theft Resource Center found that 94 percent of breached organizations could have avoided the attack if they had simply enabled MFA. Accounts without MFA are the ones getting broken into, over and over again.
If you have MFA enabled, you are already ahead of most people. That part of the advice stands firm.
Now, the MFA Prompt Bombing Problem
Criminals figured out that they do not need to beat MFA. They just need to annoy the person using it.
Here is how it works. An attacker buys or steals your username and password. Maybe it came from a data breach. Maybe it came from a phishing email you clicked six months ago. They try to log in. Your phone buzzes with an approval request. You decline it. They try again. Another buzz. You decline. They try again. And again. And again.
After dozens of notifications, maybe at 11 p.m., when you are trying to sleep, you tap “approve” just to make it stop. That is all it takes.
In some cases, the attacker goes further. During the Uber breach, the attacker messaged the contractor on WhatsApp, posing as a member of Uber’s IT department, and told him to accept the notification. Cisco saw a similar attack the same year: voice phishing calls combined with a flood of push notifications led to a breach by the Yanluowang ransomware group, which claimed to have stolen nearly three gigabytes of data.
These are not small targets. If Uber and Cisco can get caught, a county office running on a tight budget and a skeleton IT staff is not immune.
Why MFA Prompt Bombing Works on Good People
Nobody who falls for this is foolish. The attack works because it exploits something decent in people: the desire to be helpful, the trust that your IT department is who it says it is, and the plain human need to make an annoying thing stop. Criminals count on fatigue, not stupidity.
How to Keep Using MFA and Stay Safe
MFA is still one of your strongest defenses. The answer is not to turn it off. The answer is to use it better. Here is how.
Switch to number matching. Many MFA apps now offer a feature called number matching. Instead of just tapping “approve,” you have to enter the number shown on the login screen. If you are not sitting at that screen, you cannot approve the request. This one change makes prompt bombing almost useless. Microsoft, Okta, and Duo all support it. If your MFA app offers it, turn it on today.
Use a hardware security key if you can. CISA, the federal agency responsible for cyber security guidance, recommends what they call “phishing-resistant MFA.” That means tools like a YubiKey or a FIDO2 security key, a small device you plug into your computer or tap against your phone. No notification to approve. No number to match. The key itself is the proof. It is the strongest option available, and the cost has come down to around $25 per key.
Treat unexpected MFA prompts like a stranger at the door. If your phone buzzes with a login approval you did not start, do not approve it. Not ever. That notification means someone else has your password and is trying to get in right now. Decline it, then change your password immediately.
Be suspicious of follow-up calls or messages. If someone contacts you claiming to be from IT and asks you to approve a notification, verify it through a separate channel. Call your IT contact directly using a number you already have. Do not trust the person who called you.
Report it. If you receive a flood of MFA requests you did not initiate, notify your IT department or managed service provider. If you do not have one, report it to CISA at cisa.gov/report or to the FBI’s Internet Crime Complaint Center at ic3.gov.
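For the IT staff or managed service provider who receives such a report, here is an added illustration (not part of the original article) of how the "flood of MFA requests" described above can be spotted in push-MFA sign-in logs: it counts prompts per user in a sliding window and separately flags an approval that follows a run of denials, the worn-down pattern from the Uber case. The log format, user names and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")

# Constructed sample push-MFA events (not real logs): clerk07 has one normal
# prompt; contractor01 denies a late-night burst three times, then gives in.
SAMPLE_LOG = """\
2022-09-15T08:10:00Z user=clerk07 event=push_sent src=198.51.100.4
2022-09-15T08:10:09Z user=clerk07 event=push_approved src=198.51.100.4
2022-09-15T23:02:11Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T23:02:40Z user=contractor01 event=push_denied src=203.0.113.9
2022-09-15T23:03:05Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T23:03:30Z user=contractor01 event=push_denied src=203.0.113.9
2022-09-15T23:04:02Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T23:04:20Z user=contractor01 event=push_denied src=203.0.113.9
2022-09-15T23:05:00Z user=contractor01 event=push_sent src=203.0.113.9
2022-09-15T23:05:44Z user=contractor01 event=push_approved src=203.0.113.9
"""
def parse(text):
    """Yield (timestamp, user, event, src); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   m.group(2), m.group(3), m.group(4))

def detect_prompt_bombing(text, burst_count=4, window_minutes=10,
                          denials_before_approve=3):
    """Return (user, reason) alerts. 'burst' fires when burst_count prompts
    reach one user inside the window; 'worn_down' fires when an approval
    follows denials_before_approve or more consecutive denials."""
    sent = defaultdict(deque)   # user -> prompt timestamps inside the window
    denied = defaultdict(int)   # user -> denials since the last approval
    alerts = []
    for ts, user, event, _src in parse(text):
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_minutes * 60:
                q.popleft()
            if len(q) == burst_count:   # alert once, when the threshold is crossed
                alerts.append((user, "burst"))
        elif event == "push_denied":
            denied[user] += 1
        elif event == "push_approved":
            if denied[user] >= denials_before_approve:
                alerts.append((user, "worn_down"))
            denied[user] = 0
    return alerts
```

Either alert is a cue to contact the user through a known channel and reset the password, which is the same advice the article gives the user directly.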
The Lock Still Works
MFA prompt bombing is real and getting more common. But the lock still works. Multifactor authentication remains one of the most effective tools for keeping your accounts, data, and organization safe. What has changed is that you need to pay attention when the lock talks to you. If you did not ask it to buzz, someone else did.
That is worth knowing. And it is worth passing along to every person in your office who has a login and a phone.
If your organization could use a second set of eyes on its security practices, we would welcome the chance to sit down with you. Contact us or call us at 502-234-5554. That first conversation costs nothing, and it might be the most useful hour you spend this month.
At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things!
