MFA Fatigue

What is an MFA Fatigue Attack? 

A multi-factor authentication (MFA) fatigue attack, otherwise known as MFA bombing or MFA spamming, is a social engineering cyberattack strategy in which an attacker repeatedly pushes second-factor authentication requests to a targeted user's email, phone, or registered devices. This activity understandably annoys the user, who may press accept, either accidentally or out of MFA fatigue, to stop the prompts. Alternatively, the prompts may confuse the user, who may assume one of the requests is legitimate and approve it. In any of these scenarios, the user unknowingly grants the malicious user access to their account.

Many steps need to occur before the attacker can initiate the MFA push notification. The attacks are often preceded by a phishing scam or another form of social engineering attack to obtain your username and password. Once these credentials are in the malicious user's hands, they can log in as you and request that a push notification, such as "click to approve" or "enter your PIN to approve," be sent to your device.

Due to the increasing use of MFA in our daily activities, it is normal to become numb and accidentally click “Approve.” We want to ensure we are all doing our part in updating credentials, verifying Duo push requests, and staying alert.

Don't fall victim to an MFA fatigue attack

  1. Do not approve any unknown push notifications
  2. Update and change passwords regularly
  3. Report the Phish


For more information visit

Questions or concerns? Contact the UNIT Help Desk at




Article ID: 144581
Thu 2/23/23 12:01 PM
Tue 6/4/24 3:24 PM