Multifactor Authentication Fatigue leads to new cyber risks

One of the many ways that people try and secure their data is through Multifactored Authentication. In recent months, hackers have found a way to push people’s tolerance to their limits and use multifactor authentication against those who have set it up.

Multifactor Authentication. (MFA) is the process of using outside apps or technology to be able to log into your various devices and accounts. Things like a passcode sent to your phone, an app that you download or even request a button to press to be let into their accounts. In theory, if it operates correctly, you can control who gets let into your accounts.

Hackers have figured out ways to trick you into giving them MFA prompts in the past. Social engineering can trick people into handing over their MFA codes. This can range from a simple email to tricking your phone. This is why many companies will have a disclaimer that will not ask for certain information to protect themselves from liability.

But now there is a new way to trick people into giving up their access and its thanks to the MFA most sites use. Dubbed MFA fatigue, it comes from the fact that everyone has to put up with it. According to MFA trust, “A multi-factor authentication (MFA) fatigue attack – also known as MFA Bombing or MFA Spamming – is a social engineering cyberattack strategy where attackers repeatedly push second-factor authentication requests to the target victim’s email, phone, or registered devices. The goal is to coerce the victim into confirming their identity via notification, thus authenticating the attackers attempt at entering their account or device.”(1)

In essence, the idea is that hackers get your credentials and then just start sending out MFA requests to your various devices. The idea is they send it so often and under the radar, their target just pushes the button or puts the code in. With a simple act of not caring as a result of multiple pushes, the victim lets hackers into their accounts none the wiser.

Perhaps the most known, and probably the thing that brought this type of hack to light was the breach of Uber’s systems. In September of 2022, Uber was breached, allowing hackers access to a full plethora of customers data. “In the Uber hack, the threat actor used an Uber contractor’s compromised VPN credentials to repeatedly attempt to log in, generating an MFA notification each time.  The adversary even reached out to the contractor on WhatsApp, pretending to be with Uber IT support, to encourage them to accept.  When they finally did, the attacker had access to the Uber VPN and tunneled further into the Uber network to breach critical systems such as the company’s email, cloud storage, and code repository. (2) By using customers lack of care over MFA and manipulated unsuspecting people, hackers were able to weave their way into even the most sophisticated security systems.


Multifactored authentication is a good way to protect your data and control who has access to their data. But hackers are craft and evolved their craft every day. Taking advantage of lack of vigilance and how much people need to use MFA daily, they can trick people into activating their accounts without them aware of anything wrong. TO combat this, one must be aware of when you enter your accounts. If you don’t recognize it, don’t click on it. When there is suspicious activity report it to whoever oversees that account and reset the various passwords associated with it. Don’t fall for social engineering tricks that may compromise your accounts.