MFA Prompt Bombing: When Second Factor Authentication Fails

Multi-factor authentication (MFA) was designed to prevent unauthorized access even when passwords are compromised. However, attackers have discovered a simpler approach: instead of stealing the second authentication factor, they manipulate users into voluntarily providing it. This technique, known as MFA prompt bombing, exploits human psychology by overwhelming users with repeated authentication requests until they approve access out of frustration or confusion. The attack bypasses traditional security measures by targeting the user rather than the technology. Organizations relying solely on MFA should implement additional safeguards like notification monitoring and user education to recognize such social engineering tactics. Source: Security Industry Publication.
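The notification monitoring mentioned above can be sketched as a sliding-window check over MFA push events. This is an added example, not code from the original reporting; the event format, the 10-minute window, the threshold of 5 and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (ISO timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:05", "alice", "denied"),
    ("2024-05-01T02:00:40", "alice", "timeout"),
    ("2024-05-01T02:01:10", "alice", "denied"),
    ("2024-05-01T02:01:55", "alice", "denied"),
    ("2024-05-01T02:02:30", "alice", "timeout"),
    ("2024-05-01T02:03:40", "alice", "approved"),   # approval right after a burst
    ("2024-05-01T09:00:00", "bob", "timeout"),      # single missed prompt: normal
    ("2024-05-01T09:00:30", "bob", "approved"),
    ("2024-05-01T08:00:00", "carol", "denied"),     # denials spread over hours
    ("2024-05-01T10:00:00", "carol", "denied"),
    ("2024-05-01T12:00:00", "carol", "denied"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of denied/unanswered pushes

def detect_prompt_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, kind) alerts.

    'burst' fires when a user reaches `threshold` denied or timed-out
    pushes inside `window`; 'approved_after_burst' fires when an approval
    arrives while that burst is still inside the window.
    """
    recent = defaultdict(deque)  # user -> timestamps of failed pushes in window
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        failed = recent[user]
        # Drop failed pushes that have aged out of the window.
        while failed and ts - failed[0] > window:
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(ts)
            if len(failed) == threshold:  # alert once per burst
                alerts.append((user, ts_raw, "burst"))
        elif result == "approved":
            if len(failed) >= threshold:
                alerts.append((user, ts_raw, "approved_after_burst"))
            failed.clear()  # a successful login resets the counter
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the case worth paging on, since it matches the pattern of a user giving in after repeated prompts.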
Original reporting by The Hacker News. We only summarise, never republish.