MFA under attack: the bombardment that deceives the user

Published on May 28, 2026 | Translated from Spanish

Multifactor authentication (MFA) is considered a solid barrier, but attackers have found a crack: request bombing. This method involves sending dozens of push notifications to the user's mobile phone until, out of frustration or by mistake, they accept one. From foro3d.com we remind you that approving an unexpected request opens the door to the attacker. Continuous cybersecurity training is the only real defense against this type of fatigue.


How the MFA fatigue attack works 🔐

The attack, known as MFA fatigue or MFA bombing, exploits human psychology more than technology. After obtaining valid access credentials, the attacker fires repeated MFA requests from the same session. The user, overwhelmed by constant alerts, may accept one just to silence the noise. Vendors such as Okta or Microsoft have documented cases where 15 minutes of bombing was enough for an employee to give in. The technical solution involves lockout policies after failed attempts and notifications with geographic context.
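The lockout policy described above can be sketched as a sliding-window check over push results. This is an added example, not code from the article or from any vendor; the event format, the 15-minute window, the threshold of five unapproved pushes and the rule that a lock holds until an out-of-band reset are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed observation window
MAX_UNAPPROVED = 5              # assumed threshold before lockout

# Constructed sample push events: (ISO timestamp, user, result)
SAMPLE_EVENTS = [
    ("2026-05-28T09:00:00", "alice", "approved"),   # normal login
    ("2026-05-28T08:00:00", "carol", "denied"),     # isolated denials,
    ("2026-05-28T08:30:00", "carol", "denied"),     # spaced beyond the window
    ("2026-05-28T10:00:00", "bob", "denied"),       # burst starts
    ("2026-05-28T10:01:00", "bob", "timeout"),
    ("2026-05-28T10:02:00", "bob", "denied"),
    ("2026-05-28T10:03:00", "bob", "timeout"),
    ("2026-05-28T10:04:00", "bob", "denied"),       # 5th unapproved push
    ("2026-05-28T10:05:00", "bob", "approved"),     # fatigue click
]

def detect_push_bombing(events, window=WINDOW, max_unapproved=MAX_UNAPPROVED):
    """Return (user, timestamp, action) findings for bursts of unapproved pushes."""
    recent = defaultdict(deque)  # user -> times of denied/timed-out pushes
    locked = set()               # users whose push MFA is suspended
    findings = []
    for ts_raw, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_raw)
        if user in locked:
            # Lock holds until an out-of-band reset (assumption), so a late
            # "approved" must not grant the session.
            if result == "approved":
                findings.append((user, ts_raw, "approval_blocked"))
            continue
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes outside the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= max_unapproved:
                locked.add(user)
                findings.append((user, ts_raw, "lockout"))
    return findings

if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_EVENTS):
        print(finding)
```

In the sample data the fifth unapproved push locks the account, so the approval one minute later is recorded as blocked instead of completing the login.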

The click that saves you or sinks you 🎯

Imagine this: you've been trying to log into your account for 20 minutes and suddenly a window appears asking for confirmation. You think: finally it works. And you click. Congratulations, you've just given away your access to a stranger celebrating from their basement. MFA bombing is the digital version of that annoying friend who calls 50 times until you answer. The difference is that here, if you give in, your account ends up in the hands of someone who doesn't want to meet for coffee.