Network Brainiacs
Tip #44 · Passwords & MFA

MFA fatigue attacks.

Attackers with your password just spam your phone with MFA prompts until you approve one out of exhaustion. Number-matching kills it.

MFA fatigue, sometimes called MFA bombing, is a simple attack. An attacker has your password. They log in — which sends you a push notification. You decline. They try again. And again. At 2 AM. For hours. Until eventually, exhausted or hoping it's legitimate, you tap approve. That's the breach.

Why this works on real people

Push-based MFA was designed to be convenient — one tap and you're in. Attackers exploited that convenience. When a user gets 40 push prompts in a row in the middle of the night, even security-conscious people sometimes break. It's the attack that got Uber compromised in 2022. It still works.

Real incidents

A small firm's IT director got 60 push prompts between 1 AM and 3 AM after his password leaked.

Red flag: He eventually tapped approve assuming it was a system glitch. Tenant compromised in minutes.

A finance lead received three push prompts during a meeting and approved one to "make it stop" before checking.

Red flag: Attackers were logging in from Russia. Only caught because the follow-on activity was obvious enough to trip an alert.

What actually stops it

  • Number-matching MFA — you see a number on the login screen and have to type it into the app. Stops push fatigue cold.
  • FIDO2 / hardware keys — phishing-resistant by design; attackers can't trigger the key remotely.
  • Alert on bursts of push notifications to the same user — unusual activity should trigger auto-lockout.
  • User training: if you get a push you didn't ask for, deny it and change your password.

We turn on number matching as a default.

Microsoft made number matching the default in 2023, but many tenants never flipped the switch. We verify it everywhere for our clients.

Do this today
  1. Turn on number matching in Microsoft Authenticator and other MFA systems this week.
  2. Roll out FIDO2 / hardware keys for executives and finance staff.
  3. Configure alerts for MFA burst attempts — 5+ denials in a short window is a red flag.
  4. Train staff: unsolicited push prompts = deny + change password.
  5. Remove SMS MFA fallback on accounts that matter — SIM swaps are a parallel vector.
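The burst-alert rule above (alert on bursts of push prompts to one user; 5+ denials in a short window) as an added example that is not Network Brainiacs' own tooling. It runs a sliding-window detector over constructed sign-in records shaped like the two incidents described earlier; the 10-minute window, the field names and the sample users are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real tenant data. Fields mirror what a
# sign-in log exposes: user, UTC timestamp, MFA result and source IP.
SAMPLE_EVENTS = [
    {"user": "itdirector@example.com", "time": "2024-03-02T01:02:10Z", "mfa_result": "denied", "ip": "203.0.113.5"},
    {"user": "itdirector@example.com", "time": "2024-03-02T01:05:31Z", "mfa_result": "denied", "ip": "203.0.113.5"},
    {"user": "itdirector@example.com", "time": "2024-03-02T01:07:02Z", "mfa_result": "denied", "ip": "203.0.113.5"},
    {"user": "itdirector@example.com", "time": "2024-03-02T01:08:44Z", "mfa_result": "denied", "ip": "203.0.113.5"},
    {"user": "itdirector@example.com", "time": "2024-03-02T01:09:58Z", "mfa_result": "denied", "ip": "203.0.113.5"},
    {"user": "itdirector@example.com", "time": "2024-03-02T01:11:20Z", "mfa_result": "approved", "ip": "203.0.113.5"},
    {"user": "finance@example.com", "time": "2024-03-02T14:00:05Z", "mfa_result": "denied", "ip": "198.51.100.9"},
    {"user": "finance@example.com", "time": "2024-03-02T14:00:40Z", "mfa_result": "denied", "ip": "198.51.100.9"},
    {"user": "finance@example.com", "time": "2024-03-02T14:01:15Z", "mfa_result": "approved", "ip": "198.51.100.9"},
    {"user": "alice@example.com", "time": "2024-03-02T09:15:00Z", "mfa_result": "approved", "ip": "192.0.2.7"},
]

BURST_THRESHOLD = 5              # the tip's "5+ denials" rule
WINDOW = timedelta(minutes=10)   # assumed "short window"; tune per tenant


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one 'burst' alert per user whose denials reach `threshold` inside a
    sliding `window`, plus a higher-severity 'approve_after_burst' alert when an
    approval lands while the burst is still inside the window."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        per_user[ev["user"]].append((parse_time(ev["time"]), ev["mfa_result"]))
    alerts = []
    for user, history in per_user.items():
        denials = deque()        # timestamps of denials still inside the window
        burst_seen = False
        for stamp, result in history:
            while denials and stamp - denials[0] > window:
                denials.popleft()  # expire denials older than the window
            if result == "denied":
                denials.append(stamp)
                if len(denials) >= threshold and not burst_seen:
                    burst_seen = True
                    alerts.append({"user": user, "kind": "burst",
                                   "count": len(denials), "severity": "high"})
            elif result == "approved" and len(denials) >= threshold:
                alerts.append({"user": user, "kind": "approve_after_burst",
                               "count": len(denials), "severity": "critical"})
    return alerts
```

Note that with the threshold at 5 the finance lead's three-prompt case never fires, which is why the alert is a backstop and number matching is the control. Lowering the threshold catches it at the cost of more noise from users who mis-tap once or twice.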

Want help securing your business?

Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
