What is MFA Bombing and How You Can Fight It

Updated 10/25/2022



Multifactor authentication (MFA) is a layered approach to security where an application requires a user to provide two or more credentials to log in to a system. Often, the application will send a one-time password or a prompt to the user's device to verify their identity.

The idea is that even if a cybercriminal has a user's password, they may not have another form of verification to complete the login process. Unfortunately, hackers have discovered ways to take advantage of these methods with MFA Prompt Bombing.

What Is It?

MFA Prompt Bombing is a form of social engineering that takes advantage of "MFA fatigue," a situation where users get annoyed by an onslaught of prompts to verify their identity when using multifactor authentication. Often users will unknowingly accept an authentication attempt that's part of a cyber-attack.

The more recent and stronger forms of MFA are based on a framework called FIDO2. These types of MFA involve fingerprints, device cameras, and dedicated security keys to allow access and provide a more effortless user experience. Unfortunately, many organizations have yet to adopt these newer forms of MFA.

With the older methods of MFA, such as one-time passwords sent via SMS, criminals will flood a user with requests to annoy the victim, hoping they will complete the second-factor authentication just to get the prompts to stop. It's even easier if the platform already supports push notifications. Then, one tap is all it takes to let the hackers take over. Often, the criminal can access the MFA enrollment portal and enroll their own device.

A hacking group called Lapsus$ has recently used this technique and successfully breached organizations such as Microsoft, Okta, and Nvidia. A member claimed they were able to log in to an employee's VPN on their laptop without anyone's knowledge.

Other methods of MFA Prompt Bombing include sending one or two prompts daily to the user. This attracts less attention, but it can still grind a victim down over time. Some criminals have also been known to call their targets, posing as members of their company and asking them to send an MFA request as part of a company process. It leaves organizations questioning their previously foolproof means of protection.

How You Can Fight It

One of the best ways to fight MFA Prompt Bombing is by implementing Risk-Based Authentication (RBA). RBA scores each login attempt against a set of criteria during the authentication process, and that score determines whether access is granted or denied.

For example, suppose someone is accessing their bank account from a device they usually don't use. In that case, they may be asked to answer more security questions or verify their identity in another way. Access will be denied if the system determines the risk is too high.

RBA can include criteria such as the following:

  • location
  • device familiarity
  • time of day
  • IP address
  • browser information
  • user ID
  • password
  • login trends
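
The scoring described above can be sketched in a few lines of Python. This is an added example, not code from any RBA product: the weights, thresholds, field names and sample values are assumptions chosen for illustration, and the "prompt burst" signal (recent push prompts that were denied or ignored) is one way to treat login trends as a criterion.

```python
from dataclasses import dataclass
from datetime import datetime

# Weights and thresholds are illustrative assumptions, not taken from any product.
WEIGHTS = {"new_device": 30, "new_country": 25, "new_ip": 10,
           "new_browser": 10, "odd_hour": 10, "prompt_burst": 40}
STEP_UP_AT, DENY_AT = 30, 70
PROMPT_BURST = 3  # unapproved push prompts in the lookback window that count as a burst

@dataclass
class Profile:  # what this user's past successful logins looked like
    devices: set
    countries: set
    ips: set
    browsers: set
    usual_hours: range

@dataclass
class Attempt:
    device_id: str
    country: str
    ip: str
    browser: str
    when: datetime
    unapproved_prompts: int  # login trend: recent pushes denied or left unanswered

def risk_signals(p: Profile, a: Attempt) -> list:
    checks = {
        "new_device": a.device_id not in p.devices,
        "new_country": a.country not in p.countries,
        "new_ip": a.ip not in p.ips,
        "new_browser": a.browser not in p.browsers,
        "odd_hour": a.when.hour not in p.usual_hours,
        "prompt_burst": a.unapproved_prompts >= PROMPT_BURST,
    }
    return [name for name, hit in checks.items() if hit]

def decide(p: Profile, a: Attempt) -> tuple:
    signals = risk_signals(p, a)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", score, signals      # no prompt is sent, so there is nothing to tap
    if score >= STEP_UP_AT:
        return "step_up", score, signals   # ask for further verification
    return "allow", score, signals         # continue with the normal MFA flow

# Constructed sample data (documentation IP ranges, made-up device ids and country code).
ALICE = Profile({"laptop-01"}, {"US"}, {"198.51.100.7"}, {"Firefox"}, range(7, 20))
USUAL = Attempt("laptop-01", "US", "198.51.100.7", "Firefox", datetime(2022, 10, 25, 10), 0)
BOMBING = Attempt("unknown", "ZZ", "203.0.113.9", "Firefox", datetime(2022, 10, 25, 3), 5)
```

Calling decide(ALICE, USUAL) lets the login proceed, while decide(ALICE, BOMBING) is denied before any push prompt reaches the user's phone.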

It's no secret that passwords alone are insufficient for keeping data secure. MFA of any kind is considered a best cybersecurity practice, but businesses need to understand that the older versions are more vulnerable than before. Upgrading to FIDO2-compliant MFA and risk-based authentication can significantly improve data security.
