Security Guidance
Products and Services

What is MFA Bombing and how do we protect against it?

May 12, 2023

What is MFA Bombing?

By now most of us are familiar with multi-factor authentication (MFA) - aka 2-factor authentication (2FA) or 2-step verification (2SV). In summary, MFA is a security measure that requires users to provide multiple forms of authentication in order to access a particular system or device. This can include something you know - entering a password, something you have - providing a code from a security token or mobile app, or something you are - using biometric authentication (fingerprint or facial recognition).

MFA has become a mandatory security control for many organisations and systems, which has made account compromise more difficult for the bad guys. Inevitably this means the bad guys are adjusting their focus to try and exploit weaknesses in these security technologies.

One such weakness is MFA bombing (aka MFA Fatigue) - a tactic used by attackers since approx. 2020 to overwhelm individuals who use multi-factor authentication as a security measure.

MFA bombing is a type of attack where an attacker sends a large number of authentication requests to a user's MFA-protected device. The goal of the attack is to overwhelm the user with so many requests that they become confused or frustrated, and either provide the attacker with the necessary authentication information or simply give up and disable MFA on their device.

One common way attackers carry out MFA bombing is by using automated tools to send a large number of authentication requests to the user's device. These tools are designed to simulate the actions of a legitimate user, making it difficult for the user to distinguish the real requests from the fake ones.

Another tactic attackers may use is to send fake authentication requests from a variety of different sources. This can include using multiple accounts on different social media platforms, or using different phone numbers to send text messages containing authentication codes. By using a variety of different sources, the attacker can make it more difficult for the user to identify the fake requests and ignore them.

How do we protect against it?

Nothing focuses the mind more in this industry than a live security incident impacting business systems and data. And nothing makes big tech security companies implement new resolutions faster than when these incidents happen to them.

Last year we saw a peak in MFA bombing attacks targeting users and companies that included big tech. Successful MFA Bombing attacks resulted in full account compromise of VIPs and privileged administrators, impacting systems at Uber, Okta, Microsoft and Cisco to name a few.

Hacking groups such as Lapsu$ and Russian nation-state actors Cozy Bear, have been known to use this technique to compromise the MFA protected accounts of users and admins across the globe.

Looking through the numerous posts on this subject, you will find the typical responses to most account security problems - for example:

• Ensure strong complex passwords

• Always use unique passwords - Dont reuse passwords on multiple accounts

• Educate your users in these MFA bypass techniques

• Dont approve MFA push prompts that you haven't initiated

All these are valid recommendations, but dont help if your credentials have been breached or the bad guys are bombing your mobile with push requests at 3am and you just want it to stop.

Well you'll be pleased to know there are other more preventative options available from certain MFA providers.

Cisco's Duo Security - Verified Duo Push

Duo refer to this attack method as Push Phishing and has various new & improved tools in the products arsenal  to help protect against these attacks.

Verified Duo Push enhances the standard push notification by adding a verification code to the process. With Verified Push enabled, an authenticating user will be presented with an onscreen code that needs to be input to successfully login. The push notification will be sent to the users device, where they will input the onscreen code to complete authentication or alternatively report this is a fraudulent request if the user is not trying to login at that time.

This process prevents the user from accidentally approving login requests, if they are not trying authenticate.

Verified Push can be configured to use between 3 and 6 digits for the verification code.

Verified Duo Push in Action

To enable Verified Duo Push, login into the Duo console and navigate to:

Authenticators Policy Settings > Authentication Methods.

Check the box to enable Verified Duo Push and select the number of digits (defaults to 3) that you want your users to enter. Dont forget to save your policy on exit.

Duo Authentication Methods

Risk-based factor Selection

In addition Duo Advantage or Premier users have the option to use Risk-based factor Selection. This authentication method offers greater security than a standard push, without the constant impact to normal user experience.

This feature automatically detects anomalies and known attack patterns, through analysis of authentication requests, then adapts to enforce a greater level of multifactor security. WebAuthn FIDO2 security keys,  hardware tokens, passcodes and of course Verified Push can all be used as valid higher methods of authentication when risky behaviour is detected.

As an example, you may choose to enable Verified Duo Push by default on all VIP or Admin users in your organisation, but standard users could be enabled for Risk-based Factor Selection.

Duo Risk-based Factor Selection policy

More information about Duo Authentication Methods and Verified Push can be found here.

Microsoft MFA Number Matching

If you're a Microsoft MFA customer then dont worry there is also an option for you.

In a similar way to Cisco Duo, Microsoft has also added a verification code to their authentication push requests, known as Number Matching.

Microsoft Number Matching is available in the following scenarios:

• Multifactor authentication

• Self-service password reset

• Combined SSPR and MFA registration during Authenticator app set up

• AD FS adapter

• NPS extension

MS MFA Number Matching in Action

You can enable the Number matching experience by signing into the Azure AD portal & navigating to:

Security > Authentication Methods > Microsoft Authenticator Settings

The good news is that Microsoft will begin rolling out tenant wide changes for all users of Microsoft Authenticator Push Notifications from the 8th May 2023, to ensure Number Matching is enabled by default. Unfortunately though there will not be an option to disable the experience once the rollout has completed.

MS MFA Number Matching Configuration


MFA Bombing or MFA Fatigue is an increasing threat to organisations, with more hacking groups moving to this option in order to bypass MFA security controls and compromise accounts.

Several big tech companies have been victims of these attacks, some of which have resulted in fairly significant impact to the business, brand, intellectual property and reputation.

The protection options mentioned above from Cisco and Microsoft, highlight only a couple of vendors who are moving in this direction. For instance Okta, and more are bound to follow their lead.

Don't become the next MFA Bombing victim - review, test and utilise these new features to help protect your users from this threat.

If you would like to know more about these MFA solutions for your organisation, please get in touch with us here at Ironshare and we will be happy to assist.


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi