Yet another challenge is undermining the effectiveness of MFA: MFA fatigue attacks. In an MFA fatigue attack (sometimes also referred to as an “MFA bombing” or “push bombing” attack), a hacker who already possesses a valid username and password bombards the rightful user with repeated MFA login approval requests until the user, out of confusion or frustration, finally approves one.
This low-tech social engineering tactic has proven alarmingly effective. In fact, one recent Microsoft study observed over 382,000 MFA fatigue attacks over a 12-month period. Even more worrisome, the same study found that about 1% of users will blindly accept the very first unexpected MFA prompt they receive. This number undoubtedly increases with each sequential prompt, and each of those approvals can mean an attacker silently slips past your defenses.
High-profile breaches at organizations like Uber and Cisco have been traced back to MFA fatigue tactics. In Uber’s case, an attacker obtained a contractor’s password from the dark web and used it to trigger endless MFA prompts; eventually the exhausted user accepted one, enabling the famous 2022 breach. By protecting the password layer, organizations can prevent the MFA fatigue flood of notifications altogether.
MFA fatigue attacks start with compromised credentials. Attackers can easily find vast lists of compromised passwords or full username + password pairs on the dark web due to the prevalence of data breaches. A recent Enzoic report found that 1 in 10 employees at Fortune 500 companies have had their employee login info compromised from 2022 to 2024, with compromises increasing year-over-year. Unfortunately, stolen and weak passwords remain rampant, and they stand as the most common cause of a data breach. That means an attacker’s easiest path into your network is often walking right through the front door with a legitimate password. Once they have it, they don’t need to hack your MFA technology; they just exploit the user. Every MFA prompt an attacker sends is made possible by that initial password compromise. To truly stop MFA fatigue attacks before they even start, you must prevent those credential compromises at the source.
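The pattern described above (a burst of push prompts to one account, most of them denied or left to time out, followed by a single approval) is visible in MFA provider logs. The detector below is an added example written for this post; it is not code from the original article or from Enzoic, and the log format ("timestamp user result source_ip") and the sample lines are constructed for illustration. It flags any user who receives at least a threshold number of prompts inside a sliding window and separately marks whether an approval arrived after the flood, which is the event a responder should review first.

```python
"""Detect MFA push-bombing in push-notification logs (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: one push prompt per line, "timestamp user result source_ip".
# alice receives six prompts in three minutes and approves the last one; bob sees
# two ordinary prompts hours apart. None of this is real telemetry.
SAMPLE_LOG = """\
2024-05-02T10:15:01Z alice timeout 203.0.113.7
2024-05-02T10:15:40Z alice denied 203.0.113.7
2024-05-02T10:16:12Z alice timeout 203.0.113.7
2024-05-02T10:16:50Z alice denied 203.0.113.7
2024-05-02T10:17:30Z alice timeout 203.0.113.7
2024-05-02T10:18:05Z alice approved 203.0.113.7
2024-05-02T09:00:00Z bob approved 198.51.100.4
2024-05-02T13:30:00Z bob approved 198.51.100.4
"""


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str   # "approved", "denied" or "timeout"
    src_ip: str   # address of the login attempt that triggered the prompt


def parse_line(line: str) -> PushEvent:
    """Parse one line of the constructed 'timestamp user result source_ip' format."""
    ts, user, result, src_ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return PushEvent(when, user, result, src_ip)


def detect_push_bombing(lines, window_minutes=10, threshold=5):
    """Return {user: alert} for users who got >= threshold prompts within the window.

    Once a user is flagged, later prompts keep updating the alert so that an
    approval arriving after the flood is recorded as 'approved_after_flood'.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent = defaultdict(deque)   # per-user prompts inside the sliding window
    alerts = {}
    for ev in events:
        q = recent[ev.user]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # drop prompts older than the window
            q.popleft()
        alert = alerts.get(ev.user)
        if alert is None and len(q) >= threshold:
            alert = {
                "user": ev.user,
                "first_seen": q[0].ts.isoformat(),
                "prompts": len(q),
                "non_approvals": sum(1 for e in q if e.result != "approved"),
                "source_ips": sorted({e.src_ip for e in q}),
                "approved_after_flood": False,
            }
            alerts[ev.user] = alert
        elif alert is not None:
            alert["prompts"] += 1
            if ev.result == "approved":
                alert["approved_after_flood"] = True
            else:
                alert["non_approvals"] += 1
            alert["source_ips"] = sorted(set(alert["source_ips"]) | {ev.src_ip})
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(SAMPLE_LOG.splitlines()).items():
        print(user, alert)
```

The threshold and window are deliberately parameters: a handful of prompts in ten minutes is normal for someone retrying a flaky connection, so tune them against your own baseline, and treat `approved_after_flood` as the signal to invalidate the session and reset the password, since the flood itself proves the password is already in the attacker's hands.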
Push notifications are no longer confined to your phone alone:
Smartwatches: If you have a paired smartwatch, you may see approval requests on your wrist, potentially at inconvenient times (like while driving or in a meeting).
Desktops: Some people relay mobile notifications to their desktop, leading to on-screen pop-ups.
Tablets: Tablets used for work or personal use can also receive these notifications.
On the bright side, multiple devices mean you won’t miss a legitimate login prompt. On the downside, it multiplies the annoyance factor if attackers orchestrate an MFA fatigue attack. More devices mean more potential notifications and a greater temptation to clear them out of frustration.
Passwords remain the most scalable, user-friendly, and common authentication factor. Regardless of how sophisticated the other factors in your authentication are, the password layer remains your first and most crucial line of defense. Why?
Block Attackers at the Door
If a threat actor can’t compromise your password, they’ll never get the chance to begin the cascade of MFA prompts.
Prevent Initial Compromise
A stolen or weak password is often the first domino to fall in a cyberattack. Once attackers have it, they can test it against your systems.
User Convenience
Some employees might see repeated MFA notifications as a nuisance. Minimizing password-related attacks helps ensure that the MFA prompt is only triggered for legitimate requests.
Enzoic directly addresses the root cause of MFA fatigue attacks and other threats by making sure compromised passwords never get a foothold in your environment. It protects the password layer, continuously monitoring and blocking unsafe credentials before they can be used by attackers. By integrating Enzoic into your authentication systems (such as Active Directory or other login flows), you create a dynamic defense that keeps stolen or weak passwords out and ensures only strong, uncompromised passwords are in use.
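To make the "block unsafe credentials before they can be used" idea concrete, here is an added example of the kind of check a password filter runs at set or reset time. It is not Enzoic's code or API; the breach corpus, the minimum length and the range-lookup helper are constructed for illustration. The lookup follows the common k-anonymity pattern for breach checks: only the first five hex characters of the password's SHA-1 are used to select candidates and the full hash is compared locally, so the plaintext (and the full hash) never leave the checking host. SHA-1 here is a lookup index for breach data, not a way to store passwords.

```python
"""Screen a candidate password against breach data (added example, constructed corpus)."""
import hashlib

# Constructed breach corpus. A real deployment loads this from a breach-intelligence
# feed; these entries are made up for the example.
BREACHED_PLAINTEXTS = {"password1", "Summer2024!", "letmein"}
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in BREACHED_PLAINTEXTS}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, used only as a breach-list index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def lookup_prefix(prefix: str) -> set:
    """Simulated range query: suffixes of every breached hash that shares the 5-char prefix.

    Stands in for the network call a real integration makes; the caller only ever
    sends the prefix, so the service cannot learn which password was checked.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """True if the password's hash appears in the breach corpus."""
    digest = sha1_hex(password)
    return digest[5:] in lookup_prefix(digest[:5])


def screen_password(password: str, min_length: int = 8):
    """Return (accepted, reason) the way a password filter would at set/reset time."""
    if len(password) < min_length:
        return False, "too short"
    if is_compromised(password):
        return False, "found in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Summer2024!", "short", "correct-horse-battery-staple"):
        print(candidate, screen_password(candidate))
```

The same `is_compromised` check can be run periodically against stored credential hashes as new breach data arrives, which is what turns a one-time filter into continuous monitoring: a password that was clean at reset time becomes a forced reset the day it shows up in a dump.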
Here’s how Enzoic strengthens your authentication security against MFA fatigue and other credential-based threats:
Every MFA fatigue attack is really a story about a password that shouldn’t have been in use. It’s time to close that chapter for good. By adopting Enzoic, organizations can neutralize credential-based threats before they escalate. Don’t wait for a flood of malicious MFA prompts or the next breach report to expose weak links in your defense. Take a proactive stance now: strengthen your front line with Enzoic and make compromised passwords a problem of the past. Your first factor, the password, is now your strongest defense.
Ready to stop attackers from the start? Strengthen your password layer with Enzoic. Because when passwords are secure and uncompromised, you’re protected from the fatigue of push-bombing threats and a whole lot more.
AUTHOR
Josh Parsons
Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.