
This post was first published in 2022 and has been updated. 

With recent reports of successful MFA prompt bombing, also known as push bombing or MFA fatigue attacks, RSA has received more requests for practical guidance on how to reduce risk. We’ve previously outlined how attackers use repeated approval prompts to pressure users into accepting a fraudulent sign-in attempt. This post builds on that foundation and focuses on specific RSA ID Plus configurations you can use to detect suspicious patterns, limit push approvals when risk is elevated, and strengthen your defenses against MFA prompt bombing.

What is MFA prompt bombing?

MFA prompt bombing, also called push bombing or an MFA fatigue attack, is when an attacker repeatedly triggers MFA approval requests to a user’s device. The goal is to overwhelm the user until they approve one request, often after the attacker has already obtained the user’s password.

This works because push-based multi-factor authentication relies on a user to deny suspicious prompts in the moment. Factors that require deliberate user input, such as entering a one-time passcode or using a phishing-resistant authenticator, are generally less susceptible because an attacker cannot simply spam approvals.

How does MFA prompt bombing work?

An MFA prompt bombing attack (whether you call it push bombing or MFA fatigue) typically begins after an attacker has obtained a valid username and password. The attacker attempts to log in and repeatedly triggers push-based MFA requests to the user’s registered device. Each request asks the user to approve or deny the sign-in attempt.

Because push authentication is designed for convenience, users can approve access with a single tap. If enough prompts are sent in succession, a distracted or fatigued user may eventually approve one request, allowing the attacker to complete the authentication process.

Push-based authentication works well in legitimate scenarios because it requires no separate hardware token and reduces friction compared to manually entered one-time passcodes. However, this approve-or-deny model relies on the user to recognize and reject suspicious attempts, which is exactly the decision prompt bombing is designed to wear down.

Types of MFA prompt bombing attacks

While most MFA bombing attacks target push notifications, there are variations that security teams should understand:

  • Push Bombing (Classic MFA Fatigue): Repeated push notifications are sent until the user approves a request.
  • Hybrid Social Engineering Attacks: After initiating push bombing, the attacker contacts the user, impersonating IT support, and instructs them to approve the request.
  • OTP Flooding Attempts: In some cases, attackers repeatedly trigger one-time passcodes through SMS or other delivery channels, attempting to confuse the user or combine the tactic with phishing.

Understanding these variations helps organizations design layered defenses rather than relying on user vigilance alone.

Why prompt bombing works

Prompt bombing attacks succeed because they target human behavior as much as technology. When users receive repeated authentication prompts, phone calls, or messages, attackers aim to create confusion, urgency, and routine approval behavior. That is why defending against MFA fatigue starts with giving users clear expectations, simple reporting paths, and reliable ways to verify suspicious requests.

Users need ongoing training to maintain awareness

Users should know that any authentication request they did not initiate should be treated as suspicious. Annual security awareness training can support compliance, but it rarely prepares users for fast-moving social engineering attempts. Short, repeated guidance is more effective because it reinforces what suspicious behavior looks like in real situations.

Users need a clear way to respond

When users receive an unexpected push notification or follow-up message, they should know exactly what to do next. That means providing a simple, well-known way to report the issue and contact the service desk or security team. The easier this process is, the more likely users are to act quickly.

Verification reduces social engineering risk

Attackers often combine push bombing with calls, texts, emails, or chat messages to pressure users into approving a request. Organizations should define how support teams legitimately contact users and give employees a trusted method to verify communications before taking action.

Questions to ask

Security teams should consider the following questions to defend against MFA prompt bombing attacks:

  • Do users know how to respond to an unexpected push request?
  • Can users quickly report a suspicious authentication event?
  • Do employees know how to contact the service desk or security team?
  • Do users understand how legitimate support outreach should happen?
  • Is there a clear process for verifying whether a message, call, or prompt is real?

How to detect MFA prompt bombing attacks

In prompt bombing scenarios, attackers generate repeated push approval requests in a short period of time. Users often deny or ignore early prompts, but a single accidental approval can complete the sign-in. That makes pattern-based detection essential: the signal is the burst of denials and timeouts, not any one event.

Look for indicators such as:

  • Repeated push denials or timeouts for the same user within a short window
  • Multiple MFA prompts in rapid succession, especially outside normal login behavior
  • Login attempts from unfamiliar devices, IP addresses, or locations tied to the same account
  • A spike in push activity across multiple users, which can indicate a broader campaign

A single denied push does not indicate an attack. Multiple denials or timeouts clustered together, especially when paired with other risk signals, should trigger investigation.

Detecting prompt bombing in RSA ID Plus

Each authentication event in RSA ID Plus is logged with detailed event data that can be used to identify prompt bombing patterns. Security teams should monitor for repeated or abnormal occurrences of events such as:

  • 702 – Approve authentication failed: User response timed out
  • 703 – Approve authentication failed: User denied approval
  • 802 – Device biometrics authentication failed: Timed out
  • 803 – Device biometrics authentication failed

When these events appear in succession for the same user, they can indicate an active MFA bombing attempt. Pairing these log patterns with device, location, and confidence signals improves accuracy and helps teams respond before a successful approval occurs.
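The following is an added example of the pattern-based detection described above; it is not RSA code and does not read RSA ID Plus logs directly. It assumes a constructed, whitespace-separated log format (timestamp, user, event code, source IP) and a threshold of three suspicious events within five minutes; both are tuning assumptions. The numeric codes are the RSA ID Plus events listed above; the "APPROVED" code is a placeholder invented for the example so it can show the case that matters most for incident response, an approval that lands right after a burst of denials.

```python
"""Sliding-window detection of MFA prompt bombing over authentication events.

Added example, not RSA ID Plus code. Each log line is a constructed record:
    <ISO-8601 timestamp> <user> <event code> <source IP>
Codes 702/703 (push timed out / denied) and 802/803 (biometric timed out /
failed) are the RSA ID Plus events listed on this page. "APPROVED" is a
hypothetical marker for a successful approval, not an RSA event ID.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Events meaning the user did not complete, or explicitly rejected, a push.
SUSPICIOUS_CODES = {"702", "703", "802", "803"}
APPROVED_CODE = "APPROVED"  # hypothetical placeholder for a successful approval

# Constructed sample log (chronological): alice gets four prompts in two
# minutes and then approves one; bob denies a single prompt; carol has three
# timeouts spread over six hours, which should not trip a five-minute window.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 alice 703 203.0.113.10",
    "2024-05-01T09:00:10 bob 703 198.51.100.7",
    "2024-05-01T09:00:40 alice 702 203.0.113.10",
    "2024-05-01T09:01:15 alice 703 203.0.113.10",
    "2024-05-01T09:01:50 alice 703 203.0.113.10",
    "2024-05-01T09:02:30 alice APPROVED 203.0.113.10",
    "2024-05-01T12:00:00 carol 702 198.51.100.8",
    "2024-05-01T15:00:00 carol 702 198.51.100.8",
    "2024-05-01T18:00:00 carol 703 198.51.100.8",
]


def parse_line(line):
    """Split one constructed log record into (timestamp, user, code, ip)."""
    ts, user, code, src_ip = line.split()
    return datetime.fromisoformat(ts), user, code, src_ip


def detect_prompt_bombing(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {user: alert} for users with >= threshold suspicious events inside
    a sliding time window. Lines must be in chronological order. An alert holds
    the burst size, its time span, the source IPs seen, and whether an approval
    followed the burst within the same window (accidental approval = likely
    account compromise, not just an annoyed user)."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, ip) still inside the window
    alerts = {}
    for line in lines:
        ts, user, code, src_ip = parse_line(line)
        if code in SUSPICIOUS_CODES:
            q = recent[user]
            q.append((ts, src_ip))
            while ts - q[0][0] > window:  # age out events older than the window
                q.popleft()
            if len(q) >= threshold:
                prev = alerts.get(user)
                alerts[user] = {
                    "count": len(q),
                    "first": q[0][0],
                    "last": ts,
                    "ips": {ip for _, ip in q},
                    "approved_after": prev["approved_after"] if prev else False,
                }
        elif code == APPROVED_CODE and user in alerts:
            # An approval shortly after a burst is the failure mode we care about.
            if ts - alerts[user]["last"] <= window:
                alerts[user]["approved_after"] = True
    return alerts


def triage(alerts):
    """Map each alert to the response the page recommends: an approval after a
    burst is treated as compromise; a burst without approval is an active attack."""
    return {
        user: "likely compromise" if a["approved_after"] else "active bombing"
        for user, a in alerts.items()
    }


def campaign_suspected(alerts, min_users=2):
    """Bursts against several users in the same log slice suggest a broader campaign."""
    return len(alerts) >= min_users


if __name__ == "__main__":
    found = detect_prompt_bombing(SAMPLE_LOG)
    for user, action in triage(found).items():
        a = found[user]
        print(f"{user}: {a['count']} suspicious prompts "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} from {sorted(a['ips'])} -> {action}")
    print("campaign suspected:", campaign_suspected(found))
```

Run against the sample log, only alice is flagged: four denials and timeouts in under two minutes followed by an approval, which triage reports as a likely compromise (revoke sessions, check for newly enrolled authenticators, reset credentials). Bob's single denial and carol's three widely spaced timeouts produce nothing, matching the caveat above that isolated denials are not an attack. In a real deployment, the window and threshold should be tuned against your own baseline of push timeouts, and the alert should be enriched with the device, location and confidence signals the text mentions before it drives automatic action such as adding the user to a high-risk list.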

How to defend against MFA prompt bombing attacks

Effective defense requires more than telling users not to approve unknown prompts. Organizations should combine user education, stronger factor options, and monitoring to reduce opportunities for abuse.

Push-based MFA is vulnerable because it depends on a user making the right decision in the moment. Factors that require deliberate user action, such as one-time passcodes or phishing-resistant authenticators, are generally less susceptible to repeated approval requests.

Key defensive measures include:

  • Educate users to deny unexpected prompts, report them immediately, and reset credentials when appropriate.
  • Prefer stronger factors for higher-risk applications, users, and access scenarios.
  • Monitor for repeated denied or timed-out prompts and alert on suspicious patterns.
  • Secure MFA enrollment and recovery so attackers cannot register a new device after access is gained.
  • Notify users when authenticators are added, removed, or changed.
  • Investigate signs of compromised credentials and review whether MFA policies allow too much access with limited verification.

When these controls work together, organizations limit their exposure to prompt bombing attacks.

How RSA ID Plus helps defend against MFA prompt bombing

Within RSA ID Plus, authentication methods are mapped to assurance levels, and administrators can create policies that determine which assurance level is required based on context. When risk is elevated, policies can require stronger authentication methods instead of allowing push approval.

RSA ID Plus also supports a more dynamic approach through Identity Confidence. The confidence engine evaluates authentication attempts in real time and returns a high or low confidence score. This signal can be used in policy decisions to allow push approvals when confidence is high and require step-up authentication when confidence is low.

For users flagged as higher risk, the high-risk user list enables tighter controls. Security tools can mark a user as high risk based on alerts or suspicious activity, and policies can then deny access or require higher-assurance factors to reduce exposure to MFA fatigue tactics.

MFA Prompt Bombing FAQs

What should I do if I have been a victim of prompt bombing?

If you approved an MFA request you did not initiate, treat it as a potential account compromise. Report the incident to your security team immediately, then change your password and review recent sign-in activity for suspicious sessions or devices. Your security team should also revoke active sessions, confirm no new authenticators were enrolled, and require step-up authentication before restoring access.

What is MFA prompt bombing?

MFA prompt bombing, also called push bombing or an MFA fatigue attack, is when an attacker repeatedly triggers MFA approval requests to a user’s device. The goal is to overwhelm the user until they approve one request, often after the attacker has obtained the user’s password.

What should you do if you get an MFA prompt you didn’t request?

Do not approve it. Deny the request if you have that option, and report it to your security team as soon as possible. If you receive repeated prompts, stop and verify whether anyone is attempting to sign in to your account. As a precaution, reset your password and follow your organization’s guidance for validating device and account security.

How can security teams detect MFA prompt bombing attacks?

Detection is usually pattern-based. Look for repeated push denials or timeouts for the same user within a short period, bursts of MFA prompts outside normal login behavior, or sign-in attempts from unfamiliar devices or locations. These patterns are stronger signals when correlated with other risk indicators.

How do you stop MFA prompt bombing attacks?

Reduce reliance on user approvals alone. Use policies that limit when push authentication is allowed, require step-up authentication when risk is elevated, and monitor for repeated denied or timed-out requests. Securing MFA enrollment and recovery is also important so attackers cannot register a new device after gaining access.

Is push-based MFA still secure?

Push MFA can be effective, but it is more susceptible to fatigue-based tactics because it depends on a user making the right decision quickly. Organizations can reduce risk by combining push with risk-based controls, stronger authentication options for higher-risk access, and alerting on abnormal prompt patterns.

Are one-time passcodes safer than push notifications?

One-time passcodes are generally less susceptible to prompt bombing because the attacker cannot spam approvals. However, OTP methods can still be targeted through phishing or interception depending on the delivery method. Many organizations use OTP and phishing-resistant authenticators as step-up options when risk is elevated.

Can attackers enroll a new MFA device after a successful prompt bombing?

Yes, that is a common next step. After gaining access, attackers may attempt to register a new authenticator to maintain persistence. Defenses include securing enrollment workflows, requiring higher assurance for device changes, and notifying users when authenticators are added or removed.
