Real 2FA Prompt vs MFA Fatigue Attack
How to tell a legitimate two-factor authentication request from an MFA fatigue attack designed to trick you into approving fraudulent access.
Last reviewed: 1 June 2026
Multi-factor authentication (MFA) is one of the most effective account protections available, which is why attackers have developed ways to bypass it without breaking the technology. An MFA fatigue attack works by bombarding you with repeated authentication push notifications — sometimes dozens in a row — hoping you will tap 'Approve' to make them stop, or that exhaustion will lower your guard. You might also receive a call from someone claiming to be from your security team, asking you to approve 'just one' verification. Real authentication systems never require you to approve requests you did not initiate. Approving an unexpected push notification hands an attacker the keys to your account.
Side-by-side comparison
| Aspect | Real 2FA prompt | MFA fatigue attack |
|---|---|---|
| Trigger | Prompt arrives when you are actively logging in to a service | Prompts arrive when you are not trying to log in to anything |
| Volume | One prompt per login attempt you initiated | Repeated prompts in rapid succession at any hour |
| Follow-up contact | No follow-up call asking you to approve a request | Call from 'IT' or 'security' asking you to approve one notification |
| Approval action | Approving completes your own login | Approving grants access to an attacker's session |
| Number match | App may display a number to match before approving | Attacker cannot provide the correct match number — pressure to approve quickly |
| Context | Device, location, and time match your normal usage | Request from an unfamiliar device, location, or time |
Common red flags
- Multiple authentication prompts arriving when you are not trying to log in
- A call from 'IT security' asking you to approve an incoming notification
- Pressure to approve quickly before the request times out
- Prompts arriving at unusual hours or from unfamiliar locations shown in the app
- Requests that show no number-match code you can check against the login screen
- Any scenario where someone else knows you are receiving an MFA prompt
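The burst pattern described in the red flags above is also what a security team can look for in MFA provider logs. The following Python is an added example, not from this page: it scans a constructed push-notification log in a hypothetical format (timestamp, user, event, source IP) for a user who receives several pushes inside a short window, and escalates the alert if a push was approved during that burst.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample MFA push log (not real data). Columns: timestamp user event source_ip
SAMPLE_LOG = """\
2026-06-01T02:14:03Z alice push_sent 203.0.113.7
2026-06-01T02:14:20Z alice push_denied 203.0.113.7
2026-06-01T02:14:41Z alice push_sent 203.0.113.7
2026-06-01T02:15:02Z alice push_denied 203.0.113.7
2026-06-01T02:15:10Z alice push_sent 203.0.113.7
2026-06-01T02:15:39Z alice push_sent 203.0.113.7
2026-06-01T02:16:05Z alice push_approved 203.0.113.7
2026-06-01T09:02:11Z bob push_sent 198.51.100.20
2026-06-01T09:02:18Z bob push_approved 198.51.100.20
2026-06-01T13:30:00Z bob push_sent 198.51.100.20
2026-06-01T13:30:09Z bob push_approved 198.51.100.20
"""

def parse_log(text):
    """Parse the hypothetical log format into sorted (time, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, event, ip))
    return sorted(events)

def detect_mfa_fatigue(text, window=timedelta(minutes=10), threshold=3):
    """Flag users who received >= threshold pushes within `window`.
    Severity is 'critical' if a push was approved inside the burst window
    (a possible successful fatigue attack), otherwise 'high'."""
    alerts, recent = {}, {}  # recent: user -> deque of push_sent times in window
    for ts, user, event, ip in parse_log(text):
        if event == "push_sent":
            q = recent.setdefault(user, deque())
            q.append(ts)
            while ts - q[0] > window:  # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"user": user, "pushes": 0, "first": q[0],
                                             "approved_after": False, "source_ips": set()})
                a["pushes"] = max(a["pushes"], len(q))
                a["source_ips"].add(ip)
        elif event == "push_approved" and user in alerts:
            if ts - alerts[user]["first"] <= window:
                alerts[user]["approved_after"] = True
    for a in alerts.values():
        a["severity"] = "critical" if a["approved_after"] else "high"
    return list(alerts.values())
```

In the sample, alice gets four pushes in under two minutes and then approves one, so she is reported as critical; bob's two well-spaced, self-initiated logins produce no alert.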
Verification steps
- Deny all unexpected authentication prompts — you can always log in again yourself when you are ready
- Use authenticator apps with number-matching enabled, which defeats most automated fatigue attacks
- Change your account password immediately if you receive unexpected MFA prompts, since an attacker can only trigger them if they already have your password
- Contact your IT or security team via a separately verified channel, not via a number in the unexpected notification
- Review account login history to confirm no unauthorised access has occurred
What not to do
- Don't approve an MFA prompt you didn't trigger, even to make the notifications stop
- Don't approve a prompt because someone on the phone tells you it is safe to do so
- Don't assume that receiving MFA prompts means your account is still secure — it may mean your password is already known
- Don't delay changing your password if unexpected MFA prompts appear
A safe response
Deny the prompt and immediately change the password for the account being targeted. Contact your IT team or account provider through a separately verified contact method. If you already approved an unexpected prompt, assume the account is compromised and act immediately to secure it.
Frequently asked questions
If I just deny all the prompts, is my account safe?
Denying protects you from the MFA fatigue attack itself, but the fact that an attacker is sending prompts means they already have your password. Change it promptly to cut off further attempts.
What is number-matching MFA and does it help?
Number-matching requires you to enter a code displayed on the login screen into your authentication app before approving. Attackers cannot provide this number remotely, making automated fatigue attacks ineffective against it.
Can this happen to passkey-protected accounts?
Passkeys are not susceptible to MFA fatigue because they replace push notifications with a local device authentication tied to the specific website. If you have the option, switching to passkeys eliminates this attack category entirely.