MFA Fatigue (Push Bombing)
An attack where criminals flood a victim's phone with push-notification approval requests, hoping frustration causes the victim to accidentally approve one.
Also known as: push bombing, MFA fatigue attack, approval fatigue
Last reviewed: 10 June 2026
When an attacker has already obtained a victim's username and password, they can trigger the push-based MFA notification as many times as they want. By sending dozens of approval requests in quick succession, the attacker hopes the victim will approve one by accident, become annoyed and approve just to stop the notifications, or be deceived by a follow-up social-engineering call claiming to be IT support.
High-profile corporate breaches have been attributed to MFA fatigue attacks. Victims often report that the relentless notifications began late at night or early in the morning to maximise confusion. The technique bypasses MFA entirely without cracking any cryptography.
Consumers and employees should never approve a push notification they did not initiate themselves. If unexpected MFA requests arrive repeatedly, treat this as evidence that your password has been compromised and change it immediately. Switching to number-matching push (where you must type a code shown on the login page) or to FIDO2 passkeys eliminates push bombing entirely.
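A detection sketch for the notification flood described above, added here as an example and not part of the original entry: it flags accounts that receive many unapproved push prompts within a short window, and escalates when an approval lands while the burst is still active. The log layout, result values, threshold and window size are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log: (timestamp, user, result). The field layout and
# the result values ("denied", "timeout", "approved") are assumptions.
SAMPLE_EVENTS = (
    [(f"2026-06-10T02:{m:02d}:00", "alice", "denied") for m in range(14, 20)]
    + [("2026-06-10T02:20:30", "alice", "approved")]  # gives in after 6 prompts
    + [(f"2026-06-10T03:0{m}:00", "carol", "timeout") for m in range(5)]  # ignored flood
    + [("2026-06-10T09:00:00", "bob", "denied"),      # single mis-tap, then a
       ("2026-06-10T09:01:00", "bob", "approved")]    # normal login: no alert
    + [(f"2026-06-10T{h:02d}:00:00", "dave", "denied") for h in range(10, 15)]  # spread out
)


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: alert} for bursts of unapproved push prompts.

    "warning":  >= threshold denied/timed-out prompts inside `window`.
    "critical": an approval arrives while such a burst is still in the window,
                i.e. the pattern of a user giving in to the flood.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # evict prompts older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                alerts[user] = {"severity": "critical", "prompts": len(q),
                                "approved_at": ts_raw}
            q.clear()  # an approval ends the current sequence
        else:
            q.append(ts)
            already_critical = alerts.get(user, {}).get("severity") == "critical"
            if len(q) >= threshold and not already_critical:
                alerts[user] = {"severity": "warning", "prompts": len(q),
                                "approved_at": None}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(SAMPLE_EVENTS).items():
        print(user, alert)
```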