Hacking Humans
MFA prompt bombing is a social‑engineering attack that overwhelms a user’s secondary authentication channel with a torrent of approval requests. After an adversary obtains a valid username and password, they repeatedly trigger login attempts, each generating a push notification or SMS to the victim’s device. The constant barrage creates irritation, and many users eventually approve the request simply to stop the noise. This technique bypasses the intended security of multi‑factor authentication by exploiting human fatigue rather than technical flaws, turning a protective measure into an entry point.
The method has been confirmed in real‑world campaigns. Members of the Lapsus ransomware group openly discussed unlimited MFA calls, claiming that a single accepted prompt grants access to enrollment portals and additional devices. Russian APT28, also known as Cozy Bear, has employed prompt bombing in sophisticated espionage operations, demonstrating its appeal to nation‑state actors. Even popular culture reflects the concept; the 1992 film *Sneakers* dramatizes a similar “push‑button” scenario, highlighting how attackers can manipulate routine security checks. These examples show that prompt bombing is not theoretical—it is actively compromising enterprises worldwide.
Defending against MFA prompt bombing requires both technical controls and user awareness. Organizations should enforce rate‑limiting on authentication attempts, require explicit justification for multiple prompts, and monitor for anomalous login patterns. Deploying hardware‑based or biometric second factors reduces reliance on push notifications that can be spammed. Regular training reminds employees to treat unexpected MFA requests as potential attacks, especially outside normal working hours. Integrating these measures into a broader zero‑trust framework ensures that compromised credentials cannot be leveraged without additional verification. As MFA adoption grows, addressing prompt fatigue is essential to preserve the integrity of multi‑factor defenses.
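The monitoring control described above, as an added example that is not part of the original episode page: a small detector that flags a user who receives an unusual burst of push prompts inside a sliding window and marks whether the burst ended in an approval. The log format, field names, window and threshold are assumptions for illustration; real identity-provider logs will differ.

```python
"""Flag MFA prompt-bombing bursts in constructed push-notification log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (hypothetical format; real identity-provider logs differ).
SAMPLE_LOG = """\
2024-05-01T02:13:05Z user=alice event=mfa_push result=denied
2024-05-01T02:13:40Z user=alice event=mfa_push result=timeout
2024-05-01T02:14:12Z user=alice event=mfa_push result=denied
2024-05-01T02:14:50Z user=alice event=mfa_push result=denied
2024-05-01T02:15:31Z user=alice event=mfa_push result=denied
2024-05-01T02:16:02Z user=alice event=mfa_push result=approved
2024-05-01T09:00:00Z user=bob event=mfa_push result=approved
2024-05-01T17:30:00Z user=bob event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(\S+)$")

def parse_log(text):
    """Return sorted (timestamp, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def detect_prompt_bombing(events, window=timedelta(minutes=5), threshold=4):
    """Alert on users who receive >= threshold push prompts inside a sliding window.
    An approval that follows the burst is the fatigue-induced accept to triage first."""
    recent = defaultdict(deque)  # user -> prompt timestamps still inside the window
    alerts = {}
    for ts, user, result in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(user, {"user": user, "prompts": 0, "approved_after_burst": False})
            a["prompts"] = max(a["prompts"], len(q))
            if result == "approved":
                a["approved_after_burst"] = True
    return list(alerts.values())

def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_prompt_bombing(parse_log(SAMPLE_LOG))
```

Alice's six prompts in under three minutes (the last one approved) produce one alert; Bob's two widely spaced approvals during working hours do not.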
Please enjoy this encore of Word Notes.
Hackers bypass multifactor authentication schemes by sending a blizzard of spamming login attempts until the account's owner accepts the MFA prompt out of desperation to make the spamming stop.
CyberWire Glossary link: https://thecyberwire.com/glossary/mfa-prompt-bombing
Audio reference link: movieclips. “Sneakers (2/9) Movie Clip - Defeating the Keypad (1992) HD.” YouTube, YouTube, 29 May 2011, https://www.youtube.com/watch?v=oG5vsPJ5Tos.