Start with Identity
Breach teardown · Multiple (Uber and others)

MFA fatigue and push bombing: defeating MFA without breaking it

Affected: Multiple (Uber and others)
Disclosed: 2022-09
Root cause: Repeated push prompts until a user approves

What happened

In a string of incidents, including the 2022 Uber breach, attackers who already had a valid password bombarded the victim with repeated MFA push notifications, sometimes paired with a message posing as IT. Eventually the tired or confused user tapped approve, and the attacker was in. No vulnerability in the MFA system was exploited; the human was.

Root cause

Simple approve/deny push MFA gives the user a one-tap way to authorize a login they did not start. Combined with a leaked or phished password, an attacker can trigger prompts on demand until one is accepted. Social engineering ("this is IT, please approve") raises the success rate.

The identity lesson

MFA is necessary, but not all MFA is equal. Possession-and-approval factors still end in a human decision made under pressure, and attackers can manufacture that pressure. The fix is to either take the judgment out of the loop (require something only the real login screen shows, so a blind tap authorizes nothing) or use a factor that a remote attacker cannot be granted at all (a credential bound to the site's origin).
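To make the difference concrete, here is an added example (not code from the page or from any MFA vendor): a toy push-MFA verifier that can run in plain approve/deny mode or in number-matching mode, driven by a simulated push-bombing attacker whose worn-down victim taps approve on every prompt. Class and function names, the two-digit challenge and the attempt counts are invented for illustration.

```python
# Added example, not the page's or any vendor's code. Models push MFA in two
# modes and a victim who blindly approves everything. All names and parameters
# here are assumptions for illustration.
import hmac
import secrets


class PushMfa:
    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # prompt_id -> (user, two-digit challenge)

    def send_prompt(self, user):
        """Called after the password checked out. The challenge is shown only on
        the login screen the initiator is looking at; the push never carries it."""
        prompt_id = secrets.token_hex(8)
        challenge = f"{secrets.randbelow(100):02d}"
        self.pending[prompt_id] = (user, challenge)
        return prompt_id, challenge

    def approve(self, prompt_id, typed=None):
        """Authenticator-side response. Returns True if the login is authorized."""
        entry = self.pending.pop(prompt_id, None)  # single use: no replay
        if entry is None:
            return False
        _user, challenge = entry
        if not self.number_matching:
            return True  # a bare tap wins: this is the weakness the attack abuses
        if typed is None:
            return False  # with number matching there is no plain "approve"
        return hmac.compare_digest(challenge, str(typed))


def push_bomb(service, attempts):
    """Attacker holding a valid password fires prompts; the victim taps approve
    on each one without a login screen in front of them, so has no number."""
    approvals = 0
    for _ in range(attempts):
        prompt_id, _challenge_on_attackers_screen = service.send_prompt("victim")
        if service.approve(prompt_id, typed=None):
            approvals += 1
    return approvals


def legitimate_login(service):
    """The real user reads the number from their own login screen and types it."""
    prompt_id, challenge = service.send_prompt("victim")
    return service.approve(prompt_id, typed=challenge)


if __name__ == "__main__":
    print("plain approve/deny, 10 prompts:", push_bomb(PushMfa(False), 10), "approved")
    print("number matching, 10 prompts:  ", push_bomb(PushMfa(True), 10), "approved")
    print("number matching, real user:   ", legitimate_login(PushMfa(True)))
```

The point is in `approve`: in plain mode the server learns nothing from the tap except that a hand touched a phone, so the attacker's tenth prompt is as good as the first. In number-matching mode the tap has to carry a value that only exists on the screen the attacker is sitting at, and the victim never sees it.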

How to defend

  • Turn on number matching (the user types the number shown on the login screen into the authenticator) and show context (location, requesting app) in push prompts, so a blind tap cannot approve anything.
  • Rate-limit push prompts per user, lock the account after repeated denials, and alert on bursts of prompts or on an approval that follows several denials in a short window.
  • Move high-value access to phishing-resistant MFA: FIDO2 security keys and passkeys, whose assertions are bound to the site's origin, so there is no prompt to approve and nothing the user can hand to a site they are not actually on.
  • Train help desks and users on the specific "this is IT, please approve the prompt" social-engineering script, and make "deny and report" the expected response to a prompt you did not start.
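Most organizations cannot change the MFA product, but they can watch its logs. The following is an added example (not code from the page or from any identity provider) of the rate-and-sequence detection the second bullet describes, run over constructed IdP-style log lines. The JSON field names, event names, the 5-prompts-in-5-minutes burst threshold and the "approval after 3 or more denials" rule are assumptions; map them onto your own provider's events.

```python
# Added example, not from the page or any vendor. Push-bombing detection over
# constructed identity-provider log lines. Field names, event names and
# thresholds are assumptions for illustration.
import json
from collections import defaultdict, deque

WINDOW = 300               # seconds: how long a prompt/denial stays "recent"
PROMPT_BURST = 5           # this many prompts to one user inside WINDOW
DENIALS_BEFORE_APPROVE = 3 # an approval preceded by this many denials

# Constructed sample log: alice is bombed and finally approves; bob logs in
# normally; carol denies once, then succeeds much later.
SAMPLE_LOG = """
{"ts": 1000, "user": "alice", "event": "mfa.push.sent",     "ip": "203.0.113.9"}
{"ts": 1010, "user": "alice", "event": "mfa.push.denied",   "ip": "203.0.113.9"}
{"ts": 1020, "user": "alice", "event": "mfa.push.sent",     "ip": "203.0.113.9"}
{"ts": 1030, "user": "alice", "event": "mfa.push.denied",   "ip": "203.0.113.9"}
{"ts": 1040, "user": "alice", "event": "mfa.push.sent",     "ip": "203.0.113.9"}
{"ts": 1050, "user": "alice", "event": "mfa.push.denied",   "ip": "203.0.113.9"}
{"ts": 1060, "user": "alice", "event": "mfa.push.sent",     "ip": "203.0.113.9"}
{"ts": 1070, "user": "alice", "event": "mfa.push.denied",   "ip": "203.0.113.9"}
{"ts": 1080, "user": "alice", "event": "mfa.push.sent",     "ip": "203.0.113.9"}
{"ts": 1090, "user": "alice", "event": "mfa.push.approved", "ip": "203.0.113.9"}
{"ts": 2000, "user": "bob",   "event": "mfa.push.sent",     "ip": "198.51.100.4"}
{"ts": 2005, "user": "bob",   "event": "mfa.push.approved", "ip": "198.51.100.4"}
{"ts": 3000, "user": "carol", "event": "mfa.push.sent",     "ip": "192.0.2.77"}
{"ts": 3010, "user": "carol", "event": "mfa.push.denied",   "ip": "192.0.2.77"}
{"ts": 3500, "user": "carol", "event": "mfa.push.sent",     "ip": "192.0.2.77"}
{"ts": 3505, "user": "carol", "event": "mfa.push.approved", "ip": "192.0.2.77"}
"""


def parse_log(text):
    """One JSON object per line, returned in time order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def _prune(timestamps, now):
    """Drop timestamps older than WINDOW from the left of a deque."""
    while timestamps and now - timestamps[0] > WINDOW:
        timestamps.popleft()


def detect_push_bombing(log_text):
    """Return findings: prompt bursts (medium) and approvals that follow a run
    of denials (high). The second is the one worth paging on: it is the moment
    the attacker gets in."""
    sent = defaultdict(deque)
    denied = defaultdict(deque)
    findings = []
    for e in parse_log(log_text):
        user, ts, ip = e["user"], e["ts"], e.get("ip", "?")
        if e["event"] == "mfa.push.sent":
            _prune(sent[user], ts)
            sent[user].append(ts)
            if len(sent[user]) == PROMPT_BURST:  # fire once as the threshold is crossed
                findings.append({"severity": "medium", "rule": "push_burst",
                                 "user": user, "count": len(sent[user]),
                                 "ts": ts, "ip": ip})
        elif e["event"] == "mfa.push.denied":
            _prune(denied[user], ts)
            denied[user].append(ts)
        elif e["event"] == "mfa.push.approved":
            _prune(denied[user], ts)
            if len(denied[user]) >= DENIALS_BEFORE_APPROVE:
                findings.append({"severity": "high", "rule": "approve_after_denials",
                                 "user": user, "count": len(denied[user]),
                                 "ts": ts, "ip": ip})
            denied[user].clear()  # the sequence ended; start counting afresh
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(SAMPLE_LOG):
        print(f)
```

On the sample, alice produces two findings (a burst at the fifth prompt, then a high-severity approval after four denials) while bob and carol produce none: carol's single denial is both below the threshold and outside the window by the time she approves. In production, key the burst rule on the source IP or session as well as the user, because a legitimate user retrying from a flaky connection looks different from one attacker address hammering one account.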

Related

Guide: Passkeys 101, what is passwordless. Vendors: MFA and passwordless. Glossary: account takeover.

Compiled from public disclosures and incident reporting; see the linked sources. Independent, community-driven analysis, not a statement of fact about any party. See the disclaimer.