MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

This analysis examines how MFA prompt bombing, a technique in which attackers flood a user with repeated push authentication requests until one is approved by accident or out of fatigue, bypassed multi-factor authentication in the 2022 Cisco breach, resulting in the exfiltration of 2.8 GB of data. The technique exploits human psychology rather than a technical flaw, so push-based MFA is vulnerable regardless of its underlying cryptographic strength. Despite widespread awareness of this attack vector since the Cisco incident, many organizations continue to rely on push MFA without additional controls such as number matching, location context, or risk-based authentication. The article argues that security leaders must treat push MFA as a transitional technology and migrate toward phishing-resistant authentication methods, including FIDO2 security keys and certificate-based authentication, to close this persistent gap.
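The pattern described above (a run of unapproved push prompts for one account, ending in an approval) can be flagged from MFA logs. The following is an added example, not code from the article: the log format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved prompts that counts as a burst

# Constructed sample push-MFA log, one event per line: "<ISO timestamp> <user> <result>"
SAMPLE_LOG = """\
2024-01-01T02:00:05 bob denied
2024-01-01T02:00:40 bob denied
2024-01-01T02:01:10 bob timeout
2024-01-01T02:01:45 bob denied
2024-01-01T02:02:20 bob denied
2024-01-01T02:02:50 bob timeout
2024-01-01T02:03:10 bob approved
2024-01-01T09:00:00 alice approved
2024-01-01T09:30:00 carol denied
2024-01-01T09:30:20 carol approved
"""

def parse(log):
    """Yield (timestamp, user, result) tuples from the assumed log format."""
    for line in log.strip().splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result

def detect_prompt_bombing(log, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp, unapproved_count)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts inside the window
    alerts = []
    for ts, user, result in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result == "approved":
            # An approval right after a burst is the high-severity case:
            # the session it created should be reviewed or revoked.
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts, len(q)))
            q.clear()
        else:
            q.append(ts)
            if len(q) == threshold:  # alert once when the burst threshold is reached
                alerts.append((user, "burst", ts, len(q)))
    return alerts
```

The "burst" alert fires while the flood is still in progress, which is the point at which the account's push enrollment can be suspended before any prompt is approved.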
