Multi-factor authentication (MFA) is one of the most effective tools we have to protect accounts from compromise. However, attackers have adapted their techniques and now focus on exploiting human behavior instead of technical weaknesses. One increasingly common method is known as an MFA fatigue attack.
What Is an MFA Fatigue Attack?
An MFA fatigue attack occurs when a threat actor who already holds a user's stolen credentials repeatedly attempts to log in to that account. Because the password is correct, each attempt gets as far as the second factor and triggers an MFA prompt, such as a push notification, phone call, or approval request, sent to the legitimate user.
The attacker’s goal is simple. By sending many prompts in a short period of time, they hope the user will eventually approve one out of frustration, confusion, or distraction. Once approved, the attacker gains access as if they were the authorized user.
Warning Signs to Watch For
You may be experiencing an MFA fatigue attempt if you notice:
- Multiple MFA prompts you did not initiate
- Authentication requests arriving back-to-back
- Login alerts from unfamiliar locations or devices
Any MFA prompt that you did not personally trigger should be treated as suspicious.
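As an added example that is not part of the original notice, the following Python script turns the first two warning signs into detection logic over a constructed sample log of MFA push prompts: it flags any user who receives a burst of prompts within a short window, and records separately whether an approval followed repeated denied or unanswered prompts. The log format, field names, and thresholds are assumptions, not any real MFA product's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real system):
# timestamp, user, push result. alice gets five prompts in two minutes.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z alice timeout
2024-03-04T08:01:42Z alice denied
2024-03-04T08:02:05Z alice timeout
2024-03-04T08:02:30Z alice denied
2024-03-04T08:03:01Z alice approved
2024-03-04T08:15:00Z bob approved
2024-03-04T09:40:00Z bob approved
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def approval_after_burst(burst, threshold):
    # True if an approval follows >= threshold-1 denied/unanswered prompts (the outcome the attacker waits for)
    rejected = 0
    for _ts, result in burst:
        if result == "approved" and rejected >= threshold - 1:
            return True
        if result != "approved":
            rejected += 1
    return False

def find_mfa_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    """Flag users who received at least `threshold` prompts inside any `window`."""
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((ts, result))
    findings = {}
    for user, evs in sorted(per_user.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                prev = findings.get(user, {"prompts": 0, "approved_after_burst": False})
                findings[user] = {"prompts": max(prev["prompts"], len(burst)),
                                  "approved_after_burst": prev["approved_after_burst"]
                                  or approval_after_burst(burst, threshold)}
    return findings
```

A finding with `approved_after_burst` set is the case the notice warns about and should be escalated as a likely compromise rather than a noisy user.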
What You Should Do
If you receive an unexpected MFA request:
- Do not approve it
- Deny the request if possible
- Change your password immediately
- Report the activity to CIRT@utmb.edu
Approving a single fraudulent request can allow an attacker to bypass MFA entirely.
Final Thoughts
MFA is a powerful security control, but it relies on users making the right decision at the right time. Treat MFA prompts like a locked door to your account. If you did not request access, do not approve it. Staying alert helps protect both your personal account and the organization as a whole.