What is an MFA Fatigue Attack?
An MFA fatigue (or push bombing) attack floods a user with repeated MFA approval prompts after criminals obtain their password, hoping the victim eventually taps Approve out of annoyance or confusion. It exploits human patience rather than technical weakness.
Why MFA fatigue attacks matter for Australian businesses
With cyberattacks on Australian businesses increasing year on year, understanding your security tools and strategies is critical. The Australian Cyber Security Centre reports an attack every six minutes, and small and medium businesses are increasingly targeted. Having the right defences in place is not optional — it is essential for protecting your data, your clients, and your reputation.
For small and medium businesses in particular, understanding an MFA fatigue attack is essential to maintaining a secure, efficient, and resilient IT environment. Whether you are reviewing your current defences or planning improvements, knowing how these threats work and how to stop them will help you have more informed conversations with your IT provider and make better decisions for your business.
Related terms
MFA • Passkeys • Conditional Access
How All IT Services can help
At All IT Services, we help businesses across Sydney, Brisbane, Melbourne, and regional NSW defend against an MFA fatigue attack as part of our comprehensive cybersecurity solutions. If you have questions about how this fits into your IT strategy, contact our team for a no-obligation consultation.
Frequently Asked Questions
What is an MFA fatigue attack?
Attackers with a stolen password trigger wave after wave of MFA push notifications until the user approves one, granting the attacker access.
How do we defend against MFA fatigue?
Use number matching or code entry instead of simple Approve buttons, limit prompt frequency, train staff to report unexpected prompts, and consider phishing-resistant passkeys.
What should staff do if they get an unexpected MFA prompt?
Deny it, change their password immediately and report it to IT — an unexpected prompt almost always means the password is already in criminal hands.
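The prompt-frequency limit and the reporting of unexpected prompts described above can be backed by a check over MFA sign-in logs. The following is an added example, not code from All IT Services or any MFA vendor; the event format (timestamp, user, result), the result labels, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, result); not real log data.
SAMPLE_EVENTS = [
    ("2024-05-01T02:10:00", "alice", "denied"),
    ("2024-05-01T02:10:40", "alice", "timeout"),
    ("2024-05-01T02:11:15", "alice", "denied"),
    ("2024-05-01T02:12:05", "alice", "timeout"),
    ("2024-05-01T02:13:30", "alice", "approved"),
    ("2024-05-01T09:00:00", "bob", "approved"),
    ("2024-05-01T13:00:00", "bob", "approved"),
    ("2024-05-01T09:05:00", "carol", "denied"),
    ("2024-05-01T09:05:50", "carol", "denied"),
    ("2024-05-01T09:06:30", "carol", "timeout"),
    ("2024-05-01T09:07:10", "carol", "denied"),
]

def detect_push_bombing(events, max_prompts=3, window=timedelta(minutes=10)):
    """Return {user: severity} for users who received more than
    max_prompts push prompts inside one sliding time window.

    "burst": prompts exceeded the limit but none was approved while over
    it (password is probably stolen, the user has resisted so far).
    "approved_after_burst": an approval arrived while the window was over
    the limit (treat as a likely account takeover).
    """
    recent = defaultdict(deque)  # user -> prompt times still inside the window
    alerts = {}
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(now)
        while now - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) > max_prompts:
            if result == "approved":
                alerts[user] = "approved_after_burst"  # escalate, never downgrade
            else:
                alerts.setdefault(user, "burst")
    return alerts

if __name__ == "__main__":
    for user, severity in detect_push_bombing(SAMPLE_EVENTS).items():
        print(f"{user}: {severity}")
```

The same counter can be used at prompt time to stop sending further pushes once a user is over the limit, which is the "limit prompt frequency" control in enforcement form.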