Understanding MFA Bombing: A Growing Cybersecurity Threat

Seung Ha
Director, Infrastructure & Cybersecurity

Mario Sanmiguel
Cybersecurity Engineer

Imagine it’s the end of a long workday, and just as you’re heading out, your phone starts flooding with urgent notifications for a password change — “Allow” or “Don’t Allow.” You haven’t requested a change, yet the prompts persist relentlessly and block the use of your phone. Faced with frustration, what would you do? This scenario illustrates a sophisticated cyberattack known as MFA Bombing. 

What is MFA Bombing?  

MFA Bombing, or Multi-Factor Authentication Bombing, is a tactic where attackers repeatedly send MFA verification prompts to a victim’s device. The goal is to fatigue the user into mistakenly granting access by pressing “Allow,” often just to stop the incessant notifications. The close placement of the “Allow” and “Don’t Allow” buttons exacerbates the risk, as does the extension of these notifications to devices like smartwatches, where a wrong tap is even more likely. 

A Real-World Example: A case reported by Krebs on Security highlighted a user who received over 30 MFA requests in quick succession. Days later, the attack escalated with a deceptive phone call from someone posing as Apple support, a classic move in social engineering. This incident underscores not just the persistence of MFA Bombing but also its combination with other tactics to exploit user fatigue and steal credentials.

Prevention Strategies:  

  • To combat MFA Bombing, awareness is key. Users must be educated to recognize that unsolicited MFA requests are likely indicators of a cyberattack. 
  • Passwordless Authentication: Services from companies like Okta and Microsoft Entra ID now offer passwordless logins, which rely on device recognition rather than traditional passwords. This method ensures that even if attackers bypass MFA through fatigue tactics, they cannot access the account without the registered device. 
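On the detection side, the same signal users are taught to notice (a burst of unsolicited prompts) can be flagged automatically. The sketch below is an added example, not part of the original article or any vendor's product: it scans MFA push events for bursts per user and escalates when an approval ends a run of denials. The event schema, window, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema: (ISO timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2024-01-08T17:58:00", "alice", "denied"),
    ("2024-01-08T17:58:40", "alice", "denied"),
    ("2024-01-08T17:59:10", "alice", "timeout"),
    ("2024-01-08T17:59:50", "alice", "denied"),
    ("2024-01-08T18:00:30", "alice", "denied"),
    ("2024-01-08T18:01:05", "alice", "approved"),  # approval at the end of a burst
    ("2024-01-08T09:00:05", "bob", "approved"),    # ordinary sign-ins, a day apart
    ("2024-01-09T09:01:12", "bob", "approved"),
    ("2024-01-09T02:10:00", "carol", "denied"),
    ("2024-01-09T02:11:00", "carol", "denied"),
    ("2024-01-09T02:12:00", "carol", "denied"),
    ("2024-01-09T02:13:00", "carol", "denied"),
    ("2024-01-09T02:14:00", "carol", "denied"),
]

def detect_mfa_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive >= threshold push prompts inside a sliding window.

    'warning'  : a prompt burst with no approval (user is holding out).
    'critical' : an approval arrives while the window is full of denials or
                 timeouts, the pattern a fatigue-induced "Allow" would leave.
    """
    recent = defaultdict(deque)   # user -> (timestamp, result) pairs still in window
    alerts = {}
    for ts_str, user, result in sorted(events):   # ISO strings sort chronologically
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, result))
        while ts - q[0][0] > window:              # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        rejected = sum(1 for _, r in q if r in ("denied", "timeout"))
        alert = alerts.setdefault(user, {"prompts": 0, "severity": "warning"})
        alert["prompts"] = max(alert["prompts"], len(q))
        if result == "approved" and rejected >= threshold - 1:
            alert["severity"] = "critical"        # stays critical once set
    return alerts

if __name__ == "__main__":
    for user, alert in detect_mfa_bombing(SAMPLE_EVENTS).items():
        print(user, alert)
```

A "critical" result is the case worth treating as a likely account compromise: revoke the session and reset credentials rather than waiting for the user to report it.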

Conclusion: MFA Bombing is a potent reminder of the evolving challenges in cybersecurity. By combining user education with advanced security technologies like passwordless authentication, life sciences firms can fortify their defenses against this insidious threat. Vigilance and the right tools are essential to safeguarding against such sophisticated attacks.

Celito is a team of experienced IT Executives, Industry Professionals, and Business Consultants focused on the life sciences industry.
