What is MFA Prompt Bombing ?

MFA prompt bombing is an attack method used to bypass multi-factor authentication (MFA) security. This technique works by flooding users with MFA prompts to access a system, with the goal of finding a prompt that the user accepts.

MFA prompt bombing is an emerging cyber threat that organizations must understand and defend against. As multi-factor authentication has become more widely adopted to strengthen account security, threat actors have developed techniques to systematically target users with authentication requests in an attempt to gain access. Through repeated login prompts, hackers try to confuse or frustrate users into entering their credentials or approval into a malicious site or app.

This technique, known as MFA prompt bombing, allows attackers to bypass multi-factor authentication and gain access to sensitive accounts and data. Cybersecurity professionals and business leaders need awareness and education about this threat to protect their organizations. By understanding how MFA prompt bombing works and the strategies to mitigate risk, companies can avoid becoming victims of this increasingly common attack vector.

An Overview of Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. MFA adds an extra layer of security to user sign-ins and transactions.

Traditional authentication methods rely on a single factor — typically a password. However, passwords can be stolen, guessed, or hacked. Through MFA, unauthorized access can be prevented by requiring more than just a password. This could be in the form of a security key, a code that is sent to a mobile device, or a biometric scan.

MFA protects against phishing, social engineering, and password-cracking attacks. Even if a hacker obtained a user’s password, they would still need the second authentication factor to gain access. This multi-pronged approach significantly reduces the risk of account compromise.

There are several types of MFA options:

  • SMS text messages: A one-time code is sent to the user’s phone via text message. The user enters that code to verify their identity.
  • Authenticator apps: An app like Google Authenticator or Authy generates one-time codes for the user to enter. This method does not rely on the user having cell service or a text-enabled phone.
  • Security keys: A physical USB drive or Bluetooth device must be inserted or tapped to verify the login. This is a very secure form of MFA.
  • Biometrics: Technologies like fingerprint, facial, or voice recognition are used to authenticate the user’s identity. Biometrics are very convenient but can be spoofed in some cases.

MFA should be implemented for any system or application that contains sensitive data or funds to help reduce risks like account takeover and fraud. When set up properly, MFA is an effective control that enhances login security and protects user accounts.

How MFA Prompt Bombing Works

MFA prompt bombing begins with an attacker gaining access to a user’s username and password. The attacker then uses automation to generate and submit a high volume of login attempts for the user’s account. Each login attempt triggers an MFA prompt, like a text message with a one-time code or an authentication app notification.

The attacker continues generating login attempts at a rapid pace until the user accepts an MFA prompt, whether intentionally or accidentally. Accepting a prompt gives the attacker the authentication code they need to access the user’s account. At this point, the attacker has bypassed MFA and has  gained full access.

MFA prompt bombing preys on user psychology and limited human attention spans. When bombarded with a barrage of prompts in quick succession, a user is more likely to tap or enter a code without thinking in order to make the prompts stop. Even if the user realizes the mistake immediately, the attacker already has the access they need.

To defend against MFA prompt bombing, organizations should monitor for unusually high volumes of MFA prompts for a single user account. Prompt bombing also highlights the need for stronger authentication methods that are more difficult to bypass, such as FIDO2 security keys, biometric authentication, and risk-based MFA. By implementing adaptive MFA policies and robust authentication  monitoring, companies can reduce the risks of prompt bombing and other MFA bypass techniques.

Examples of MFA Prompt Bombing Attacks

MFA prompt bombing attacks target users who have access to critical systems by attempting to overwhelm them with authentication requests. These brute force attacks aim to deny access to legitimate users by locking them out of accounts and systems.

Automated Botnets

Cybercriminals often employ botnets, networks of infected computers, to carry out MFA prompt bombing attacks. The bots are programmed to repeatedly attempt authentication to target systems using lists of stolen or guessed credentials. Due to the high volume of login attempts, the target MFA systems lock out accounts to prevent unauthorized access. However, this also blocks valid users from accessing their accounts.

Credential Stuffing

Another common tactic used in MFA prompt bombing is credential stuffing. Hackers obtain lists of usernames and passwords from previous data breaches and leaks. They then stuff these credentials into the target system’s login page as quickly as possible. The repeated failed login attempts trigger the account lockout mechanisms, resulting in denial of service.

Mitigation Techniques for MFA Prompt Bombing

There are several methods organizations can employ to mitigate the threat of MFA prompt bombing:

  1. Use adaptive authentication: Systems that can detect and block automated bot activity. They analyze login velocity, geo-location, and other factors to determine suspicious access attempts.
  2. Employ IP whitelisting: Restrict access to only trusted IP addresses and block all others. This makes it difficult for hackers to conduct attacks from their own systems.
  3. Increase account lockout thresholds: Raising the number of failed login attempts allowed before an account is locked out reduces the effectiveness of brute force attacks while still preventing unauthorized access.
  4. Implement risk-based authentication: Require additional authentication factors for logins from unknown or suspicious locations/devices. This adds another layer of security for high-risk access attempts.
  5. Use reCAPTCHA: The reCAPTCHA system can detect and block automated bots. It presents users with challenges that are difficult for bots to solve in order to verify that a human is attempting access.

MFA prompt bombing threatens organizations by denying users access to their accounts and systems. However, with vigilance and proper safeguards in place, the risks posed by these kinds of brute force attacks can be significantly mitigated. Continuous monitoring and adaptation to evolving threats is key.

How to Detect MFA Prompt Bombing

To detect MFA prompt bombing, organizations should implement the following security measures:

Monitor for Anomalous Login Attempts

Monitoring for an unusually high volume of failed login attempts, especially across multiple accounts or sources, can indicate MFA prompt bombing activity. Cybercriminals are likely to try different passwords and usernames in an attempt to guess correct credentials. Organizations should set thresholds to detect these anomalies and receive alerts when they occur.

Review MFA Prompts and Responses

Reviewing MFA prompts and user responses can uncover signs of MFA prompt bombing such as:

  • Repeated invalid passcodes or push notification approvals from the same device.
  • Multiple MFA prompts for different accounts originating from a single device within a short time period.
  • MFA prompts for accounts the device has never accessed before.

Inspect VPN and Network Logs

Analyzing virtual private network (VPN) logs and network activity can also reveal MFA prompt bombing. Things to look for include:

  1. A device accessing the VPN from an unusual location. Cybercriminals often spoof locations to mask their identity.
  2. A device connecting to the network at an unusual time when the legitimate user is unlikely to log in.
  3. A device accessing a high number of accounts or sensitive resources within the network in a short period. This could indicate the hackers are “spraying and praying” with stolen credentials.

Deploy Additional Identity Security Controls

Organizations should implement additional identity security controls to reduce the risk of MFA prompt bombing like:

  • Requiring a second authentication factor for risky access like VPN logins or access to sensitive data. Using a FIDO2 passwordless authentication can make MFA prompt bombing much harder.
  • Monitoring for login attempts from locations that differ from a user’s typical access pattern. Unusual access locations can indicate account takeover.
  • Rotating and randomizing MFA passcodes to ensure hackers cannot reuse stolen codes.
  • Providing user education on spotting and reporting MFA prompt bombing attempts.

By maintaining vigilance and implementing a strong identity security strategy, organizations can detect and mitigate the threat of MFA prompt bombings. It is essential to implement a proactive security strategy across people, processes, and technology to fight off MFA prompt bombing attacks. 

Preventing MFA Prompt Bombing: Best Practices

Implement Multi-Factor Authentication

To prevent MFA prompt bombing, organizations should implement multi-factor authentication (MFA) across all internet-facing resources and user accounts. MFA adds an additional layer of security that requires not only a password but also another method of verification like a security code sent via text message or an authentication app. With MFA enabled, attackers using stolen credentials won’t succeed to gain access unless they also have access to the user’s phone or authentication device.

Use MFA Options Resistant to Prompt Bombing

Some MFA options are more susceptible to prompt bombing than others. SMS text messaging and voice calls can be compromised, allowing attackers to intercept authentication codes. Hardware tokens and authentication apps provide a higher level of security. Security keys, like YubiKeys, offer the strongest protection and should be used for administrators and privileged accounts whenever possible.

Monitor for MFA Prompt Bombing Attempts

Security teams should monitor user accounts, authentication requests for signs of prompt bombing attempts. Things like an unusually high number of MFA prompts in a short time span, MFA prompts originating from suspicious IP addresses, or reports of SMS or voice phishing messages claiming to be MFA codes can all indicate prompt bombing. Detected attacks should trigger an immediate password reset and review of the user’s account activity.

Provide MFA Education and Training

Educating users about MFA and prompt bombing helps reduce risk. Training should cover:

  • How MFA works and the security benefits it provides.
  • The various MFA methods available and their level of protection.
  • What a legitimate MFA prompt looks like for each method used and how to identify phishing attempts.
  • The importance of never sharing MFA codes or authentication devices with others.
  • Procedures to follow if a user receives an unsolicited MFA prompt or suspects their account has been compromised.

With the right controls and user education in place, organizations can reduce the threat of MFA prompt bombing and strengthen their users’ overall  security hygiene. However, as with any cybersecurity defense, continued vigilance and regular reviews of new threats and mitigation techniques are required.

Choosing an MFA Solution Resistant to Prompt Bombing

To prevent prompt bombing attacks, organizations should implement an MFA solution that uses dynamically generated one-time passcodes (OTPs) instead of SMS text messages. These solutions generate a new OTP each time a user logs in, so attackers cannot reuse codes to gain unauthorized access.

Hardware Tokens

Hardware tokens, such as YubiKeys, generate OTPs that change with each login. Since the codes are generated on-device, attackers cannot intercept them via SMS or voice call. Hardware tokens offer a high level of security but may require an upfront investment to purchase the tokens. They also require users to carry an additional physical device, which some may find inconvenient.

Authenticator Apps

Authenticator apps like Google Authenticator, Azure MFA, Silverfort, and Duo generate OTPs on the user’s phone without relying on SMS or voice calls. The OTPs change frequently and the apps do not transmit the codes over a network, so they are very difficult for attackers to intercept or reuse. Authenticator apps are a secure, convenient, and low-cost MFA solution for organizations on a budget. However, they still require users to have a device capable of running the mobile app.


Biometric authentication, such as fingerprint, face, or iris scanning, offers an MFA solution that is very resistant to prompt bombing and other cyber attacks. Biometrics are difficult for unauthorized users to replicate since they are based on the user’s physical characteristics. They are also very convenient for users since they do not require any additional devices or software. However, biometric systems typically require a sizable upfront investment to purchase the necessary scanning hardware and software. They may also raise privacy concerns for some.

MFA solutions that generate OTPs on-device, such as hardware tokens, authenticator apps, and biometrics, offer the strongest protection against prompt bombing and other automated attacks. Organizations should evaluate these options based on their security needs, budget, and user preferences. With the right MFA solution in place, prompt bombing can be effectively mitigated.

What to Do if You’ve Been a Victim of MFA Prompt Bombing

If your organization has been the victim of an MFA prompt bombing attack, it’s important to take the following actions  to mitigate risks and prevent further damage:

Investigate the Scope of the Attack

Work with your security team to determine how many user accounts were targeted and compromised. Check for unauthorized logins and review account activity logs to identify accounts that were accessed. Determine what data or resources the attackers may have had access too. This investigation will help determine the severity of the incident and appropriate response.

Reset Compromised Credentials

For any account that was compromised, immediately reset passwords and MFA prompts. Generate strong, unique passwords for each account and enable MFA using an authenticator app rather than SMS text messages. Make sure users enable MFA on all accounts, not just the one that was compromised. Attackers often use access to one account to gain access to others.

Review and Strengthen Account Security Policies

Review your security policies and procedures assigned to each user to identify and fix any security gaps  that contributed to the attack. For example, you may need to enforce stronger password policies, limit account login attempts, restrict account access based on location or IP address, or increase monitoring of account logins. Multi-factor authentication should be required for all accounts, especially admin accounts.

Monitor Accounts for Further Suspicious Activity

Closely monitor all accounts over the next several months for any signs of further unauthorized access or account takeover attempts. Attackers may continue to target accounts even after the initial compromise to maintain access. Continually check account login and activity logs to identify any anomalous behavior as early as possible.

Contact Law Enforcement if Necessary

For larger-scale attacks, contact local law enforcement and report the cybercrime. Provide every detail about the attack that could aid in an investigation. Law enforcement may also have additional recommendations on securing your network and accounts to prevent future attacks.

It is important to take prompt and thorough action in the event of an MFA prompt bombing attack in order to limit damage, secure your systems, and minimize the chances of further compromise. Monitoring and constant vigilance are necessary to protect against follow-up attacks by malicious actors following an attack. With quick response and collaboration, organizations can overcome MFA prompt bombing’s damaging impacts.