What MFA fatigue is
MFA fatigue starts after the password is already gone (a previous breach, an infostealer log on Telegram, or an earlier phishing page). The attacker submits your credentials over and over. Every attempt fires a push notification: "Approve sign-in?" with a city name and a generic device. Eventually you tap Approve, in a meeting, half-asleep at 3am, or because you genuinely think the IT system is broken. The instant you do, the attacker is inside with a fully authenticated session that looks identical to yours.
The Uber September 2022 case
On September 15, 2022, an 18-year-old Lapsus$ member breached Uber using exactly this technique. Per Uber's post-incident update and follow-on Reuters reporting: the attacker bought a contractor's corporate password on a dark web marketplace. The account was protected by Duo push MFA. The attacker logged in repeatedly, firing a push each time. Researchers who interviewed the attacker on Telegram said the contractor was hit with more than 100 notifications in roughly an hour. He ignored most. The attacker then messaged him on WhatsApp posing as Uber IT, saying the alerts would stop after he approved one. He tapped Approve.
Lapsus$ pivoted off the VPN session into internal shares, found PowerShell scripts containing a hardcoded admin credential for Uber's PAM system (Thycotic), and from there reached AWS, GCP, Duo, OneLogin, SentinelOne, and Slack. They posted a screenshot in #all-employees. CISA later attributed Lapsus$ activity against Uber, Okta, Microsoft, Nvidia, T-Mobile, and Rockstar Games to the same group in a joint FBI advisory (CISA AA23-061A). The contractor did not click a phishing link. He tapped one push because the alerts would not stop.
Why push notifications were a step backward
SMS two-factor had a real flaw (SIM swap), but it also had an accidental defense that push removed: cost. Login attempts that trigger an SMS get rate-limited because each message costs the provider a fraction of a cent. Push notifications cost the attacker nothing once the auth endpoint accepts the request. A bot fires a login every two seconds for an hour; the phone vibrates 1,800 times.
Microsoft and Duo both reported a sharp 2022 rise in MFA fatigue telemetry. The fix was rate limits and number matching, rolled out across Authenticator, Duo, and Okta Verify in 2022-2023. The catch is that small and mid-tier SaaS apps still ship push-only MFA with no rate limit at all. Any product running its own custom MFA without inheriting from Auth0, Okta, Microsoft, or Duo is probably push-spammable today.
The 3 escalating MFA fatigue variants
The same core idea (spam push until exhaustion does the rest) shows up in three forms in real incident reports.
1. Pure flood
100+ push notifications inside 30 minutes. No social engineering. The bet is that the target taps Approve out of annoyance or by accident while dismissing a notification. This is what hit the Uber contractor before the WhatsApp message escalated, and what hit Cisco employees in May 2022 (Cisco Talos confirmed MFA push was used after the attacker exhausted other methods).
2. Timed pressure
The attacker waits for off-hours, then floods. 2am and 3am are favored because the target is half-awake and far more likely to tap Approve to silence the phone. Lapsus$ specifically picked target time zones where it would be the middle of the night.
3. Social engineering combo
The attacker also calls or texts the target claiming to be IT support: "We are running a security drill, please approve when prompted." Or: "Your account is being attacked, tap Approve when you see the next prompt." This is the Uber variant. It turns the push from "weird thing I do not understand" into "thing IT asked me to do."
The number-matching defense
Microsoft Authenticator (number matching enabled by default for all tenants in February 2023), Duo Security (Verified Duo Push, 2022), and Okta Verify (Number Challenge, 2023) all shipped the same fix. Instead of Approve / Deny, the phone prompts for a 2-digit number. The login screen, which in a fatigue attack is on the attacker's browser, shows that number. The user must type the number from the login screen into their phone for the push to be approved.
This breaks MFA fatigue at the root. The attacker cannot tell the user which number to type, because it is generated by the identity provider and shown only on the attacker's browser. The user cannot accidentally Approve because there is no Approve button. They have to type a number, which means looking at a login screen they did not open. The first time a person sees the prompt and realizes they did not open a session, the attack ends. It is the single most effective MFA fatigue defense and it is free to turn on.
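The exchange described above, modelled as an added example that is not code from the original page or from any of the vendors named: a toy identity provider generates the 2-digit number per login attempt, hands it only to the screen that started the login, and accepts the push only when the phone submits that exact number. The 60-second push lifetime and all names are assumptions.

```python
import secrets
from dataclasses import dataclass

PUSH_TTL = 60.0  # seconds a pending push stays answerable (assumed value)


@dataclass
class PendingPush:
    user: str
    number: int      # 2-digit challenge, shown only on the login screen
    created: float   # epoch seconds when the push was issued


class NumberMatchIdP:
    """Toy identity provider modelling number-matching push approval.

    start_login() is what the login screen triggers (the attacker's browser
    in a fatigue attack); approve() is what the authenticator app calls.
    """

    def __init__(self):
        self.pending = {}  # push_id -> PendingPush

    def start_login(self, user, now):
        push_id = secrets.token_hex(4)
        number = secrets.randbelow(100)  # fresh 00-99 challenge per attempt
        self.pending[push_id] = PendingPush(user, number, now)
        # The browser is shown `number`; the phone receives only `push_id`
        # and an entry box, so there is nothing to "tap Approve" on.
        return push_id, number

    def approve(self, push_id, typed_number, now):
        push = self.pending.pop(push_id, None)  # single use, success or not
        if push is None or now - push.created > PUSH_TTL:
            return False
        return typed_number == push.number


def demo():
    idp = NumberMatchIdP()
    # 1) Legitimate login: the user sees the number on their own screen.
    pid, shown = idp.start_login("alice", now=0.0)
    legit = idp.approve(pid, shown, now=5.0)
    # 2) Attacker-started login: the number is on the attacker's browser only,
    #    so whatever the user types on the phone is not the pending number.
    pid, shown = idp.start_login("alice", now=10.0)
    blind = idp.approve(pid, (shown + 1) % 100, now=12.0)
    # 3) Stale push: even the right number fails once the push has expired.
    pid, shown = idp.start_login("alice", now=20.0)
    stale = idp.approve(pid, shown, now=20.0 + PUSH_TTL + 1)
    return legit, blind, stale, len(idp.pending)
```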
Other defenses
- Lock the account after N failed MFA prompts. After 5 rejected pushes in 10 minutes, auto-lock and notify the security team. Microsoft Entra calls it "MFA fatigue threshold," Duo has "fraud lockout," Okta has "Suspicious Activity Reporting." Turns 100-push floods into 5-push lockouts that wake the SOC instead of the user.
- Geo-fenced or device-bound conditional access. Block sign-in from countries the user has never logged in from, from anonymizing proxies, and from unmanaged devices. The Uber contractor's account was hit from a country they were not in; conditional access would have blocked the attempt before the push ever fired.
- Move from push to passkeys or FIDO2 entirely. Hardware-bound passkeys (YubiKey, Titan, iCloud Keychain, Windows Hello) cannot be phished, push-spammed, or social-engineered. The credential signs a challenge bound to the origin domain. CISA has named phishing-resistant MFA the gold standard since 2022.
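The lockout threshold in the first bullet, as an added example that is not from the page or from any vendor's product: a sliding-window detector over constructed push-result log lines that flags an account the moment it reaches five non-approved pushes in ten minutes, and raises a separate, higher-severity alert if an approval then lands while that window is still hot (the pattern from the Uber case). The log format and field names are assumptions.

```python
import json
from collections import defaultdict, deque

THRESHOLD = 5   # non-approved pushes before auto-lock
WINDOW = 600    # seconds (10 minutes)

# Constructed push-result log in JSON-lines form; the field names are assumed.
SAMPLE_LOG = """
{"ts": 1000, "user": "contractor", "result": "denied"}
{"ts": 1030, "user": "contractor", "result": "timeout"}
{"ts": 1060, "user": "contractor", "result": "denied"}
{"ts": 1090, "user": "contractor", "result": "denied"}
{"ts": 1120, "user": "contractor", "result": "timeout"}
{"ts": 1150, "user": "contractor", "result": "denied"}
{"ts": 1400, "user": "contractor", "result": "approved"}
{"ts": 1010, "user": "bob", "result": "approved"}
{"ts": 5000, "user": "bob", "result": "denied"}
"""


def parse_events(text):
    """Parse JSON lines and sort by timestamp; logs rarely arrive in order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_push_flood(events, threshold=THRESHOLD, window=WINDOW):
    """Per-user sliding window over denied/unanswered pushes.

    Emits ("lock", user, ts) when the window first holds `threshold` pushes,
    and ("approve-after-flood", user, ts) when an approval lands while the
    window is still hot: that is the fatigue-success signal the SOC wants.
    """
    recent = defaultdict(deque)  # user -> timestamps of non-approved pushes
    locked, alerts = set(), []
    for e in events:
        user, ts = e["user"], e["ts"]
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes outside the window
            q.popleft()
        if e["result"] == "approved":
            if len(q) >= threshold:
                alerts.append(("approve-after-flood", user, ts))
            continue
        q.append(ts)
        if len(q) >= threshold and user not in locked:
            # A real IdP would also stop issuing pushes to this user here.
            locked.add(user)
            alerts.append(("lock", user, ts))
    return alerts
```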
If you tapped Approve and the attacker is now in
Speed matters. The attacker has minutes, not hours, before persistence is established (inbox forwarding rule, OAuth grant, secondary token).
- Sign out of all sessions everywhere. Microsoft 365, Google Workspace, Okta, and Duo all have "sign out everywhere" in account security. Hit it within the first 5 minutes. This kills the stolen session token.
- Reset the password, then reset MFA. Re-enroll on a fresh device. The attacker may have added their own authenticator during the session.
- Audit recent activity. Check login locations, OAuth grants, email forwarding rules (the classic persistence trick: forward everything to attacker@gmail.com), and recovery email or phone changes.
- Notify IT or the security desk immediately. Not tomorrow. The team can revoke all OAuth grants, pull session tokens at the directory level, and start a hunt before the attacker pivots further.
Why this works on tired humans
It is not a clever exploit; it is cognitive science. Three failure modes show up in every post-incident report. Cognitive load fatigue: sustained vigilance depletes the prefrontal cortex. After 30 push notifications, the brain pattern-matches "incoming push" to "annoyance to dismiss." Choice fatigue: each decision burns finite executive function. Approve or Deny ten times in a row, and the eleventh decision is sloppy. Normalcy bias: when an event repeats, the brain reaches for the most ordinary explanation ("the system is being weird, I probably did try to log in"). At 3am the brain takes shortcuts because cortisol is low and the amygdala wants the phone to be quiet. Attackers know this, which is why timed pressure works.
Where SafeBrowz fits
MFA fatigue happens on the phone, so the push-spam moment itself is outside what a browser-layer scanner can see. The browser part is the earlier step: the phishing page that stole the password in the first place. That stolen password is the precondition for every MFA fatigue attack. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders, using a 550+ brand database, JavaScript signatures for credential-harvesting kits, and AI content analysis for new lookalikes. If the credential-theft page never loads, the attacker never gets the password and the MFA fatigue stage never starts. Combine it with number matching and a phishing-resistant passkey for critical accounts, and the chain breaks at three independent layers. Install SafeBrowz free.
Frequently asked questions
What is MFA fatigue in one sentence?
MFA fatigue is when an attacker who already has your password floods your phone with push notifications until you tap Approve out of exhaustion, confusion, or because they also called you pretending to be IT support. The Uber 2022 breach by Lapsus$ is the textbook public case.
Will number matching stop every MFA fatigue attack?
It stops the pure flood and timed pressure variants completely, because there is no Approve button to tap. Social engineering combos are partially mitigated: an attacker on the phone can still try to dictate a number, but cognitive friction is much higher than tapping Approve. Number matching is the highest-leverage MFA fatigue defense available right now.
How did Lapsus$ keep firing push notifications without getting rate-limited?
In 2022, Duo's defaults did not aggressively rate-limit push from a single source. After Uber and Cisco, Duo, Microsoft, and Okta all tightened. Most major providers now throttle after 5-10 attempts in a short window, but smaller SaaS products with custom MFA often still do not.
I tapped Approve on a push I did not start. What do I do?
Sign out of all sessions in the account immediately, reset the password, re-enroll MFA on a fresh device, check for OAuth grants and email forwarding rules you did not create, and notify IT within the hour. Killing the stolen session token is the most urgent step.
Are passkeys really immune to MFA fatigue?
Yes. A passkey is a cryptographic key bound to a specific origin domain, stored on hardware. The browser signs a challenge from the real domain using the key. An attacker on a phishing domain presents the wrong origin, so the key will not sign the challenge. Nothing to spam, nothing to tap. CISA classes FIDO2 passkeys as phishing-resistant MFA for this reason.
Why did the Uber contractor not just turn off notifications?
He tried. He initially ignored the prompts. The attack escalated because the attacker contacted him on WhatsApp posing as Uber IT and convinced him that approving one would end the disruption. That social engineering combo is why training, number matching, and lockout thresholds are all needed together.
Related reading
- Adversary-in-the-middle 2FA bypass - the other major MFA bypass class
- Whaling: how CEO wire transfer scams work - social engineering applied to finance
- LinkedIn profiling before phishing - reconnaissance that feeds password theft
- "Microsoft account suspicious sign-in" scam - the credential-theft page that starts the chain
Bottom line: MFA fatigue is a behavioral attack on a tired human holding a buzzing phone, not a technical exploit. The Uber 2022 case ended with Lapsus$ in the company Slack because one contractor tapped Approve after a hundred pushes and a fake-IT WhatsApp. The fixes are concrete and free: turn on number matching, set lockout thresholds, move critical accounts to passkeys, and stop the phishing page that steals the password in the first place. Each layer alone is partial. Together they end the attack class.