MFA bombing – how to bypass strong authentication?

MFA bombing how to bypass strong authentication

There has been a lot of buzz in the cybersecurity internet lately about MFA bombing or MFA fatigue, two names for the same method that cybercriminals use to bypass multi-factor authentication. In this article, we explain what MFA bombing or MFA fatigue is and how to defend against it.

MFA bombing, and Uber attack.

MFA bombing became famous after the recent attack on Uber. An Uber employee’s account was compromised as a result of sending hundreds of compromised push notifications. Deceived Uber employee has let a cybercriminal into the corporate network and thus caused an image crisis for the transportation technology giant.

MFA bombing
MFA bombing

How does MFA bombing work?

MFA bombing is nothing more than persistent harassment of the user with subsequent push notifications urging them to accept the transaction. The cybercriminal hopes that the user will get tired (hence the name MFA fatigue) of rejecting subsequent notifications and, at some point, will simply agree to the query appearing every now and then on the smartphone screen. 

MFA fatigue

The average smartphone user in the US receives more than 46 notifications on their mobile device per day. That’s almost two notifications an hour. Every half hour, the user needs to break away from what he is doing at the moment to look at the phone. Cybercriminals make good use of this fact, knowing that there is a good chance that the victim will, at some point, unknowingly agree to something they shouldn’t.

MFA fatigue
MFA fatigue

How to defend against MFA bombing? How to avoid MFA fatigue?

CISA, the cybersecurity and infrastructure agency has consistently urged organizations to implement MFA for all users and all services. However, the organization emphasizes that not all forms of MFA are equally safe, as the example of MFA bombing, which efficiently circumvents MFA based on push notifications, is perfectly demonstrated.

As a result, the new CISA guidelines emphasize the need to use an MFA resistant to this type of attack, an MFA that does not use push notifications, i.e. authentication based on biometrics (fingerprint or face scan) or physical hardware keys.

Using this method as the second factor of authentication and eliminating the push authentication option fully protects against phishing and social engineering. The user has the option of logging in to the application only by confirming his identity biometrically or with a physical security key.

How to implement FIDO2 authentication?

The best way to start using FIDO2 authentication based on both biometrics and hardware keys is to use the user access security broker approach. This approach to the implementation of MFA in organizations developed by Secfense allows you to implement MFA on any application in a no-code way, i.e., without the need to interfere with its code. The ability to install MFA without coding allows the organization to implement scalability, i.e., the ability to use MFA on any application and any number of applications. This means that the Secfense broker gives you the opportunity to secure the entire company and all applications with authentication resistant to phishing, MFA bombing, or MFA fatigue, in other words, attacks on older MFA methods.

What if currently secure MFA methods are defeated?

Nothing is permanent in cybersecurity. Criminals are finding new ways to circumvent more and more advanced defense methods. The trend is also heading in a direction unfavorable for companies operating on the Internet. A few years ago, it was said that if cybercrime were a country, it would rank 13th in the gross domestic product compared to other countries. Statistics from 2021 indicate that in just a few years, cybercrime has gone up ten places in the ranking and is now in third place after the economies of the US and China.

Timeless security

It is, therefore, reasonable to suspect that the currently most secure MFA methods will one day be defeated. The Secfense broker has a chance to protect the organization against the time factor as well. The characteristic of this technology is that it allows you to implement any authentication method in the same easy way. Therefore, companies can reach for the currently most secure FIDO2 standard, as well as use methods previously used in the organization. The broker also guarantees that future yet unknown authentication methods will be added in the same easy and scalable way always to ensure the best level of security for user and application authentication.   

Antoni takes care of all the marketing content that comes from Secfense. Read More


We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk



We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director


Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera


Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT