
Using Push Notifications for MFA is a Security Liability

Published On: Mar 3, 2025

Push notifications are everywhere. From social media notifications to app alerts, they’ve become a seamless way to engage users, including for authentication. Many companies have adopted push-based MFA as an easy, user-friendly way to verify logins. Instead of manually entering a one-time passcode (OTP), users simply tap "Approve" on their device.

The added convenience is good, right? But what happens when attackers exploit that convenience?

Threat actors have turned push notification bombing, also known as MFA fatigue attacks, into a simple yet highly effective way to break into accounts. By flooding users with repeated authentication requests, they rely on human error, frustration, and confusion to gain unauthorized access.

Here's the bottom line: if you're still using push-based MFA, attackers will exploit it. Here's how they do it and how to stop them.

How push notification bypass works

Push-based authentication assumes that the person approving the request is the same person trying to log in, and it does nothing to verify that this is actually the case. Attackers take advantage of this assumption in primarily the following two ways, both of which boil down to manipulating the user.

MFA fatigue attacks (push bombing)

This method relies on repeatedly sending MFA requests via push notifications until the victim gives in and approves one.

How it works:

  • The attacker obtains a user's credentials through phishing or another method.
  • They attempt to log in multiple times, triggering push notifications.
  • The victim eventually approves a request to stop the flood of notifications.

Many users assume the notifications are a glitch or mistake and approve the request without thinking. Attackers count on this response.
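The pattern described above (a burst of prompts to one user, several denied or ignored, then one approval) is visible in identity-provider logs. The following is an added example, not code from the original post: it runs simple push-bombing detection over a constructed log sample. The log format, event names, and thresholds are assumptions, not any vendor's real schema.

```python
# Added example (not from the original post): flag push-bombing (MFA fatigue)
# patterns in constructed IdP authentication logs.  Log format, event names
# and thresholds are assumptions, not any vendor's real schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp user event source_ip".
# Events: push_sent, push_denied, push_timeout, push_approved.
SAMPLE_LOG = """\
2025-03-03T02:10:01Z alice push_sent 203.0.113.7
2025-03-03T02:10:09Z alice push_denied 203.0.113.7
2025-03-03T02:10:15Z alice push_sent 203.0.113.7
2025-03-03T02:10:22Z alice push_timeout 203.0.113.7
2025-03-03T02:10:30Z alice push_sent 203.0.113.7
2025-03-03T02:10:40Z alice push_sent 203.0.113.7
2025-03-03T02:10:48Z alice push_sent 203.0.113.7
2025-03-03T02:10:55Z alice push_approved 203.0.113.7
2025-03-03T09:00:00Z bob push_sent 198.51.100.4
2025-03-03T09:00:06Z bob push_approved 198.51.100.4
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), max_prompts=3):
    """Return one alert per user whose push prompts within `window` exceed
    `max_prompts`.  Each alert records how many prompts were denied or timed
    out during the burst and whether an approval followed it (the 'victim
    gave in' signal that turns a noisy event into a likely compromise)."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        sent = [e for e in evs if e[2] == "push_sent"]
        for i, first in enumerate(sent):
            burst = [e for e in sent[i:] if e[0] - first[0] <= window]
            if len(burst) <= max_prompts:
                continue
            burst_end = burst[-1][0]
            rejected = sum(1 for e in evs if e[2] in ("push_denied", "push_timeout")
                           and first[0] <= e[0] <= burst_end)
            approved = any(e[2] == "push_approved" and burst_end <= e[0] <= burst_end + window
                           for e in evs)
            alerts.append({"user": user, "prompts": len(burst),
                           "rejected_before_approval": rejected,
                           "approved_after_burst": approved,
                           "source_ips": sorted({e[3] for e in burst})})
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice receives five prompts in under a minute, rejects two, then approves, which is exactly the sequence worth paging on; bob's single prompt and approval is normal traffic and produces no alert.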

Social engineering with IT support

Some attackers go beyond spamming notifications and directly contact the victim. They pretend to be IT support and convince the user to approve an MFA request.

How it works:

  • The attacker triggers a push notification.
  • They call or message the victim pretending to be an IT administrator.
  • They claim the request is for a routine security check or system update.
  • The victim, believing they are speaking with a legitimate IT representative, approves the request.

Because many employees trust IT staff and do not question their requests, this tactic is highly effective.

Breaches that exploited push notifications

Okta MFA Fatigue Attack (January 2022): The Lapsus$ hacking group bombarded an Okta third-party support engineer with endless push notifications. Eventually, they clicked “approve,” giving attackers Remote Desktop Protocol (RDP) access to Okta’s customer support panel and data related to two customers over a five-day period.

Cisco Attack (2022): Attackers used voice phishing to steal an employee’s credentials, then overwhelmed them with push notifications. One accidental approval later, Cisco’s network was breached.

Uber Breach (September 2022): MFA fatigue strikes again. Attackers sent nonstop push notifications to an Uber contractor until they gave in. That single click led to unauthorized access to Uber’s internal systems.

Why push-based MFA fails

Push notifications cannot defend against modern attacks. They fail as a security measure for several reasons.

  • Users often approve notifications without verifying them.
  • There is no guarantee that the person approving the request is the legitimate user.
  • If an attacker has a user's password, push MFA is easy to bypass.
  • Attackers can automate login attempts to launch large-scale attacks.

If a security measure can be bypassed simply by overwhelming a user with notifications, it is not effective.

How to protect your organization

The most effective way to eliminate a threat vector is by eradicating it from your environment. After all, what doesn’t exist cannot be attacked. Some key components of an effective defense include:

  • Phishing-resistant MFA with device-bound credentials that cannot be tampered with, stolen, or intercepted
  • Device security compliance by evaluating device risk prior to granting access to ensure that both the user and their device are authorized and secure
  • Universal deployment of strong authentication on every device. Threat actors will exploit the weakest link, so you need to make sure that phishing-resistant MFA is deployed across every operating system with no option to fall back to a weaker factor

Conclusion

Push notifications were designed for convenience, not security. Attackers have found easy ways to manipulate users into approving fraudulent authentication requests, making push-based MFA a weak security measure.

The best way to stop push notification attacks is to eliminate push-based authentication entirely. Phishing-resistant MFA provides a stronger alternative that ensures only legitimate users on secure devices can gain access.
