MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal the second factor: they just need the user to hand it over.

If your workforce authenticates with push-based MFA, this attack is a live threat to your organization today. Tools like Specops Secure Access are built specifically to close that gap, but before getting into the fix, it's worth understanding how this technique works.

How MFA prompt bombing works

The attack requires three key elements to work:

Valid account credentials, usually sourced from breached password dumps on the dark web

How MFA prompt bombing works

The attack requires three key elements to work:

Valid account credentials, usually sourced from breached password dumps on the dark web

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

Other newsrooms on this story

Related reading

Modernizing Identity Security Beyond MFA

How attackers bypass MFA in financial services

MFA verifies who logged in. It has no idea what they do next.

Account Recovery Becomes a Major Source of Workforce Identity Breaches

Hackers bypass SonicWall VPN MFA due to incomplete patching

The New Phishing Click: How OAuth Consent Bypasses MFA

Related reading

Modernizing Identity Security Beyond MFA

How attackers bypass MFA in financial services

MFA verifies who logged in. It has no idea what they do next.

Account Recovery Becomes a Major Source of Workforce Identity Breaches

Hackers bypass SonicWall VPN MFA due to incomplete patching

The New Phishing Click: How OAuth Consent Bypasses MFA

Other newsrooms on this story