MFA Bombing (also known as MFA Fatigue or MFA Push Spam) is an authentication bypass technique where an attacker, having already obtained valid user credentials, repeatedly triggers Multi-Factor Authentication (MFA) push notifications to the legitimate user's device. By overwhelming the user with continuous authentication requests, the attacker aims to either annoy the user into accidentally accepting a push notification or wear down their security vigilance through alert fatigue. This technique gained prominence in various high-profile breaches, including the 2022 Uber compromise.
Attack Path: #4 -> #1 -> #9 -> #4
Attacker has already obtained userID and password
This is a great example of how the TLCTC framework helps us understand attack sequences clearly. The ability to request MFA challenges repeatedly is not a code flaw (#2/#3), but rather an abuse of intended functionality (#1), which is then combined with social engineering (#9) to complete the identity theft (#4).
No additional updates are scheduled at this time.