HWIDChanger
Published on November 16, 2024

MFA fatigue: when two-factor prompts become the attack

An attacker with your password can spam approval prompts until you tap one. Knowing the trick is the defence.

Two-factor authentication is a strong protection, but one class of attack does not try to break it. It tries to wear you down. It is called MFA fatigue (or push bombing), and knowing it exists is most of the defence.

How the attack works

Some two-factor systems use a push notification: you log in, and a prompt appears on your phone asking you to approve or deny. It is convenient — one tap.

An MFA fatigue attack abuses that convenience. The attacker already has your password, from a breach, a phishing page, or a credential-stuffing run against reused passwords. They cannot get in without the second factor, so they trigger the login over and over. Your phone fills with approval prompts, at work, late at night, again and again. Sometimes the flood is paired with a call or message from someone claiming to be IT support, asking you to "just approve it so we can fix the problem". The attacker is betting that eventually you will tap "approve", out of confusion, annoyance, or simply to make the notifications stop. One tap is all they need.

Why it works on people

It works because it targets a person, not a system. The technology is functioning correctly the whole time. The attack exploits annoyance and the assumption that a prompt must mean something legitimate is happening. A flood of prompts late at night is disorienting, and "just approve it so it stops" is a very human reaction.

How to defend against it

The defences are clear once you know the attack. The first rule: never approve a prompt you did not personally start. An approval request you did not trigger does not mean "tap to clear it"; it means someone has your password, which is itself the alert. Deny the prompt rather than ignoring it, since a denied prompt is a record your security team can act on. Many systems now use number-matching, where you must enter a number shown on the login screen rather than just tapping yes. This defeats blind approval entirely, although an attacker who has you on the phone can still read the number out to you, so the first rule still applies. Authenticator-app codes and hardware security keys (FIDO2/WebAuthn) are not vulnerable to prompt-spam at all, because there is nothing to spam. On the administrator side, most identity providers can limit how many push prompts a user receives in a short period and lock the account after repeated denials, which shuts the attack down before it becomes exhausting.
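The repeated-denial pattern described above is easy to spot in authentication logs. The following is an added example, not code from the original article: it parses a constructed sample of push-MFA prompt outcomes and flags any user who accumulates several denied or unanswered prompts inside a short window, marking the case as high severity when an approval follows the flood. The log format, field names and thresholds are assumptions; map them to whatever your identity provider actually exports.

```python
"""Detect push-MFA prompt flooding (MFA fatigue) in authentication logs.

Added example, not code from the original article. The log layout,
field names and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip result", one prompt per line.
# result is the outcome of a push prompt: denied, timeout (unanswered) or approved.
SAMPLE_LOG = """\
2024-11-16T02:14:01Z alice 203.0.113.5 denied
2024-11-16T02:14:40Z alice 203.0.113.5 timeout
2024-11-16T02:15:12Z alice 203.0.113.5 denied
2024-11-16T02:16:03Z alice 203.0.113.5 timeout
2024-11-16T02:17:30Z alice 203.0.113.5 denied
2024-11-16T02:18:55Z alice 203.0.113.5 approved
2024-11-16T09:02:10Z bob 198.51.100.7 approved
2024-11-16T09:30:44Z bob 198.51.100.7 denied
"""

REJECTED = ("denied", "timeout")


def parse_log(text):
    """Turn the text log into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def find_prompt_floods(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: alert} for users with >= threshold rejected prompts in one window.

    A flood followed by an approval inside the same window is the dangerous
    case (the user gave in), so it is rated "high"; a flood the user held
    the line on is still "medium", because it shows the password is known.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):          # sorts by timestamp first
        by_user[ev[1]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        rejected = [e for e in evs if e[3] in REJECTED]
        for i, first in enumerate(rejected):
            window_end = first[0] + window
            burst = [e for e in rejected[i:] if e[0] <= window_end]
            if len(burst) < threshold:
                continue
            approved_after = any(
                e[3] == "approved" and first[0] <= e[0] <= window_end for e in evs
            )
            alerts[user] = {
                "first_prompt": first[0],
                "rejected_count": len(burst),
                "source_ips": sorted({e[2] for e in burst}),
                "approved_after_flood": approved_after,
                "severity": "high" if approved_after else "medium",
            }
            break                       # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, alert in find_prompt_floods(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {alert['rejected_count']} rejected prompts from "
              f"{alert['source_ips']} starting {alert['first_prompt']}, "
              f"approved after flood: {alert['approved_after_flood']} "
              f"(severity {alert['severity']})")
```

With the constructed sample, only alice is flagged: five rejected prompts in under four minutes from one address, followed by an approval, which is exactly the "tapped to make it stop" outcome the article warns about. bob's single denial is normal noise. In production, the medium-severity case should trigger a forced password reset, and the high-severity case an incident, since the attacker now has a session.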

What to do if it happens

If prompts you did not request start arriving, deny them and do not approve any of them, and treat it as confirmation that your password is compromised. Change that password immediately, and change it anywhere you reused it. Report the prompts to your IT or security team, because repeated denials from one account are something they can investigate and block. If the prompts were for a work account, check its recent sign-in activity for sessions you do not recognise. The attack itself is the warning that the first factor has already fallen.

The takeaway

MFA fatigue does not break two-factor authentication — it tries to get you to bypass it for them. The defence is a single firm rule: never approve a login prompt you did not start. An unexpected prompt is not an inconvenience to clear; it is a sign to change your password.
