Skip to main contentArrow Right

Multi-factor authentication (MFA) does a lot for account security by requiring users to present at least two factors for secure access. While it improves upon relying solely on password-based authentication, MFA remains susceptible to specific bypass attacks. A popular and pervasive such attack is prompt bombing.

Microsoft reported the rise of prompt bombing and related attacks in 2021–2022. According to their report, there were over 31,800 such attacks per month in that span. And in 2023, security experts in the UK warned about the rise of prompt bombing attacks aided by machine learning.

Let’s look at these threats, how they work, and how to prevent them.

What is MFA prompt bombing?

Prompt bombing helps threat actors force their way into users’ accounts. It’s a favored technique of cybercriminals, capitalizing on what's known as "MFA fatigue." MFA fatigue happens when users feel the strain of repeated authentication requests in both their personal and professional lives.

Having to memorize several sets of credentials, along with methods for inputting them (not to mention poorly executed CAPTCHAs and similar tests), can make end users less willing or able to take proper precautions. This is where prompt bombing attacks come in, taking advantage of MFA fatigue to take over user accounts.

Through prompt bombing, attackers pose as rightful account holders and gain access to sensitive systems and data they shouldn’t have. After account takeover, attackers can move laterally, hold the company for ransom, corrupt IP, and disrupt operations with forced downtime.

The term “prompt bombing” is often used interchangeably with names like “prompt injection,” “MFA spamming,” or just “MFA fatigue attack.” They’re all the same in practice.

Learn about other broken authentication attacks

How MFA prompt bombing works

Prompt bombing allows attackers to bypass MFA protections by getting users to authenticate false MFA prompts. Generally, attackers do this by bombarding users with illegitimate requests.

Three common strategies used by attackers include:

  • Request bursts: Attackers send a multitude of MFA requests to a user in quick succession to overwhelm them. The goal is to either confuse users into authenticating or coerce them into accepting a request out of frustration (i.e., desire to stop the notifications).

  • Slow and steady requests: Alternatively, attackers may spread prompts over a longer duration, sending small daily requests to remain undetected. Attackers draw less attention to themselves but are still likely to wear down users’ defenses.

  • Targeted requests: Attackers may also supplement either of the above methods with social engineering. They may contact the victim through calls or emails, posing as an authoritative stakeholder to make the fraudulent request seem more legitimate.

Regardless of the attack method employed, a single successful account breach can harm the targeted individual and any other person whose data the compromised account can access.

How to protect against MFA bombing

Installing standard cyber defense infrastructure such as identity and access management (IAM) and content filters helps defend against these attacks. Specific protections like number matching, recommended by CISA and other agencies, are an excellent next step. Additionally, the following methods should be employed to enforce security.

Train your users

Protection against prompt bombing begins with user awareness.  You must train individuals who use a given login method to access an application or website how to keep their accounts safe. 

In a corporate environment, you should educate staff during onboarding and at regular intervals. As for clients and other users, clear, in-depth instructions about account safety should be available and accessible. 

Use strong (preferably passwordless) authentication methods

Beyond training, another fundamental protection against MFA prompt bombing attacks is securing the baseline factors used to log in. This means using strong passwords or preferably using passwordless authentication.

Methods like magic links, social logins, and biometrics are less likely to be compromised than passwords are. If attackers aren’t able to make it past the first authentication factor, prompt bombing attacks are stopped at the source.

Ensuring user credentials are as strong as they can be is a strong first line of defense against prompt bombing and other identity-focused attacks.

Implement automatic account lockout controls

Aside from making individual credentials stronger, you should also strive for account management practices that identify risk to further restrict access. Consider configuring accounts to lock users out after a designated number of login attempts fail. Regaining access could require a more stringent user identity test, such as biometric proof or contacting an IT representative.

Another more advanced method is anomaly detection, which considers the number of attempts and other factors surrounding the attempt, like IP addresses.

Similarly, access sessions themselves should be limited. You should prompt all users to re-authenticate regularly to avoid lingering and potentially unaccounted-for access, especially if your company is in a regulated industry.

If implemented thoughtfully, these measures can keep attackers out without causing undue inconvenience to legitimate users.

Move to phishing-resistant MFA

The best defense against MFA bombing is phishing-resistant MFA, which complements strong authentication with behavioral monitoring and risk-based authentication escalations.

If the user aligns with a security baseline, logging in from the usual IP address and at the regular time, for example, the system may permit a standard login. However, in the presence of anomalies or other risk factors, adaptive authentication can initiate a "step-up" authentication, requesting additional credentials to confirm the user's identity.

Drag-and-drop MFA with Descope

Not all MFA implementations are created equal. Building and maintaining MFA deployments – including protecting them against bypass attacks like prompt bombing – requires a lot of time, effort, and expertise.

Descope can help. Our no / low code CIAM platform helps organizations easily add MFA controls to their app using visual workflows. Customers can also add risk-based MFA by creating branching user paths based on the risk level of the login attempt. Connectors with external fraud prevention systems like reCAPTCHA Enterprise and Traceable can further secure your user journeys.

Fig: Descope risk-based MFA flow with reCAPTCHA

Sign up for a Free Forever account to get started with Descope. Have questions about our platform? Book time with our auth experts to learn more.