// TL;DR
- Push-based MFA can be defeated by spamming approval prompts until the user taps yes.
- SIM swaps move the SMS code to the attacker's phone.
- The weak link is the approval decision, not the cryptography.
- Defense: number matching, phishing-resistant FIDO2 keys, and SIM-swap protections.
What happened
Multi-factor authentication is one of the highest-value controls you can turn on, and it is also widely misunderstood as unbreakable. It is not. The attacks that beat it do not break the math; they target the moment a human decides to approve.
MFA fatigue, or push bombing, is the simplest version. An attacker who already has the password triggers approval prompt after approval prompt. Eventually a tired or distracted user taps approve just to make the buzzing stop. The login succeeds, and the attacker is in.
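Push bombing leaves a distinctive trace in authentication logs: a burst of prompts for one account, most of them denied or ignored, followed by a single approval. The following is an added example, not code from the original post or the show, that flags that pattern. The log lines are constructed for illustration and the field names (`user=`, `event=push_sent` and so on) are assumptions, not any vendor's real schema.

```python
"""Flag MFA push-bombing in authentication logs.

Added example (not from the original post). The log lines below are
constructed for illustration; the field names are assumptions, not any
vendor's real schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is being push-bombed at 2 a.m. and finally
# taps approve; bob is a normal single prompt during the working day.
SAMPLE_LOG = """\
2024-05-01T02:03:10Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:03:11Z user=alice event=push_denied ip=203.0.113.7
2024-05-01T02:03:40Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:04:05Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:04:31Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:05:02Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:05:20Z user=alice event=push_approved ip=203.0.113.7
2024-05-01T09:15:00Z user=bob event=push_sent ip=198.51.100.4
2024-05-01T09:15:06Z user=bob event=push_approved ip=198.51.100.4
"""

WINDOW = timedelta(minutes=5)
MAX_PUSHES = 3  # more prompts than this inside WINDOW for one user is a burst


def parse_line(line):
    """Split one constructed log line into (timestamp, {field: value})."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields


def detect_push_bombing(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return a list of alerts as (user, kind, timestamp).

    kind is "burst" when more than max_pushes prompts land within `window`
    for one user, and "approval_after_burst" when the user approves a push
    while such a burst is in progress: the moment a fatigue attack pays off.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent push_sent
    burst_open = set()            # users currently inside a burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f["user"], f["event"]
        q = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_pushes and user not in burst_open:
                burst_open.add(user)
                alerts.append((user, "burst", ts))
        elif event == "push_approved":
            if user in burst_open:
                alerts.append((user, "approval_after_burst", ts))
            # A decision closes the burst; a fresh flood reopens it.
            burst_open.discard(user)
            q.clear()
        # push_denied is expected during an attack: keep counting prompts.
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_bombing(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

The "approval_after_burst" alert is the one worth paging on: a burst alone may be a flaky client, but an approval that lands inside a burst is exactly the tired tap the attacker is waiting for, and the session it created should be revoked and the password reset. Tune `WINDOW` and `MAX_PUSHES` to how often your own identity provider legitimately re-prompts.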
SIM swapping attacks the SMS code path. By social-engineering a mobile carrier into porting the victim's number to a new SIM, the attacker receives the one-time codes directly. Again, no cryptography is broken; a help desk was talked into a change.
The hardening path is concrete. Move from raw push approvals to number matching, where the user must type into the authenticator app a number shown only on the login screen, so a blind tap on the phone approves nothing. Better still, deploy phishing-resistant FIDO2 security keys or passkeys: the credential is bound to the site's origin, so a login relayed through a look-alike site, or approved by mistake, does not give the attacker a usable session. And lock down the carrier account with a port-out PIN so a SIM swap is not a phone call away.
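To make the two hardening steps concrete, here is an added example (not code from the original post, and not any vendor's implementation) that models both: a push prompt that only succeeds when the number displayed on the login screen is typed back, and a simplified FIDO2-style assertion check in which the authenticator signs the origin the browser reports. The HMAC stands in for the credential's public-key signature, and the names `RP_ID`, `authenticator_sign` and `verify_assertion` are this example's own.

```python
"""Number matching and origin-bound assertions, modelled in a few functions.

Added example, not from the original post. It is a simplified model of
WebAuthn's clientDataJSON binding, using HMAC in place of a real
public-key signature; RP_ID, authenticator_sign and verify_assertion are
names chosen for this example.
"""
import hashlib
import hmac
import json
import os
import secrets

# --- Number matching ------------------------------------------------------
def start_push(session):
    """Server side: create a prompt whose approval needs the number shown on
    the login screen. The return value is what the login page displays, so
    in a push-bombing attack only the attacker's screen shows it."""
    session["match"] = f"{secrets.randbelow(100):02d}"
    return session["match"]


def approve_push(session, typed):
    """A blind 'tap yes' carries no number and is rejected; only the number
    from the login screen the user is actually looking at passes. The prompt
    is single-use: it is consumed whether or not the attempt succeeds."""
    expected = session.pop("match", None)
    return expected is not None and typed is not None and hmac.compare_digest(expected, typed)


# --- FIDO2-style origin binding ------------------------------------------
RP_ID = "login.example"          # relying party the credential was registered to
CRED_KEY = os.urandom(32)        # stands in for the credential key pair (constructed)


def authenticator_sign(key, challenge, origin):
    """The authenticator signs over the origin the *browser* reports, not
    whatever the page claims to be. A phishing site cannot change it."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def verify_assertion(key, assertion, expected_challenge):
    """Relying-party check: fresh challenge, our own origin, valid signature."""
    data = json.loads(assertion["client_data"])
    if data["challenge"] != expected_challenge:
        return False                         # replayed or stale challenge
    if data["origin"] != f"https://{RP_ID}":
        return False                         # signed for another site: a relay
    expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def genuine_login():
    challenge = secrets.token_urlsafe(16)    # issued by login.example to the real user
    assertion = authenticator_sign(CRED_KEY, challenge, f"https://{RP_ID}")
    return verify_assertion(CRED_KEY, assertion, challenge)


def relayed_phish():
    """Adversary-in-the-middle at https://login.example.evil forwards the genuine
    challenge to the victim; the victim's browser still reports the evil origin."""
    challenge = secrets.token_urlsafe(16)    # issued by login.example to the attacker
    assertion = authenticator_sign(CRED_KEY, challenge, "https://login.example.evil")
    return verify_assertion(CRED_KEY, assertion, challenge)


if __name__ == "__main__":
    s = {}
    shown = start_push(s)
    print("blind tap accepted:", approve_push(s, None))      # False
    shown = start_push(s)
    print("typed number accepted:", approve_push(s, shown))  # True
    print("genuine login:", genuine_login())                 # True
    print("relayed phish:", relayed_phish())                 # False
```

The point to notice is where each defense moves the decision. Number matching still relies on the human, but forces them to look at the screen that started the login, which an attacker's push flood cannot show them. The origin check removes the human from the equation entirely: even a user who does everything the phishing page asks produces a signature the real site will refuse.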
MFA stops a stolen or reused password from being enough on its own. It does not stop a tired human approving a push at 2 a.m.
How to defend against it
The through-line of every Threat Level: Human briefing is the same: the control being exploited is the human, so the durable defense is a habit, not just a product. Watch the full breakdown above, and subscribe on YouTube for the weekly decode.