Defending against MFA fatigue attacks: Pause before you approve

Published: April 14, 2026


Multi-factor authentication (MFA) is one of the most effective ways to protect your accounts. However, attackers are increasingly using MFA fatigue tactics to bypass it.

At U of T, UTORMFA is required for staff, faculty, librarians and students. Understanding how these attacks work, and how to respond, helps protect your account and university data.

What is MFA fatigue?

MFA fatigue is the behaviour attackers exploit when users approve repeated or unexpected authentication prompts without verifying them. Attackers rely on this moment of inattention to gain access to accounts.

Common attacker tactics:

  • Sending repeated MFA notifications in quick succession to create urgency and pressure
  • Timing requests during work or school hours, when prompts may seem routine
  • Combining MFA spamming with phishing emails or messages requesting one-time passcodes

View a real-world example in the MFA Phish Bowl article.

How MFA fatigue attacks work

Attackers often start with phishing to steal your username and password. This can include:

  • Traditional phishing emails that trick users into entering credentials on fake websites
  • Adversary-in-the-middle (AitM) phishing, where attackers intercept login sessions in real time. This can occur when credentials are entered on insecure or unencrypted networks, including public Wi‑Fi
  • Fake IT support calls or text messages that request usernames, passwords or MFA codes
  • Reusing usernames and passwords from already compromised accounts on other services

Once attackers have your credentials, they attempt repeated logins. Each attempt triggers an MFA prompt on your device. This tactic is known as MFA spamming. The goal is to overwhelm you until you approve a request by mistake.
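The burst of prompts described above leaves a trace in authentication logs. The following is an added example, not code from the article or from U of T, showing how a defender could flag a burst of denied or unanswered MFA pushes for one account, and an approval that follows such a burst (the "approved by mistake" case). The log line format is a constructed assumption, not Duo's real export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp, user, push result).
SAMPLE_LOG = """\
2026-04-14T09:01:05 alice push_approved
2026-04-14T09:43:10 bob push_denied
2026-04-14T09:43:22 bob push_timeout
2026-04-14T09:43:41 bob push_timeout
2026-04-14T09:44:03 bob push_denied
2026-04-14T09:44:30 bob push_approved
2026-04-14T10:15:00 carol push_timeout
2026-04-14T11:30:00 carol push_approved
"""

WINDOW = timedelta(minutes=5)   # how close together prompts must be to count as a burst
THRESHOLD = 3                   # denied/unanswered prompts within WINDOW that trigger an alert


def parse(log):
    """Yield (timestamp, user, result) tuples from the constructed log text."""
    for line in log.splitlines():
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result


def detect_mfa_spam(log, window=WINDOW, threshold=THRESHOLD):
    """Return {user: [(alert_type, timestamp), ...]} for users showing MFA spamming patterns.

    A sliding window per user keeps the timestamps of recent denied or timed-out pushes.
    'burst' fires when the window fills to the threshold; 'approved_after_burst' fires when
    an approval arrives while the window is still full, which is the outcome MFA fatigue
    attacks aim for and the one worth an immediate incident review.
    """
    recent = defaultdict(deque)
    alerts = defaultdict(list)
    for ts, user, result in parse(log):
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) == threshold:       # fire once when the burst threshold is reached
                alerts[user].append(("burst", ts.isoformat()))
        elif result == "push_approved" and len(q) >= threshold:
            alerts[user].append(("approved_after_burst", ts.isoformat()))
    return dict(alerts)
```

Running `detect_mfa_spam(SAMPLE_LOG)` flags only `bob`: a burst at 09:43:41 and an approval after that burst at 09:44:30, while carol's single unanswered prompt an hour before her approval is not flagged.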

What to do when you receive an MFA prompt

  • Pause before you approve. Only approve a request if you started a login within the last minute
  • Deny unexpected requests. If you did not try to log in, do not approve the prompt
  • Report suspicious activity. Forward unusual MFA notifications to security.response@utoronto.ca

Why this matters

If you approve a fraudulent MFA request or share a one-time passcode, attackers can access your account. This may result in:

  • Impersonation, identity theft or fraud
  • Exposure of personal or university information
  • Loss of access to your accounts or university systems
  • Increased risk to university data and services

How phishing supports MFA attacks

Phishing messages often impersonate trusted organizations and try to create urgency. Their goal is to trick you into sharing login credentials or MFA passcodes, or approving a prompt you did not initiate.

Learn how to identify phishing in our Phishing 101 article.

Duo bypass codes: Use with care

UTORMFA users can generate 10 bypass codes to access their account if their mobile device is unavailable.

  • Store codes securely, such as printed and kept in a safe place
  • Do not save bypass codes on your computer or in email
  • Never share bypass codes. U of T staff will never ask for them

Set up your codes on the bypass codes webpage.

Strengthen your defences

  • Use strong, unique passwords for all accounts. Learn more in our Strong passwords article
  • Enable MFA on all supported services
  • Stay alert to unexpected login requests or messages
  • Contact security.response@utoronto.ca if you are unsure about an MFA request

Learn more

Visit the Multi-factor authentication (UTORMFA) FAQ page for more information and support.