MFA prompt bombing, also called "push fatigue," is a cyberattack technique where hackers flood users with repeated multi-factor authentication push notifications until the victim accidentally or deliberately approves one just to stop the alerts. Security experts warn this tactic exploits human psychology and notification fatigue, making even MFA-protected accounts vulnerable when attackers have already stolen passwords through phishing or data breaches. Organizations are now encouraged to move away from simple push-based authentication toward more secure methods like number matching or hardware security keys.
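As an added detection example (not code from the original page): the pattern described above shows up in authentication logs as a burst of denied or timed-out push prompts for one user, sometimes ending in an approval. The sketch below flags both cases; the log format, the sample lines, the 10-minute window and the threshold of 4 are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): ISO timestamp, user, push result.
SAMPLE_LOG = """\
2024-05-01T02:14:05 alice denied
2024-05-01T02:14:40 alice timeout
2024-05-01T02:15:10 alice denied
2024-05-01T02:15:55 alice timeout
2024-05-01T02:16:30 alice approved
2024-05-01T09:00:02 bob approved
2024-05-01T13:30:00 carol denied
2024-05-01T13:30:45 carol denied
2024-05-01T13:31:20 carol timeout
2024-05-01T13:32:00 carol denied
2024-05-01T17:45:00 bob timeout
2024-05-01T17:45:30 bob approved
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 4                    # assumed: unapproved prompts that count as a burst


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts (time, user, kind) for bursts of unapproved push prompts."""
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved prompts
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:      # expire prompts outside the window
            q.popleft()
        if result == "approved":
            # An approval right after a burst is the high-severity case.
            if len(q) >= threshold:
                alerts.append((ts_raw, user, "approved_after_burst"))
            q.clear()
        else:                                 # denied or timeout
            q.append(ts)
            if len(q) == threshold:           # alert once when the burst forms
                alerts.append((ts_raw, user, "prompt_burst"))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(*alert)
```

An `approved_after_burst` alert is the one to treat as a likely account takeover; a `prompt_burst` alone indicates the password is probably already compromised even though the prompts were refused.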