Multi-factor authentication (MFA) fatigue attacks, also known as MFA bombing or prompt bombing, exploit human psychology rather than technical vulnerabilities. Attackers combine stolen credentials with persistent MFA notification spam, wearing down users until they accept a prompt just to make the notifications stop.
Exploit Techniques
The attacker triggers unanticipated MFA prompts on the user's device, potentially after phishing the credentials.
Under pressure or fatigue, the user accepts a prompt to stop the bombardment.
Allthenticate eliminates MFA Fatigue
By only accepting requests from browsers that were marked as trusted by the user using secure authentication and relying on the laws of physics to prove proximity, you can eliminate MFA fatigue while offering one of the smoothest login experiences possible.
One-Time Secure Pairing
Initial QR code scan establishes an unbreakable bond:
► Server generates a unique cryptographic nonce
► Browser displays it in a QR code
► Phone scans it and verifies through a secure channel
This browser will then be trusted for all future MFA attempts.
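The pairing steps above, and the reason an untrusted browser can no longer spam prompts, sketched as an added example (not Allthenticate's code). The HMAC key shared with the phone stands in for the "secure channel"; that key, the 120-second nonce lifetime and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 120  # seconds a QR code stays valid (assumed value)


def phone_tag(phone_key: bytes, nonce: str) -> str:
    """What the phone returns after scanning: an HMAC over the nonce."""
    return hmac.new(phone_key, nonce.encode(), hashlib.sha256).hexdigest()


class PairingServer:
    def __init__(self, phone_key: bytes):
        self.phone_key = phone_key  # enrolled phone's key (assumption)
        self.pending = {}           # nonce -> (browser_id, expiry time)
        self.trusted = set()        # browsers allowed to trigger MFA

    def start_pairing(self, browser_id, now=None):
        """Issue the nonce that the browser renders as a QR code."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self.pending[nonce] = (browser_id, now + NONCE_TTL)
        return nonce

    def complete_pairing(self, nonce, tag, now=None):
        """Verify the phone's response; the nonce is consumed either way."""
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use, blocks replay
        if entry is None:
            return False
        browser_id, expiry = entry
        expected = phone_tag(self.phone_key, nonce)
        if now > expiry or not hmac.compare_digest(expected, tag):
            return False
        self.trusted.add(browser_id)
        return True

    def request_mfa(self, browser_id):
        """True if a prompt is sent; untrusted browsers reach no phone."""
        return browser_id in self.trusted


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    srv = PairingServer(key)
    n = srv.start_pairing("laptop-browser")
    print(srv.complete_pairing(n, phone_tag(key, n)))
    print(srv.request_mfa("laptop-browser"), srv.request_mfa("unknown-browser"))
```

A login attempt with stolen credentials from a browser that never completed pairing gets `False` from `request_mfa`, so no notification is generated for the user to tire of.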
Proving Proximity (with Bluetooth)
Once trust is established with the browser and the phone is paired with the computer (connected over Bluetooth), users are logged back in automatically by sending a cryptographic challenge to the phone through the local computer over Bluetooth, confidently asserting that the phone is near the computer that loaded the website.
With your phone acting as a proximity-bound hardware token, the user experience is surreal.
Logins either require the phone to be physically close or a typical secure MFA interaction.