How Hackers Bypass Prompt-Based 2FA and How to Stay Safe

Many companies are moving away from SMS-based two-factor authentication (2FA) in favor of prompt-based (push) 2FA. It’s easy to see why. A push prompt is delivered to an app on a device you enrolled rather than to a phone number, so it removes the risk of SIM swapping and recycled phone numbers, two of the biggest SMS security headaches, while giving users a simpler and faster way to approve logins.
But while push-based 2FA is generally safer than SMS codes, it is not invincible. Hackers have developed creative ways to bypass it, often without users realizing what’s happening. If you use push-based authentication for your accounts—and you probably do—it’s worth understanding how attackers exploit it and what you can do to protect yourself.
One of the most common techniques is the MFA fatigue attack, also called push bombing or prompt spamming. Suppose your password has already been stolen. The attacker starts a login with it, which sends a push prompt to your phone, and then repeats the login again and again, hoping that annoyance, confusion, or simple curiosity will make you tap “approve” just to make the pop-ups stop. The usual countermeasure is number matching: the login screen shows a short number that you must type into the authenticator app, so a blind tap is no longer enough. It helps, but it is not airtight. An attacker who has you on the phone can read the number off their own screen and ask you to enter it, and implementations that let you pick the number from a short list on the phone still leave a small chance that a hurried user taps the right one.
The rule here is simple: never approve a login request you did not just start yourself. Deny it, and treat it as evidence that someone has your password: change that password right away, and if it is a work account, report the prompt to your IT or security team so they can look for other attempts. Attackers also combine push bombing with social engineering. They call or message you, claiming to be from your bank or IT department, and tell you to approve the request (or read the matching number back to them) as part of “verification.” No real bank or help desk will ask you to approve a login prompt that they triggered.
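From the defender's side, the pattern described above (a burst of prompts followed by an approval) is easy to spot in authentication logs. The following script is an added example and is not code from the original article or from any identity provider. It assumes a constructed, hypothetical log format: one JSON object per line with the fields `ts` (ISO-8601 UTC), `user`, `event` (`push_sent`, `push_denied` or `push_approved`) and `src_ip`. Real products use different field names, and the window and threshold are assumptions to tune for your environment.

```python
"""Flag MFA-fatigue (push bombing) patterns in authentication logs.

Added example, not from the original article. The log format is a
constructed, hypothetical one; real identity providers differ.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions; adjust to your environment).
WINDOW = timedelta(minutes=10)   # look-back used when counting prompts
BURST_THRESHOLD = 5              # prompts within WINDOW that count as bombing

# Constructed sample log: bob and carol log in normally; alice receives six
# prompts in three minutes from an outside address, denies the first, and
# finally approves one (the attacker won).
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "bob",   "event": "push_sent",     "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T08:00:07Z", "user": "bob",   "event": "push_approved", "src_ip": "10.0.0.5"}
{"ts": "2024-05-01T23:10:00Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:10:20Z", "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:10:35Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:11:02Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:11:30Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:12:01Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:12:40Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T23:13:05Z", "user": "alice", "event": "push_approved", "src_ip": "203.0.113.7"}
{"ts": "2024-05-02T09:00:00Z", "user": "carol", "event": "push_sent",     "src_ip": "10.0.0.9"}
{"ts": "2024-05-02T09:00:10Z", "user": "carol", "event": "push_approved", "src_ip": "10.0.0.9"}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of records sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat does not accept a trailing "Z" on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_fatigue(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return a list of alert dicts {user, kind, ts, count}.

    kind == "push_bombing": the user received >= threshold prompts within
        `window` (one alert per burst).
    kind == "approved_after_bombing": an approval arrived while such a
        burst was still inside the window, i.e. the attacker probably
        got in and the session should be revoked.
    """
    sent = defaultdict(list)   # user -> timestamps of push_sent in window
    alerted = set()            # users currently flagged for a burst
    alerts = []
    for rec in events:
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "push_sent":
            sent[user] = [t for t in sent[user] if ts - t <= window]
            sent[user].append(ts)
            if len(sent[user]) >= threshold:
                if user not in alerted:
                    alerts.append({"user": user, "kind": "push_bombing",
                                   "ts": ts, "count": len(sent[user])})
                    alerted.add(user)
            else:
                alerted.discard(user)   # burst has aged out; re-arm
        elif rec["event"] == "push_approved":
            recent = [t for t in sent[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": user, "kind": "approved_after_bombing",
                               "ts": ts, "count": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{alert['ts'].isoformat()} {alert['kind']:<24} "
              f"user={alert['user']} prompts_in_window={alert['count']}")
```

On the sample log the script raises one `push_bombing` alert for alice at the fifth prompt and one `approved_after_bombing` alert when she taps approve; the two normal logins produce nothing. In production the `approved_after_bombing` case is the one to act on immediately: revoke the new session, reset the password and re-enroll the authenticator.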
Another weak spot is SMS fallback. Some services let you enroll push-based 2FA but keep SMS codes as a backup method. An account is only as strong as its weakest enabled factor, so an attacker can skip the push prompt entirely, choose “send a code by text” instead, and go after the phone number through SIM swapping or number recycling. If the service lets you remove SMS as a fallback, or remove your phone number altogether when it is not required, do it, and keep printed backup codes somewhere safe as the recovery path instead.
Malware on the phone is more dangerous still. An infected device can approve prompts without you: malware that has been granted accessibility permissions can tap the “approve” button itself, and overlay malware draws a fake screen on top of the real prompt so that what looks like dismissing a harmless system notification actually approves a login. That is why services increasingly require a fingerprint or face scan to approve sensitive actions. Malware cannot fake your biometric, but it can still trigger prompt after prompt, so the fatigue problem comes back in a new form.
The best defense here is device hygiene. Do not sideload apps from unknown sources, review the permissions an app asks for before granting them (accessibility and “draw over other apps” deserve particular suspicion), and keep the operating system and the authenticator app up to date. If you suspect the phone is infected, stop using it to approve logins, clean it (a factory reset is the reliable option), and re-enroll your authenticator afterwards rather than trusting a compromised device with security decisions.
Prompt-based 2FA is a big step forward compared to old-school SMS or email codes, but it’s not perfect. Understanding how attackers get around it, from MFA fatigue and social engineering to malware overlays and SMS fallback, is the first step toward staying secure. Enable biometric confirmation wherever it is offered, keep your devices clean, and for your most important accounts move to passkeys or hardware security keys: those are bound to the site you are signing in to and involve no prompt that can be spammed, so both push bombing and the “please approve it for verification” call stop working.
Cybersecurity doesn’t have to be complicated. A little awareness goes a long way toward keeping your accounts—and your sanity—safe.