A 2FA Fatigue Attack – also known as 2FA Bombing or 2FA Spamming – is a cyberattack strategy where attackers have gained access to the password of the target account and repeatedly send two-factor push authentication requests to the targets registered devices. The goal is to coerce the victim by exhaustion to approve them access into the application, thus authenticating the attackers attempt at entering their account.

To mitigate this Visma Authenticator App allows 5 push notifications to be ignored or denied before it suspends more attempts the next 30 minutes.