Unexpected OTP Messages
Causes, MFA fatigue attacks, and how to stop them
Receiving OTPs but don't use Mideye?
If you are not a Mideye user but receive one-time password messages, the most likely cause is that your phone number was entered by mistake in an organisation's user directory — for example a typo in Active Directory — or that you inherited the number from a previous mobile subscriber who used Mideye.
Contact helpdesk@mideye.com with your phone number in international format (e.g. +46701234567) and we will block OTP delivery to your number.
This page is for Mideye customers and their users. Every Mideye OTP is triggered by an authentication request to a Mideye Server. If you receive one-time passwords you did not expect, something is generating login attempts — either from your own systems or from an external attacker. For more information about how authentication works, see our authentication service overview.
What Are MFA Fatigue and OTP Bombing Attacks?
A growing attack pattern called MFA fatigue (also known as OTP bombing or push fatigue) targets users with a flood of authentication prompts. The attacker already has the user's password — obtained through phishing, credential stuffing, or a data breach — and triggers repeated login attempts to overwhelm the user into approving one by mistake or entering the OTP out of frustration.
Signs of an MFA fatigue attack:
- A sudden burst of OTPs or push notifications you did not initiate
- OTPs arriving at unusual hours — late at night or on weekends
- Multiple OTPs in rapid succession, faster than any normal login flow
What to do immediately: Do not enter the OTP or approve any push notification. Change your password right away and notify your IT administrator. The attacker already has your current password. For password reset workflows that don't require IT intervention, ask your administrator about Assisted Password Reset.
Mideye Shield stops MFA fatigue attacks automatically
Mideye Shield detects and blocks credential stuffing, password spray, and MFA fatigue attacks before the OTP is even sent. It works through shared threat intelligence — when an IP address is identified as malicious at one Mideye deployment, it is automatically blocked across all participating servers.
Shield evaluates every authentication request in real time using risk scoring. Requests from known attack sources are rejected or silently dropped — the user never receives an OTP and the attacker gets no response.
Available in Mideye Server 6.5.12 and later.
What Are Other Common Causes of Unexpected OTPs?
Not every unexpected OTP is an attack. These are the most common benign causes:
1. Repeated or stuck login requests
The most common reason for a burst of OTPs is a login client or web page that sends multiple authentication requests in quick succession. This can happen when:
- A VPN client gets into a reconnection loop — for example after a network interruption — and keeps retrying the login automatically.
- A login page or dialog hangs or becomes unresponsive, and the user (or a keyboard auto-repeat setting) causes the login action to be submitted repeatedly.
- An unattended workstation sends login requests — something as simple as an object resting on the Enter key over a weekend can generate a large number of OTPs.
What to do: Close or restart the VPN client or browser session that is generating the requests. If you are unsure which application is causing it, try closing all login clients and restarting your computer. If the problem persists, contact your IT administrator to check the login logs.
2. Mobile network re-delivering old messages
Occasional issues in the mobile network can cause an SMS to be delivered more than once, or an old OTP to be re-sent at a later time. This does not have any security implications — Mideye OTPs have a limited lifetime (typically 60 seconds) and cannot be reused.
What to do: You can safely ignore duplicate messages. If it happens frequently, restarting your phone can help clear any cached messages. See also Android ghost SMS-OTPs for a related issue specific to certain Android versions.
3. Android cached flash/pop-up SMS
On certain Android versions, OTPs displayed as flash (pop-up) messages can get cached in the operating system and re-appear later at seemingly random times — sometimes hours or days after the original login.
What to do: See our dedicated guide on Android ghost SMS-OTPs for details and a fix.
Is Receiving Unexpected OTPs a Security Risk?
A single unexpected OTP is usually harmless — it expires in seconds and cannot be reused. However, a stream of unsolicited OTPs is a warning sign that someone may already have your password and is actively attempting to authenticate. If this happens:
- Do not enter the OTP or approve any push notification
- Change your password immediately
- Contact your IT administrator
For administrators: Mideye Shield can detect and block these attack patterns automatically. The shared intelligence network means attacks identified at other deployments are blocked at yours before they even start.
What Else Should You Know About Unexpected OTPs?
How do I know which application is sending the login requests?
Your IT administrator can check the Mideye Server logs to see which service (RADIUS client, web application, etc.) is generating the authentication requests for your account. This usually pinpoints the source quickly.
I receive OTPs at night or over the weekend when I am not working
This could be a VPN client on a powered-on workstation retrying connections in the background — or it could be an attacker probing your account during off-hours. Ask your IT administrator to check the Mideye logs for the source IP and RADIUS client. If the IP is unfamiliar, it may be an attack. Mideye Shield blocks these automatically.
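The log check described in the two answers above, combined with the fatigue-attack signs listed earlier, as an added example (not Mideye code): it scans constructed authentication records for users with several requests inside a short window and summarises each burst by RADIUS client, off-hours timing and unfamiliar source IPs. The record layout, thresholds, internal networks and working hours are assumptions and do not reflect the Mideye Server log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp, username, source IP, RADIUS client).
# This layout is an assumption for the example, not the Mideye Server log format.
SAMPLE = [
    ("2024-05-04T02:14:05", "alice", "203.0.113.50", "vpn-gw"),
    ("2024-05-04T02:14:15", "alice", "203.0.113.50", "vpn-gw"),
    ("2024-05-04T02:14:22", "alice", "203.0.113.50", "vpn-gw"),
    ("2024-05-04T02:14:31", "alice", "203.0.113.50", "vpn-gw"),
    ("2024-05-04T02:14:40", "alice", "203.0.113.50", "vpn-gw"),
    ("2024-05-06T10:00:00", "bob", "10.1.2.3", "vpn-gw"),
    ("2024-05-06T10:00:15", "bob", "10.1.2.3", "vpn-gw"),
    ("2024-05-06T10:00:30", "bob", "10.1.2.3", "vpn-gw"),
    ("2024-05-06T10:00:45", "bob", "10.1.2.3", "vpn-gw"),
    ("2024-05-06T09:00:00", "carol", "10.1.2.9", "webmail"),
]
KNOWN_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address ranges
WINDOW = timedelta(seconds=60)            # assumed burst window
THRESHOLD = 4                             # assumed request count that makes a burst
WORK_HOURS = range(7, 19)                 # assumed working hours, Monday to Friday

def find_bursts(records):
    """Return {username: summary} for users whose requests form a burst."""
    per_user = defaultdict(list)
    for ts, user, ip, client in records:
        per_user[user].append((datetime.fromisoformat(ts), ip, client))
    findings = {}
    for user, events in per_user.items():
        events.sort()
        start, best = 0, (0, -1)
        for end in range(len(events)):
            # Slide the left edge forward until the span fits inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        burst = events[best[0]:best[1] + 1]
        if len(burst) < THRESHOLD:
            continue
        findings[user] = {
            "count": len(burst),
            "clients": sorted({c for _, _, c in burst}),
            "off_hours": any(t.weekday() >= 5 or t.hour not in WORK_HOURS for t, _, _ in burst),
            "unknown_ips": sorted({ip for _, ip, _ in burst if not any(ip_address(ip) in n for n in KNOWN_NETS)}),
        }
    return findings

print(find_bursts(SAMPLE))
```

In the sample, both alice and bob show a burst through the same RADIUS client, but only alice's comes from an address outside the known ranges and at off-hours, while bob's looks like the reconnection loop described under benign causes.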
I am not a Mideye user — why am I getting these messages?
If the message does not explicitly say "Mideye", it is not from us. Many authentication services send OTPs by SMS. Check the sender name or short code. If it does say Mideye, your phone number may have been registered by mistake (e.g. inherited from a previous subscriber). Contact helpdesk@mideye.com with your phone number in international format and we will block further delivery.
What is MFA fatigue and how does it work?
MFA fatigue (also called OTP bombing or push fatigue) is a social engineering attack where an attacker who has stolen your password floods you with authentication prompts, hoping you'll approve one by mistake or enter the OTP to make the notifications stop. High-profile breaches at companies like Uber (2022) used this exact technique. Mideye Shield prevents this by blocking the authentication requests at the server level before any OTP is sent.
How does Mideye Shield protect against these attacks?
Mideye Shield evaluates every incoming authentication request against a shared threat intelligence network. IP addresses associated with credential stuffing, brute force, or MFA fatigue attacks are automatically blocked. Because all participating Mideye deployments share intelligence, an attack detected at one customer protects everyone. Static filter rules can also reject requests based on username patterns or source IPs.