MFA mitigates which attack that targets many accounts with a few commonly used passwords?

Prepare for the Security Operations Exam with targeted practice questions. Enhance your understanding with detailed explanations and tips to successfully pass your exam!

Multiple Choice

MFA mitigates which attack that targets many accounts with a few commonly used passwords?

Explanation:
Password spraying targets many accounts by trying a small set of commonly used passwords across them. The goal is to gain access without triggering heavy lockouts on any single account. Multi-factor authentication helps here because even if the password is one of those common ones, the attacker still needs the second factor to log in. That extra factor—like a code from an authenticator app, a hardware token, or a push approval—usually isn’t accessible to the attacker, so the attempt fails. Other attack types involve trying many passwords on one account (brute force), using leaked credentials from breaches across sites (credential stuffing), or convincing users to reveal credentials (phishing), but MFA specifically reduces the success of password spraying by adding a per-user second factor.

