MFA Fatigue

The Quiet Attack That Exploits User Habit

Multi-factor authentication is one of the most effective ways to protect accounts, but it is not foolproof. MFA fatigue attacks exploit the human side of security by overwhelming users with repeated authentication requests until someone approves one by mistake.

What is MFA fatigue?

MFA fatigue is a social engineering attack in which an attacker floods a user with repeated MFA push notifications. The attacker usually already has the victim’s password and is trying to trick them into approving a login request they did not initiate.

This tactic is also known as push bombing or MFA prompt bombing. Instead of breaking the authentication system directly, the attacker pressures the user into bypassing it.

How the attack works

The attack usually follows a simple pattern:

  • The attacker steals or guesses a valid username and password.
  • They attempt to log in repeatedly, triggering MFA push requests.
  • The victim receives alert after alert on their phone or authenticator app.
  • The victim becomes annoyed, distracted, or confused.
  • One accidental approval gives the attacker access.

The method is effective because people often trust MFA prompts and may assume repeated notifications are a technical glitch or a legitimate login attempt.

Why MFA fatigue succeeds

MFA fatigue works because it targets attention, not technology. Users are trained to respond quickly to login prompts, and repeated notifications can wear down caution over time.

It is especially effective in busy workplaces where employees may be juggling meetings, messages, and other tasks. A prompt that arrives during a stressful moment can feel routine enough to approve without thinking.

Warning signs to watch for

Common indicators of an MFA fatigue attack include:

  • Multiple authentication prompts you did not initiate.
  • A burst of login notifications in a short period.
  • Prompts arriving late at night or at unusual times.
  • Requests that continue even after you deny them.
  • Unfamiliar login activity in account audit logs.

Any unexpected MFA prompt should be treated as suspicious. Repeated prompts are a stronger warning that someone may be actively trying to force access.

How to prevent MFA fatigue

The strongest defense is to reduce dependence on simple push approvals. Security teams should consider several layered controls:

  • Use number matching instead of one-tap approval.
  • Bind authentication to a specific trusted device.
  • Limit how many prompts can be sent in a short time.
  • Apply risk-based authentication for unusual logins.
  • Require stronger methods such as passkeys or hardware keys for sensitive accounts.
  • Train users to report suspicious prompts immediately.

These measures make it much harder for attackers to rely on user frustration or distraction alone.

What users should do

If you receive a login prompt you did not request, deny it immediately. Do not approve it just to stop the notifications.

After that, change your password, review recent account activity, and notify your IT or security team if the account is work-related. If the prompts continue, your account may already be under attack and should be investigated right away.

What organizations should do

Organizations should treat MFA fatigue as both a security and a usability problem. If MFA becomes too noisy, users will eventually make mistakes.

Security teams can improve protection by combining better MFA design with user awareness training, logging, alerting, and conditional access policies. The goal is not just to add authentication, but to make authentication meaningful and hard to manipulate.

Final thoughts

MFA fatigue shows that even strong defenses can fail when attackers exploit human behavior. Repeated prompts may look harmless, but they are often the opening move in a real account takeover attempt.

The answer is not to abandon MFA. It is to make MFA smarter, quieter, and harder to abuse. You can also plan for passkey migration for an even better and robust security.

If you are ready to take your business’s security to the next level, or if you need help implementing MFA or passkey migration, Dual Layer cybersecurity experts are here to help you secure your business and protect what matters most.

Cyber Security
Cloud Computing Services