
MFA Fatigue Attacks and What to Do About Them

October 17, 2025

Introduction

MFA (multi-factor authentication) has long been viewed as one of the most effective safeguards against unauthorized access. By requiring users to verify their identities through multiple factors, such as passwords, authentication apps, or biometrics, MFA significantly reduces the risk of a single compromised credential leading to a full-scale breach. It’s a cornerstone of modern security strategy, relied upon by organizations worldwide to protect critical systems and sensitive data.

But as defenders strengthen their authentication layers, attackers have learned to turn human behavior into their greatest exploit. Enter MFA fatigue attacks: a social engineering technique that targets users, not infrastructure. Instead of breaking encryption or bypassing firewalls, threat actors repeatedly trigger authentication requests, overwhelming users until one mistakenly approves the prompt. It’s persistence over precision, and it’s alarmingly effective.

In 2025, this tactic has gained momentum across industries, fueled by the widespread adoption of MFA and the psychological pressure it can impose on already busy employees. Attackers no longer need advanced malware to compromise networks. What they need is patience and timing.

In this blog, we will dive into how MFA fatigue attacks work, why they’re becoming a preferred method for gaining initial access, and what makes them so successful. More importantly, we’ll be exploring what organizations can do to strengthen their defenses, combining smarter authentication practices, technical safeguards, and user awareness to ensure that MFA remains a line of defense and not a point of failure.

  1. What Is MFA Fatigue?

MFA fatigue, often called push bombing or prompt spamming, is a form of social engineering that targets the human side of security rather than the technology itself. In practice, an attacker first obtains valid credentials (often via phishing, dark-web leaks, or credential stuffing). Then they flood the user’s authentication device with repeated MFA push requests. The goal isn’t to bypass encryption or exploit code; it’s to exploit human exhaustion.

After receiving dozens or even hundreds of notifications, a frustrated user might eventually tap “approve,” unintentionally granting access to the attacker. The idea is simple: overwhelm the user until one of the requests is approved out of frustration, confusion, or haste.

This tactic has become a preferred method for cybercriminals because it’s simple, scalable, and effective. Unlike sophisticated exploits that require advanced tooling or zero-days, MFA fatigue relies on persistence and psychology. It’s the digital equivalent of knocking on someone’s door until they open it just to make the noise stop. The result: legitimate credentials and legitimate authentication misused through manipulation.

MFA fatigue marks a shift in attacker strategy from deception to disruption. Instead of tricking users into revealing credentials through phishing sites or malicious attachments, threat actors are now weaponizing trust in familiar systems. Because the MFA requests come from real applications, such as Microsoft Authenticator, Duo, Okta, or Google Prompt, they often appear legitimate, making users second-guess their instincts.

High-profile breaches have exposed how damaging this technique can be. Incidents involving Microsoft, Uber, and Cisco demonstrated how persistent MFA prompts can break even well-trained employees. In the Uber breach attributed to Lapsus$, attackers allegedly spammed an employee with MFA prompts for more than an hour, then followed up via WhatsApp posing as IT staff, ultimately convincing the target to accept the request. Microsoft itself has documented the scale of this attack mode: in a recent analysis, more than 382,000 MFA fatigue attempts were recorded over a 12-month period, and 1% of users had reportedly approved the first unexpected prompt they saw. That statistic underscores how a small rate of user error can translate into significant access risk at scale.

By late 2024 and into 2025, security researchers observed a steep rise in MFA fatigue campaigns across industries. The takeaway is clear: MFA remains essential, but as long as humans are part of the equation, fatigue will remain one of the most exploitable and overlooked attack vectors in cybersecurity.

  2. Why MFA Fatigue Works

It bears repeating that MFA fatigue attacks don’t exploit code, but people. They’re a form of psychological manipulation dressed as a technical process, turning the convenience of modern authentication into a weapon of persistence. Instead of trying to bypass multi-factor authentication, attackers simply wait for users to lower their guard.

It begins with stolen credentials: a valid username and password, usually obtained through phishing, credential stuffing, or dark web leaks. With these in hand, the attacker initiates a flurry of MFA requests to the victim’s device. The goal isn’t sophistication; it’s attrition. Each notification, vibration, or pop-up wears down the target’s patience, and after dozens or even hundreds of attempts, all it takes is one moment of frustration or distraction for the user to approve the login.

This technique works because it preys on human psychology, not system design. MFA fatigue leverages three key mental triggers:

  • Urgency: Repeated notifications create a false sense of importance, making users feel they need to “resolve” the alerts quickly.
  • Exhaustion: When MFA requests arrive late at night or during a busy workday, the user’s threshold for rational decision-making drops sharply.
  • Distraction: Between constant emails, Slack messages, and video calls, users often respond reflexively, approving prompts without verifying context.

This cognitive overload is amplified in modern remote and hybrid environments. When employees access systems from personal devices, home networks, or while traveling, authentication activity naturally becomes irregular. For example, an MFA request at 2 a.m. might not seem alarming to someone used to flexible hours. Attackers exploit this new normal by blending their activity into the noise of legitimate, round-the-clock work.

What makes MFA fatigue so effective is that it turns trust against itself. Users have been trained to see MFA as a protective barrier, not a potential threat vector. When that barrier becomes the attack channel, confusion and complacency fill the gap.

Ultimately, MFA fatigue highlights a painful truth: technical controls are only as strong as the humans interacting with them. Even the most secure systems can crumble under social engineering pressure if users aren’t conditioned to recognize the manipulation behind the pings. Bridging the gaps between authentication and awareness, and between access and intent, is one of cybersecurity’s most urgent challenges.

  3. Real-World Examples of MFA Fatigue Attacks

MFA fatigue is a proven, repeatable technique that has powered some of the most publicized breaches in recent years. Threat groups like Lapsus$, Scattered Spider, and other sophisticated social engineering collectives have shown how easily persistence and psychology can defeat even advanced defenses.

Not even three years ago, in 2022, Lapsus$ made headlines by breaching several global tech companies, including Microsoft and Okta, through relentless MFA push notifications. Their method was deceptively simple: after stealing valid credentials through dark web marketplaces, they bombarded employees with approval requests. Dark Reading reported at the time that “after the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt — thus allowing the attacker to log in.” Once the exhausted or distracted user finally accepted the prompt, the attackers gained full access to internal systems. No malware or zero-day exploit was required.

Similarly, Scattered Spider, known for its attacks on telecom and hospitality sectors, has refined MFA fatigue as part of broader social engineering campaigns. These groups often combine voice phishing (vishing) with push notification abuse, calling victims while impersonating IT staff to pressure them into approving MFA prompts “for verification.” It’s a powerful one-two punch that merges deception with disruption.

Across these incidents, the pattern is strikingly consistent:

  • Attackers obtain valid credentials through phishing or credential theft.
  • They initiate a barrage of MFA prompts, often outside business hours.
  • When victims approve one, often out of annoyance, attackers pivot quickly to escalate privileges, exfiltrate data, or deploy ransomware.

The lesson is clear: even strong authentication can crumble without behavioral resilience. These breaches underscore that security awareness and adaptive MFA controls are just as critical as the technology itself. Organizations must rethink MFA not as a set-and-forget solution, but as a dynamic process that anticipates and neutralizes human fatigue.

  4. Mitigation: How to Defend Against MFA Fatigue

Defending against MFA fatigue attacks requires a layered approach that blends smarter authentication technology, stronger user awareness, and tighter monitoring. Since these attacks exploit human behavior rather than software flaws, mitigation must focus on reducing friction without creating new points of fatigue or confusion.

A Medium article on strategies against MFA fatigue attacks likewise concludes that the best defense is a layered one, and names several approaches and tactics that strengthen MFA against modern threats, including: “using phishing-resistant MFA; limiting push frequency and introducing lockouts; closing loopholes and improving access controls; monitoring and responding proactively, and finally, focusing on user awareness and education.”

One of the most effective defenses is number matching, now supported by most major MFA providers. Instead of simply approving a push notification, users must enter a code displayed on their login screen. This extra verification step stops attackers from gaining access even if a user accidentally taps “approve.” Similarly, context-aware MFA, which includes details like the device name, location, and time of access, helps users quickly spot suspicious activity and make informed choices.
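As an added illustration (not code from the original post or from any MFA vendor), the following Python models a number-matching push challenge on the server side. The challenge number is sent only to the sign-in screen that started the login, so a reflexive tap on “approve” that carries no number cannot complete the sign-in; the two-digit format and the 60-second lifetime are assumed policy values.

```python
import hmac
import secrets
import time

NUMBER_MATCH_DIGITS = 2      # assumed policy: two-digit challenge shown on the login screen
CHALLENGE_TTL_SECONDS = 60   # assumed policy: an unanswered prompt expires after one minute


class PushChallenge:
    """One sign-in push prompt protected by number matching.

    The challenge number is rendered only on the sign-in screen that requested
    the login, never inside the push notification. The authenticator asks the
    user to type that number, so approving blindly cannot complete the login.
    """

    def __init__(self, user, now=None):
        self.user = user
        self.created = time.time() if now is None else now
        self.number = f"{secrets.randbelow(10 ** NUMBER_MATCH_DIGITS):0{NUMBER_MATCH_DIGITS}d}"
        self.consumed = False

    def display_number(self):
        # Returned to the sign-in session only (the screen the login was started from).
        return self.number

    def approve(self, entered, now=None):
        """Return True only for a fresh, unused prompt answered with the displayed number."""
        now = time.time() if now is None else now
        if self.consumed or now - self.created > CHALLENGE_TTL_SECONDS:
            return False            # replayed or stale prompt
        self.consumed = True        # single use: a wrong guess burns the prompt too
        if entered is None:
            return False            # a bare "approve" tap carries no number and is rejected
        return hmac.compare_digest(str(entered), self.number)


def demo():
    """Outcomes for a blind tap, a correct answer, a replay and an expired prompt."""
    blind = PushChallenge("alice", now=0.0)
    matched = PushChallenge("alice", now=0.0)
    stale = PushChallenge("alice", now=0.0)
    return {
        "blind_tap": matched is None or blind.approve(None, now=1.0),
        "correct_number": matched.approve(matched.display_number(), now=5.0),
        "replay": matched.approve(matched.display_number(), now=6.0),
        "expired": stale.approve(stale.display_number(), now=120.0),
    }
```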

Beyond these front-line defenses, organizations should adopt adaptive authentication and risk-based MFA policies. These systems analyze factors such as IP reputation, device health, and user behavior to decide when additional verification is truly necessary. For instance, if an employee logs in from a trusted device or network, MFA prompts can be minimized, but if the system detects unusual activity, it can escalate security requirements instantly. This balance maintains security while reducing fatigue.

To future-proof their defenses, organizations should migrate toward phishing-resistant MFA methods like FIDO2, hardware tokens, or passkeys. These standards eliminate the risk of credential replay or push notification abuse by tying authentication directly to a physical device or biometric factor. Equally important is user education. Employees should understand the principle of prompt hygiene: never approving MFA requests they didn’t initiate and reporting unexpected notifications immediately. Training should emphasize that fatigue attacks are deliberate manipulation attempts and not random system errors.

Finally, MFA systems should be tightly integrated into Security Operations Center (SOC) workflows. Suspicious authentication activity, such as repeated failed pushes or logins from unknown devices, should trigger alerts, allowing analysts to investigate and respond before compromise occurs.
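As an added example (not code from the original post), this Python sketches the SOC-side detection the paragraph calls for, and also the push rate-limiting and lockout idea from the Medium list above: it reads constructed push-prompt outcome lines, suspends push for a user after a burst of denied or unanswered prompts, and raises a separate, higher-priority alert when an approval follows such a burst. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds; tune them to the tenant's own baseline.
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5        # unapproved prompts within WINDOW: lock pushes for the user and alert
DENIED_BEFORE_APPROVE = 3  # an approval after this many refusals is treated as likely compromise

# Constructed sample events (not real logs): one line per push prompt outcome.
SAMPLE_LOG = """\
2025-10-16T02:10:01Z user=alice ip=203.0.113.7 result=denied
2025-10-16T02:10:40Z user=alice ip=203.0.113.7 result=timeout
2025-10-16T02:11:15Z user=alice ip=203.0.113.7 result=denied
2025-10-16T02:12:02Z user=alice ip=203.0.113.7 result=denied
2025-10-16T02:12:50Z user=alice ip=203.0.113.7 result=timeout
2025-10-16T02:14:30Z user=alice ip=203.0.113.7 result=approved
2025-10-16T09:00:00Z user=bob ip=198.51.100.9 result=approved
2025-10-16T09:30:00Z user=bob ip=198.51.100.9 result=denied
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")


def detect_push_bombing(log_text):
    """Return (alerts, locked_users): alert tuples (kind, user, ip, timestamp) for SOC
    triage, and the users whose push method should be suspended pending review."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts inside WINDOW
    alerts, locked = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore malformed lines rather than crash the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        user, ip, result = m["user"], m["ip"], m["result"]
        window = recent[user]
        while window and ts - window[0] > WINDOW:
            window.popleft()      # slide the window forward
        if result in ("denied", "timeout"):
            window.append(ts)
            if len(window) >= BURST_THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append(("push_bombing", user, ip, ts.isoformat()))
        elif result == "approved" and len(window) >= DENIED_BEFORE_APPROVE:
            # The pattern from the post: a burst of refusals, then a single "approve"
            alerts.append(("approval_after_burst", user, ip, ts.isoformat()))
    return alerts, sorted(locked)
```

Bob's single denial stays below the threshold and produces nothing, which is the point of windowing: the alert fires on the burst, not on ordinary mis-taps.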

In the end, defending against MFA fatigue is all about building resilience. By combining smarter authentication methods, informed users, and responsive detection, organizations can turn one of today’s most common weaknesses into a renewed layer of strength.

  5. Building a Human-Aware Security Culture

While technology plays a vital role in preventing MFA fatigue attacks, the strongest defense often comes from people. Attackers exploit moments of frustration, distraction, and misplaced trust, which are all human factors that can’t be patched with software. That’s why fostering a human-aware security culture is essential to long-term resilience.

A strong security culture begins with continuous education. Organizations should move beyond one-time training sessions and implement regular, scenario-based exercises that simulate real MFA fatigue attempts. When users experience firsthand how these attacks unfold (repeated prompts, urgent messages, or spoofed IT requests), they’re far more likely to recognize and resist them in real situations.

Creating a culture of open communication between IT teams and end users is equally important. Employees should feel comfortable reporting unusual MFA activity without fear of reprimand or ridicule. Every suspicious push or login attempt that’s reported can provide valuable intelligence to the SOC and help strengthen organizational defenses.

Leadership should champion this mindset as well, reinforcing from the top down that cybersecurity isn’t just an IT responsibility but a shared effort across departments. Celebrating good security behavior, sharing anonymized examples of prevented attacks, and offering quick feedback loops all contribute to awareness and accountability.

Ultimately, building a human-aware security culture means empowering users to become active participants in defense, instead of passive targets. Technology can filter threats, but only people can recognize when something feels “off.” Bridging that gap between human intuition and technical controls is where true cyber resilience begins.

  6. Conclusion: Smarter MFA for a More Resilient Future

MFA fatigue attacks have become one of the defining threats of the modern authentication era, not because MFA has failed, but because attackers have evolved to exploit its weakest link: human behavior. By overwhelming users with repeated prompts or cleverly disguised notifications, threat actors can turn even the most secure systems into gateways for compromise.

Despite this evolution, MFA remains a cornerstone of strong cybersecurity. The issue isn’t the tool itself but how it’s implemented and managed. Organizations must adapt their authentication strategies to account for attacker persistence and human fatigue, pairing technical measures like number matching, passkeys, and risk-based authentication with proactive awareness training and cultural change.

Building a resilient defense against MFA fatigue isn’t just about adding more layers; it’s about making every layer smarter. When teams understand how these attacks unfold and systems are configured to respond intelligently, the odds shift dramatically in favor of the defender.

In a world where attackers don’t rest, defense can’t rely on automation alone. The key to staying ahead is preparation, awareness, and smart testing, because the strongest security posture is the one that never stops learning.


Sources:

  • https://www.wired.com/story/uber-hack-mfa-phishing/
  • https://www.microsoft.com/en-us/security/blog/2025/04/21/securing-our-future-april-2025-progress-report-on-microsofts-secure-future-initiative/
  • https://www.darkreading.com/cyberattacks-data-breaches/uber-breach-external-contractor-mfa-bombing-attack
  • https://medium.com/@stevejacob45678/defending-against-mfa-fatigue-attacks-and-bypass-techniques-a93d4376d132
