Multi-factor authentication has become a cornerstone of modern cybersecurity. By requiring a second form of verification beyond just a password, MFA makes it significantly harder for attackers to access accounts – even if they’ve stolen login credentials.
But cyber criminals are nothing if not adaptable. When one door closes, they look for windows. And with MFA fatigue attacks, they’ve found a way to turn this security measure into a weapon.
What Is MFA Fatigue?
MFA fatigue – also known as MFA bombing or push notification spam – is a social engineering technique that exploits the human element of multi-factor authentication.
Here’s how it works: An attacker obtains a user’s login credentials, typically through phishing, data breaches, or credential stuffing attacks. Because the password is correct, each login attempt passes the first factor, and the legitimate user’s phone receives a push notification asking them to approve the access request.
Rather than giving up, the attacker repeatedly attempts to log in, bombarding the user with notification after notification. Eventually, worn down by the constant alerts – often late at night or early in the morning – the victim approves a request just to make the notifications stop.
And just like that, the attacker is in.
Why It Works
MFA fatigue exploits fundamental aspects of human psychology.
Notification overload: We’re all conditioned to dismiss notifications quickly. When your phone buzzes constantly, the instinct is to make it stop – not to carefully evaluate each alert.
Confusion: Receiving multiple unexpected MFA requests can be disorienting. Users might assume there’s a technical glitch, that the system is malfunctioning, or that they accidentally triggered the requests themselves.
Timing: Attackers often launch these attacks outside business hours, when victims are tired, distracted, or simply want to go back to sleep. Decision-making at 3am is rarely at its sharpest.
Pressure: The constant stream of notifications creates a sense of urgency. Users want the problem to go away, and approving the request seems like the quickest solution.
Plausible deniability: Unlike clicking a phishing link, approving an MFA request feels like a minor action. Users might not even realise they’ve done anything wrong until it’s too late.
Real-World Attacks
MFA fatigue isn’t just theoretical – it’s been used in major breaches.
In 2022, a high-profile attack on a major technology company reportedly succeeded when a contractor approved an MFA request after being bombarded with notifications. The attackers then used that access to move through the company’s systems.
Similar techniques have been used against organisations across various industries, from technology firms to financial services. The pattern is consistent: obtain credentials, spam notifications, wait for human error.
The Limitations of Push-Based MFA
It’s worth noting that MFA fatigue attacks primarily target push notification-based authentication – the “approve this login” alerts sent to smartphone apps.
This isn’t to say push-based MFA is bad. It’s still far more secure than passwords alone, and it remains effective against the majority of attacks. But it does have a weakness: it relies on users making correct decisions under pressure.
Other forms of MFA behave differently. Time-based one-time passwords (TOTP) cannot be “bombed” at all, because the attacker has no way to make the user’s device prompt them: the user must open the app and type the code themselves. TOTP codes can still be phished and relayed, however. Hardware security keys and passkeys (FIDO2) resist both fatigue and phishing, because the user must physically touch the key and the response is bound to the genuine website’s origin. Both options tend to be less convenient than a push prompt, which affects adoption rates.
Protecting Your Business
Defending against MFA fatigue requires a combination of technical controls and user awareness.
Educate your team: Staff need to understand that unexpected MFA requests should never be approved. If you didn’t just try to log in, that notification isn’t legitimate – it means someone else has your password.
Implement number matching: Many MFA solutions now offer number matching, where the login screen displays a short number and the user must type that number into the authenticator app rather than simply tapping “approve.” A victim who is not at the login screen does not know the number, so a blind tap no longer grants access. Prompts that also show the requesting application and approximate location give users the context they need to spot a request that isn’t theirs.
Set notification limits: Some platforms allow you to limit the number of MFA requests that can be sent to a user within a timeframe. Once the limit is reached, further prompts should be refused and the account flagged or temporarily locked, which starves the attack of the repetition it depends on.
Enable reporting: Give users a clear way to report suspicious MFA requests, ideally a “deny and report” button in the prompt itself. A report should trigger an immediate password reset, revocation of active sessions, and an investigation.
Consider phishing-resistant MFA: For high-risk accounts, hardware security keys or passkeys offer stronger protection against both phishing and fatigue attacks.
Monitor for unusual patterns: In an MFA fatigue attack the password step succeeds every time, so the signal is not failed logins but a burst of push challenges that were denied or timed out, followed by one that was approved, often from an unfamiliar IP address, device or country. Alert on the burst itself, before any approval, so the security team can lock the account while the user is still saying no. Ensure your security monitoring captures these patterns.
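The number-matching and prompt-limit controls above can be seen working together in this added Python example, which is not code from the original article or from any particular MFA product. It models a hypothetical push service: each challenge carries a random two-digit number that the login screen would show and the user must type into the app, and a user receives at most three prompts per five-minute window (both limits are assumed values to illustrate the idea). A simulated attacker with a valid password then hammers the login to show how many prompts actually reach the phone.

```python
import secrets
import time
from collections import deque
from dataclasses import dataclass

# Assumed policy values for the example; tune to your identity provider's settings.
MAX_PROMPTS_PER_WINDOW = 3   # prompts a user may receive before further ones are refused
WINDOW_SECONDS = 300         # sliding window over which prompts are counted
CHALLENGE_TTL_SECONDS = 60   # how long a push challenge stays valid


@dataclass
class Challenge:
    user: str
    number: int       # shown on the login screen; the user types it into the authenticator app
    issued_at: float


class PushMfaService:
    """Hypothetical push MFA backend with number matching and per-user prompt limiting."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so the behaviour can be tested without sleeping
        self._prompts = {}            # user -> deque of timestamps of prompts sent in the window
        self._pending = {}            # user -> outstanding Challenge (at most one at a time)

    def request_push(self, user):
        """Issue a push challenge, or return None if the user has been prompted too often.

        A None result is the point at which a real deployment should alert and lock,
        not silently let the attacker keep retrying.
        """
        now = self.clock()
        sent = self._prompts.setdefault(user, deque())
        while sent and now - sent[0] > WINDOW_SECONDS:   # drop prompts that fell out of the window
            sent.popleft()
        if len(sent) >= MAX_PROMPTS_PER_WINDOW:
            return None
        sent.append(now)
        challenge = Challenge(user=user, number=secrets.randbelow(100), issued_at=now)
        self._pending[user] = challenge
        return challenge

    def approve(self, user, typed_number):
        """Succeed only if the number typed into the app matches the one on the login screen.

        The challenge is consumed on the first answer, right or wrong, so a second guess
        needs a fresh prompt (and so counts against the prompt limit).
        """
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        if self.clock() - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            return False
        # Constant-time comparison is overkill for two digits but is the habit worth keeping.
        return secrets.compare_digest(f"{typed_number:02d}", f"{challenge.number:02d}")


def simulate_bombing(service, user, attempts):
    """Attacker holding a valid password retries the login; count prompts delivered vs refused."""
    delivered = refused = 0
    for _ in range(attempts):
        if service.request_push(user) is None:
            refused += 1
        else:
            delivered += 1
    return delivered, refused


if __name__ == "__main__":
    svc = PushMfaService()
    print("delivered, refused:", simulate_bombing(svc, "alice", 10))
    # A victim who blindly taps "approve" never learns the number, so a guess fails:
    ch = svc.request_push("alice") or Challenge("alice", 0, 0.0)
    print("blind guess accepted:", svc.approve("alice", (ch.number + 1) % 100))
```

The two controls reinforce each other: number matching turns a reflexive tap into a deliberate act that requires being at the login screen, and the prompt limit means the attacker gets only a handful of tries before the account is flagged rather than an unlimited supply of 3am buzzes.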
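The monitoring point above is easier to see with detection logic run over real-looking events. This added Python example is not from the original article and does not target any particular product’s log format: the line layout (`timestamp user=… event=… src=…`) and the event names `push_sent`, `push_denied`, `push_timeout` and `push_approved` are assumed, as are the ten-minute window and the thresholds. The sample log is constructed. Two rules are applied: an approval preceded by several rejected prompts from the same user, and a prompt storm that fires before any approval so an analyst can act while the user is still saying no.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical identity-provider export format.
# alice: classic fatigue run ending in an approval; bob: normal login;
# carol: one missed prompt then a retry, which should stay quiet.
SAMPLE_LOG = """\
2024-03-02T02:40:11Z user=alice event=push_sent src=203.0.113.7
2024-03-02T02:40:41Z user=alice event=push_timeout src=203.0.113.7
2024-03-02T02:40:52Z user=alice event=push_sent src=203.0.113.7
2024-03-02T02:41:03Z user=alice event=push_denied src=203.0.113.7
2024-03-02T02:41:10Z user=alice event=push_sent src=203.0.113.7
2024-03-02T02:41:40Z user=alice event=push_timeout src=203.0.113.7
2024-03-02T02:41:45Z user=alice event=push_sent src=203.0.113.7
2024-03-02T02:42:15Z user=alice event=push_timeout src=203.0.113.7
2024-03-02T02:42:20Z user=alice event=push_sent src=203.0.113.7
2024-03-02T02:42:31Z user=alice event=push_approved src=203.0.113.7
2024-03-02T09:05:00Z user=bob event=push_sent src=198.51.100.4
2024-03-02T09:05:06Z user=bob event=push_approved src=198.51.100.4
2024-03-02T11:20:00Z user=carol event=push_sent src=198.51.100.9
2024-03-02T11:20:30Z user=carol event=push_timeout src=198.51.100.9
2024-03-02T11:21:00Z user=carol event=push_sent src=198.51.100.9
2024-03-02T11:21:07Z user=carol event=push_approved src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")
REJECTED = {"push_denied", "push_timeout"}   # prompts the user did not approve

WINDOW = timedelta(minutes=10)   # assumed lookback; tune to your environment
REJECT_THRESHOLD = 3             # rejected prompts before an approval that make it suspicious
STORM_THRESHOLD = 5              # prompts sent within WINDOW that warrant intervention on their own


def parse_log(text):
    """Parse the assumed line format into dicts sorted by timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def _trim(window_events, now):
    """Drop timestamps older than WINDOW from the left of a per-user deque."""
    while window_events and now - window_events[0] > WINDOW:
        window_events.popleft()


def detect_fatigue_approvals(events):
    """Rule 1: an approval preceded by >= REJECT_THRESHOLD rejected prompts for that user within WINDOW."""
    rejected = defaultdict(deque)
    alerts = []
    for e in events:
        q = rejected[e["user"]]
        _trim(q, e["ts"])
        if e["event"] in REJECTED:
            q.append(e["ts"])
        elif e["event"] == "push_approved" and len(q) >= REJECT_THRESHOLD:
            alerts.append({"rule": "approval_after_rejections", "user": e["user"],
                           "src": e["src"], "rejected": len(q), "ts": e["ts"].isoformat()})
            q.clear()   # one alert per run of rejections
    return alerts


def detect_prompt_storms(events):
    """Rule 2: the STORM_THRESHOLD-th push_sent for a user within WINDOW, fired before any approval."""
    sent = defaultdict(deque)
    alerts = []
    for e in events:
        if e["event"] != "push_sent":
            continue
        q = sent[e["user"]]
        _trim(q, e["ts"])
        q.append(e["ts"])
        if len(q) == STORM_THRESHOLD:   # fire once as the threshold is crossed, not on every later prompt
            alerts.append({"rule": "prompt_storm", "user": e["user"],
                           "src": e["src"], "prompts": len(q), "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in detect_prompt_storms(evts) + detect_fatigue_approvals(evts):
        print(alert)
```

Note which rule fires first for alice: the prompt storm triggers at 02:42:20, eleven seconds before she finally approves, and that is the alert worth paging on. Carol’s single timeout followed by a retry stays below both thresholds, which is the kind of ordinary behaviour the thresholds exist to tolerate; in production you would also enrich the approving `src` with geolocation and device reputation and raise the severity when it does not match the user’s history.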
MFA Is Still Essential
None of this should discourage you from using multi-factor authentication. MFA remains one of the most effective security measures available, blocking the vast majority of account compromise attempts.
The message isn’t that MFA is broken – it’s that attackers adapt, and so must we. Understanding how MFA fatigue works allows you to implement the right controls and train your team to recognise the warning signs.
Security is never a set-and-forget proposition. It’s an ongoing process of staying aware, staying updated, and staying one step ahead.
Ready to strengthen your organisation’s authentication security? Provident IT Solutions can help you implement robust MFA solutions and train your team to recognise social engineering attacks. Contact us to discuss your security needs.