Introduction
Multi-factor authentication (MFA) was once hailed as the gold standard for stopping account takeovers. But attackers have adapted. “MFA fatigue” attacks — also known as MFA bombing — exploit human behavior, not technical flaws.
In 2022, Uber’s breach made headlines when an attacker bombarded an employee with repeated MFA prompts until they finally clicked “approve.” Since then, the tactic has become mainstream. Microsoft, Cisco, and identity providers like Okta have all reported cases where MFA fatigue played a role in intrusions.
For CISOs, it’s no longer enough to simply “turn on MFA.” You need a layered defense that addresses technology, process, and people.
Why MFA Fatigue Works
MFA fatigue works because it preys on human psychology and operational weaknesses:
Psychological exploitation: Users are conditioned to approve login prompts quickly, often without double-checking context (NIST Digital Identity Guidelines).
Alert overload: Employees already drown in notifications. A flood of MFA prompts blends in and creates “click fatigue.”
Attack automation: Tools and scripts make it trivial for attackers to fire hundreds of prompts in seconds (Microsoft Security Blog).
Weak fallback: Once inside, attackers often find legacy protocols or OAuth connections without MFA enabled.
👉 Lesson: MFA is strong, but attackers exploit the human layer.
Step-by-Step: Building Resilience Against MFA Fatigue
1. Move Beyond Push-Only MFA
Push notifications are convenient but vulnerable. Better options include:
Number-matching MFA: User must enter a number displayed on the login screen into their authenticator app (Microsoft rollout).
Phishing-resistant MFA: FIDO2 security keys, WebAuthn, or passkeys (endorsed by CISA).
Context-aware prompts: Show login location, IP, device, and time to help users validate legitimacy.
2. Enforce Adaptive Authentication
Not every login should be treated the same. Raise defenses when risk indicators spike:
Impossible travel (e.g., New York then Tokyo in 10 minutes).
New device or location attempting access.
High-value applications like ERP, finance, or SaaS admin consoles.
Adaptive authentication reduces unnecessary MFA prompts while applying scrutiny where it matters most (Gartner Adaptive Access Management).
3. Harden Against Legacy Bypass
Attackers often pivot to weaker routes:
Disable legacy protocols like IMAP, POP3, and basic auth in Microsoft 365.
Require MFA everywhere — VPN, SaaS, cloud portals, and privileged accounts.
Audit OAuth permissions: Attackers exploit overprivileged connected apps to sidestep MFA (Proofpoint).
4. Train Employees for “Push Awareness”
Employees must understand that multiple unexpected MFA prompts = red flag.
Run phishing/MFA fatigue simulations as part of awareness training (KnowBe4).
Reinforce that approving fraudulent prompts is like handing over their ID badge.
Build a culture where reporting suspicious MFA activity is rewarded, not penalized.
5. Monitor and Respond
MFA fatigue leaves a trail. Security teams should:
Look for spikes in failed push approvals.
Flag high-volume attempts outside business hours.
Monitor for logins from anomalous IP addresses tied to MFA spamming.
Automate detection and account lockouts for users targeted with excessive MFA requests (Okta Blog).
Common Pitfalls to Avoid
Believing “MFA = safe” and ignoring bypass vectors.
Relying only on push-based MFA without safeguards like number matching.
Overlooking OAuth abuse pathways.
Neglecting user training, leaving employees vulnerable to pressure tactics.
What CISOs Should Do This Quarter
Deploy phishing-resistant MFA (passkeys, FIDO2 keys) for admins first.
Roll out number-matching MFA across all workforce accounts.
Audit OAuth integrations in Microsoft 365, Google Workspace, and Salesforce.
Disable legacy protocols that still allow password-only logins.
Run a tabletop exercise simulating MFA fatigue to prepare IR teams.
Case Study: Okta Breach Lessons
In 2023, Okta confirmed that threat actors used MFA fatigue to compromise enterprise accounts. Even identity providers aren’t immune.
Companies that layered phishing-resistant MFA, adaptive policies, and employee training were best positioned to resist. The breach underscored the need for CISOs to treat MFA fatigue as a strategic risk, not a one-off incident.
Conclusion
MFA fatigue isn’t a failure of MFA — it’s proof that attackers adapt. For CISOs, the path forward is layered: stronger authentication methods, adaptive risk-based policies, hardened configurations, and user awareness.
With MFA fatigue on the rise, doing the bare minimum is no longer enough. Organizations that evolve faster than attackers will be the ones that stay resilient.
📩 Want more practical CISO guidance?
Subscribe to The CyberSignal Weekly for the latest cybersecurity news and practical CISO guidance each week, or The CyberSignal Daily for daily insights.
❓ FAQ: MFA Fatigue
What is MFA fatigue?
It’s when attackers flood users with MFA prompts until they approve one out of annoyance or confusion.
Is push-based MFA unsafe?
Not inherently — but push fatigue makes it exploitable. Adding number-matching or migrating to passkeys reduces the risk.
How do I know if my org has been targeted?
Watch for spikes in MFA prompts, failed approvals, or suspicious logins from unusual IP addresses.
What’s the best defense?
Phishing-resistant MFA (FIDO2, passkeys) combined with adaptive policies and employee training.
Is SMS MFA safer than push?
No. SMS MFA is vulnerable to SIM swaps and interception. Security keys or passkeys remain the gold standard.