How MFA Fatigue Works

Push notification-based multi-factor authentication presents an approval request on a user's registered device when a login attempt occurs. The security assumption is that the user will only approve requests they initiated. MFA fatigue exploits a gap in that assumption: if an attacker possesses valid credentials and bombards the user with push notifications, particularly at times when the user is distracted or attempting to dismiss a persistent interruption, the probability of an accidental or frustrated approval increases substantially.

Documented attack campaigns have sent 50 or more push notifications to a single target within minutes. Some attackers send notifications in the middle of the night when users are half-awake. Others contact targets by phone, impersonating IT support, and instruct them to approve a notification that is about to arrive. The social engineering component turns a crude, brute-force nuisance into a targeted, high-probability compromise technique.

Why Traditional MFA Remains Valuable Despite This

The existence of MFA fatigue attacks does not make MFA pointless. Organizations without MFA are significantly easier to compromise. MFA fatigue requires the attacker to have already obtained valid credentials, which is a meaningful barrier. The attack is also resource-intensive compared to simply exploiting organizations with no MFA at all.

The conclusion is not to abandon MFA. It is to implement MFA in ways that are resistant to fatigue attacks.

Controls That Actually Defeat MFA Fatigue

Number Matching

Number matching requires the user to enter a number displayed on the login screen into their authenticator app before approving. This eliminates the possibility of approving a request without knowing what system is being accessed, making fatigue-based approval nearly impossible because the user must actively confirm a specific code rather than simply tapping approve.

Additional Context in Push Notifications

Modern authenticator implementations can display the location, IP address, and application associated with a login attempt in the push notification itself. A user who receives a push notification showing a login attempt from a location they do not recognize is far more likely to deny it than one receiving an ambiguous generic approval request.

Phishing-Resistant MFA Methods

FIDO2 hardware security keys and passkeys are resistant to both phishing and fatigue attacks because the authentication is cryptographically bound to the specific application and device. These methods are the gold standard where implementation is feasible, particularly for privileged accounts and high-risk users.

Anomaly Detection and Rate Limiting

Identity platforms should be configured to detect and block excessive failed MFA attempts, flag geographically impossible login sequences, and trigger alerts when authentication patterns deviate from established baselines for a given user. These controls do not prevent a determined attacker but significantly increase the likelihood of detection before a successful compromise.
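As an added illustration (not code from the original article or from any identity platform), the following sliding-window detector runs over constructed sample authentication log lines and flags a burst of push prompts to a single user, noting whether an approval followed the burst; the log format, field names and the window/threshold values are assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO timestamp, user, event, outcome.
# 'push_sent' is a new push challenge; 'push_result' is the user's response.
SAMPLE_LOG = """\
2024-03-01T02:14:01Z alice push_sent   -
2024-03-01T02:14:05Z alice push_result denied
2024-03-01T02:14:20Z alice push_sent   -
2024-03-01T02:14:40Z alice push_sent   -
2024-03-01T02:14:41Z alice push_result timeout
2024-03-01T02:15:02Z alice push_sent   -
2024-03-01T02:15:30Z alice push_sent   -
2024-03-01T02:16:10Z alice push_result approved
2024-03-01T09:00:00Z bob   push_sent   -
2024-03-01T09:00:08Z bob   push_result approved
"""

def parse(text):
    """Yield (timestamp, user, event, outcome) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, user, event, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome

def detect_push_bombing(text, window_minutes=10, threshold=5):
    """Flag users who receive >= threshold push prompts inside a sliding window
    and record whether an approval arrived while that burst was still open."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    alerts = {}                   # user -> alert record
    for ts, user, event, outcome in parse(text):
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"user": user, "first_prompt": q[0],
                                             "prompts": 0, "approved_after_burst": False})
                a["prompts"] = max(a["prompts"], len(q))
        elif event == "push_result" and outcome == "approved":
            a = alerts.get(user)
            # An approval shortly after a burst is the signal worth paging on.
            if a and ts - a["first_prompt"] <= window:
                a["approved_after_burst"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

A real deployment would read the identity provider's sign-in log export instead of the embedded sample and tune the window and threshold to the observed baseline per user.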

Privileged accounts, executives, and IT administrators should be prioritized for phishing-resistant MFA. These accounts are the highest-value targets and the most likely to be specifically targeted in MFA fatigue campaigns.

What to Do Right Now