
MFA Fatigue: A Growing Security Risk for Businesses and How to Prevent it

shaun9968

Multi-Factor Authentication (MFA) is widely recognized as a crucial security measure for businesses. By requiring additional verification beyond a password, MFA helps prevent unauthorized access and protects sensitive corporate data. However, cybercriminals have adapted their tactics, and one of the most effective attack methods they now use is “MFA fatigue”, which relies on the well-known strategy of repeating a request many times in order to exploit human frailty.

For businesses, failing to address MFA fatigue can lead to serious security breaches, financial losses, and reputational damage. This article explores how MFA fatigue attacks work, why they pose a risk to organizations, and how businesses can strengthen their defences.



MFA Fatigue

What is MFA Fatigue?

MFA fatigue, also known as MFA bombing, occurs when an attacker repeatedly triggers MFA requests. The goal is to wear down or confuse the victim until they approve an authentication request out of sheer exhaustion or frustration, granting the attacker access to corporate accounts and systems.


This type of attack is particularly effective against push notification-based MFA, where users receive a simple "Approve" or "Deny" prompt on their mobile device. If a user is overwhelmed by constant notifications, they may approve the request either accidentally or simply to stop the disruption.


This is not as unusual or as unlikely to happen as you may think! Some time ago, the author was repeatedly bombarded with push notifications for an account! This was before I had any real knowledge of how systems worked and the associated dangers. At first, I just thought it was an error, but after two or three repetitions, I realised it was something more malign. In the end the attacker gave up after I rejected several prompts in a row, but it alerted me that someone had somehow got hold of my password, so I changed it immediately. I was fortunate that I was not particularly busy or stressed that day. If I had been, the entire experience could have been overwhelming and could have ended very differently. I didn’t truly understand the significance of what was happening - I just didn’t want anyone taking over my account!   

 

How Attackers Target Businesses Using MFA Fatigue


Step 1. Credential Theft – Attackers first obtain an employee’s password through phishing, data breaches, credential stuffing, or from the Dark Web.


Step 2. Repeated MFA Requests – The attacker attempts to log in multiple times, bombarding the employee with MFA approval prompts.


Step 3. Human Error or Social Engineering – The exasperated employee approves a request out of frustration, confusion, or attacker deceitfulness (e.g. pretending to be IT support urging the user to approve it).

It is not just that user who is then compromised. Once inside, the attacker can navigate through the network, steal data, deploy ransomware, or compromise critical business systems.

Then, there will probably also be:

·       Financial losses – attackers may commit fraud, steal intellectual property, or deploy ransomware, leading to costly disruptions.

·       Reputational damage – a security incident caused by MFA fatigue can erode customer trust and damage business relationships.

·       Compliance violations – unauthorized access to sensitive information can result in regulatory fines and legal repercussions.


How Businesses Can Defend Against MFA Fatigue

Now for the good news – you can stop it and indeed prevent it!


1. Implement Stronger MFA Solutions

Simple approve/deny push notification-based MFA is vulnerable to fatigue attacks. Instead, businesses should consider:

·       Number-matching MFA – Users must enter a specific number shown on the login screen, preventing accidental approvals.

·       Phishing-resistant MFA – Methods like FIDO2 security keys and passkeys provide a stronger defence against MFA attacks.


2. Limit MFA Request Attempts

Organizations should set limits on how often an MFA request can be triggered within a short time frame. This prevents attackers from bombarding employees with repeated prompts.
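The two controls above (number matching and a cap on how many prompts can be triggered) can be enforced together at the point where the push challenge is issued. This is an added illustrative example, not code from the original article or from any MFA vendor; the policy values, the class name and the fake clock are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not vendor defaults.
MAX_PROMPTS = 3          # push prompts allowed per user ...
WINDOW_SECONDS = 600     # ... within this sliding window
CHALLENGE_TTL = 60       # seconds a pending number-match challenge stays valid


class PushChallengeService:
    """Issues push MFA challenges with a per-user rate limit and number matching."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable clock so tests can advance time
        self.history = defaultdict(deque)   # user -> timestamps of prompts sent
        self.pending = {}                   # user -> (expected number, expiry time)

    def _prune(self, user, now):
        q = self.history[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def request_push(self, user):
        """Return the number to show on the login screen, or None if rate-limited."""
        now = self.clock()
        self._prune(user, now)
        if len(self.history[user]) >= MAX_PROMPTS:
            return None                     # caller should log and alert, not retry
        self.history[user].append(now)
        number = f"{secrets.randbelow(100):02d}"   # two-digit code, shown only on the login screen
        self.pending[user] = (number, now + CHALLENGE_TTL)
        return number

    def approve(self, user, entered):
        """Validate what the user typed into the authenticator app; challenges are single-use."""
        expected, expiry = self.pending.pop(user, (None, 0))
        if expected is None or self.clock() > expiry:
            return False
        return hmac.compare_digest(expected, str(entered))
```

A plain "Approve" tap cannot succeed here: the approval is only valid if the user types the number that appears on the genuine login screen, and a fourth prompt within the window is refused regardless of the password being correct.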


3. Educate Employees on MFA Threats

Security awareness training should emphasize:

·       Never approving unexpected MFA requests

·       Reporting suspicious authentication attempts to IT security teams

·       Recognizing social engineering tactics used alongside MFA fatigue attacks


4. Real-time log monitoring and security alerts

·       Track failed MFA attempts and unusual login patterns

·       Investigate multiple MFA requests from a single source

·       Automate security responses to block suspicious activity
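As an added example of the monitoring described in this section (not code from the original article or any product), the following detector runs over constructed sample log lines and raises a medium alert when one user/source pair receives a burst of push prompts, and a high alert when an approval follows such a burst. The log format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 3                 # prompts per (user, source) ...
WINDOW = timedelta(minutes=5)        # ... within this window count as a burst

# Constructed sample log lines (not from any real product); key=value fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice src=203.0.113.7 event=push_sent
2024-05-01T09:00:09Z user=alice src=203.0.113.7 event=push_denied
2024-05-01T09:00:30Z user=alice src=203.0.113.7 event=push_sent
2024-05-01T09:00:41Z user=alice src=203.0.113.7 event=push_denied
2024-05-01T09:01:02Z user=alice src=203.0.113.7 event=push_sent
2024-05-01T09:01:50Z user=alice src=203.0.113.7 event=push_sent
2024-05-01T09:02:03Z user=alice src=203.0.113.7 event=push_approved
2024-05-01T09:05:00Z user=bob src=198.51.100.5 event=push_sent
2024-05-01T09:05:04Z user=bob src=198.51.100.5 event=push_approved
"""


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def detect_mfa_fatigue(log_text):
    """Return alerts as (severity, user, src, prompts_in_window, denials_seen)."""
    recent = defaultdict(deque)      # (user, src) -> timestamps of push_sent in window
    denials = defaultdict(int)       # cumulative denials per (user, src), for context
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        q = recent[key]
        while q and rec["ts"] - q[0] > WINDOW:
            q.popleft()
        if rec["event"] == "push_sent":
            q.append(rec["ts"])
            if len(q) >= PROMPT_THRESHOLD and key not in alerted:
                alerts.append(("medium", *key, len(q), denials[key]))  # burst in progress
                alerted.add(key)
        elif rec["event"] == "push_denied":
            denials[key] += 1
        elif rec["event"] == "push_approved" and len(q) >= PROMPT_THRESHOLD:
            # an approval right after a burst of prompts is the attack succeeding
            alerts.append(("high", *key, len(q), denials[key]))
    return alerts
```

The medium alert is the point at which an automated response (blocking further prompts for that user, or forcing number matching) should fire; the high alert is the one that needs an incident responder and a forced session revocation.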


5. Strengthen Access Controls

·       Conditional Access Policies – Blocking or challenging logins from unusual locations or unrecognized devices

·       Behavioural Analytics – Detecting unusual login patterns and alerting IT teams to them


Conclusion

MFA is a critical security control, but businesses must be aware of the risks posed by MFA fatigue. Attackers are constantly evolving their tactics, and organizations that rely on traditional MFA methods without additional safeguards may be vulnerable. By implementing stronger authentication methods, training employees, and actively monitoring login activity, businesses can stay ahead of cyber threats and maintain a secure environment.


Useful Links

Regola article on the importance of Employee training:

 

Regola article on 2fa and why you need it:


Article on MFA fatigue:


