CIAM.wiki

MFA Fatigue

MFA fatigue is an attack in which an adversary who already has a victim's password floods them with repeated push approval prompts, hoping the user eventually approves one out of confusion or annoyance.

Also: MFA bombing, push bombing, prompt bombing

MFA fatigue exploits the human at the end of a push notification. The attacker already holds valid credentials, often from a phishing or credential-stuffing campaign, and triggers login attempts that generate a stream of approval prompts on the victim’s device. The goal is to wear the user down until they tap approve.

The attack works specifically against simple push-to-approve factors, where approval is a single tap with no context. It does not defeat factors that require the user to enter a code shown on the login screen, or phishing-resistant methods that bind authentication to the legitimate site.

Defenses include number matching, which forces the user to type a code displayed by the requesting application, rate limiting on prompts, and showing context such as location and application name. The durable fix is moving to phishing-resistant authentication such as passkeys.
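As an added illustration (not code from CIAM.wiki), the verifier below applies two of the defenses just listed on the server side: number matching, so a bare tap on the push cannot complete a login, and a per-user rate limit on push prompts, so a flood of login attempts stops producing prompts and raises an alert instead. The window size, prompt limit and code length are assumed policy values chosen for the example.

```python
"""Added example: push-approval verifier with number matching and prompt rate limiting."""
import secrets
from collections import defaultdict, deque

# Assumed policy values for this example, not values from the glossary entry.
WINDOW_SECONDS = 300            # sliding window for counting prompts per user
MAX_PROMPTS_PER_WINDOW = 3      # prompts allowed per user inside that window
CODE_DIGITS = 2                 # length of the number shown on the login screen
CODE_TTL_SECONDS = 60           # how long a pending challenge stays valid


class PushVerifier:
    def __init__(self):
        self._prompts = defaultdict(deque)  # user -> timestamps of recent prompts
        self._pending = {}                  # user -> (expected code, expiry time)
        self.alerts = []                    # rate-limit hits worth a SOC ticket

    def request_push(self, user, now):
        """Start a push challenge for `user` at time `now` (seconds).
        Returns the number to display on the login screen, or None when the
        user has been prompted too often, i.e. the fatigue pattern itself."""
        recent = self._prompts[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop prompts outside the window
        if len(recent) >= MAX_PROMPTS_PER_WINDOW:
            self.alerts.append((user, now, "push prompt rate limit hit"))
            return None                     # no prompt sent, nothing to tap
        recent.append(now)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (code, now + CODE_TTL_SECONDS)
        return code

    def approve(self, user, typed_code, now):
        """Called by the authenticator app. Approval succeeds only if the user
        typed the number that is visible solely on the legitimate login screen;
        the challenge is single-use and expires."""
        pending = self._pending.pop(user, None)
        if pending is None:
            return False                    # nothing outstanding, or already used
        code, expires_at = pending
        if now > expires_at:
            return False
        if not (typed_code.isascii() and typed_code.isdigit()):
            return False                    # reject before constant-time compare
        return secrets.compare_digest(code, typed_code)
```

A blind approve from a confused user is worthless to the attacker because they never see the number, and the alert list gives the SOC a signal to investigate the credential that is being replayed.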

For CIAM, MFA fatigue is a reminder that adding a second factor is not enough on its own. The choice of factor and the design of the approval step determine whether the second factor actually resists a determined attacker.