Multi-factor authentication (MFA) was supposed to be the silver bullet. By requiring a second step—typically a push notification or a one-time code—organizations could drastically reduce the risk of unauthorized access.
But attackers adapt. Enter MFA fatigue, a tactic designed to exploit human behavior and slip past even well-implemented MFA defenses.
What Is MFA Fatigue?
Imagine it’s 2 AM. You’re fast asleep when your phone vibrates with an authentication request. Groggy, you ignore it and roll over. Five minutes later, another notification. Then another.
Half-awake, you see multiple MFA prompts stacking up. You have three choices:
- Ignore it and try to get back to sleep, hoping the buzzing stops.
- Report it to your security team—if they’re even awake.
- Tap “Approve” just to silence the endless notifications.
Most people just want to go back to sleep. Attackers count on that. By relentlessly spamming authentication requests, they create MFA fatigue, wearing down victims until someone finally approves a login attempt.
Why MFA Fatigue Works
Traditional phishing attacks trick users into handing over credentials. MFA was designed to stop that—requiring a second, user-verified step.
But MFA fatigue attacks flip the script. Instead of stealing something, they pressure users into surrendering access themselves.
- Persistence: Attackers trigger dozens (or hundreds) of push notifications. The annoyance mounts.
- Timing: They often target off-hours—late at night or on weekends—when people are least vigilant.
- Social engineering follow-ups: If repeated pushes don’t work, attackers may impersonate IT support via text or call, claiming, “You need to approve that request to resolve a system issue.”
Eventually, someone caves. All it takes is one tap.
Real-World Examples of MFA Fatigue Attacks
MFA fatigue isn’t theoretical. In the last few years, it’s enabled breaches of some of the world’s most recognized brands.
Uber (September 2022)
- Who: Lapsus$ hacking group
- What happened: After compromising an external contractor’s credentials, Lapsus$ unleashed a storm of MFA push notifications. When the contractor hesitated, they received a WhatsApp message from someone posing as Uber IT, urging them to approve.
- Impact: Gained access to Uber’s internal Slack, cloud environments, and admin tools.
Cisco (May 2022)
- What happened: Attackers combined voice phishing with repeated MFA prompts on personal Google accounts tied to Cisco’s VPN. One employee eventually approved, granting attackers internal network access.
- Impact: Enabled lateral movement inside Cisco’s systems.
Robinhood (2022)
- What happened: Credential stuffing attacks led to user account takeovers. Attackers then bombarded accounts with MFA prompts. Frustrated, some users approved to stop the deluge.
- Impact: Allowed unauthorized trades and attempts to withdraw funds.
Okta (January 2022)
- Who: Lapsus$ again
- What happened: Targeted a third-party support engineer. Repeated MFA prompts eventually wore down the engineer, who approved access.
- Impact: Provided attackers a foothold into Okta’s infrastructure.
Microsoft (March 2022)
- What happened: As part of a broader campaign, attackers used suspected MFA fatigue tactics to compromise Microsoft credentials.
- Impact: Attackers accessed internal repositories, obtaining source code for Bing, Cortana, and more.
Other Corporate Targets
Companies like Twitter, Samsung, and countless Office 365 tenants have reported MFA fatigue campaigns, often tied to sophisticated groups such as Midnight Blizzard (aka APT29).
Combating MFA Fatigue
So how do you defend against an attack that relies on human psychology and relentless notifications?
1. Use Phishing-Resistant MFA
Push-based MFA is convenient—but also the primary target for fatigue attacks. Consider stronger alternatives:
- FIDO2 hardware keys (YubiKeys, Titan Keys): Physical devices that must be present to authenticate.
- Certificate-based authentication: Tied to specific devices, reducing prompt frequency.
- Number matching (e.g., Microsoft Authenticator): Requires the user to enter, in the authenticator app, the number displayed on the login screen, so a prompt cannot be approved blindly.
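To make the number-matching point concrete, here is an added example (not code from the original article or from any vendor's product) of a toy server-side model of a number-matching push challenge. The class name, the 60-second lifetime and the two-digit range are assumptions for illustration. The number is shown only on the login screen; the push to the phone does not carry it, so a user who merely taps "Approve" without reading the screen cannot complete the login, and each challenge is single-use.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    user: str
    number: int        # displayed on the login screen only, never in the push
    created: float     # epoch seconds
    used: bool = False


class NumberMatchingMFA:
    """Hypothetical server-side model of number-matching push MFA.

    A login starts a challenge and returns the number to the login page.
    The phone receives only the challenge id; approval requires the user
    to type the on-screen number into the app. A 'blind tap' (no number)
    or a wrong number is rejected and consumes the challenge.
    """

    TTL_SECONDS = 60.0  # assumed challenge lifetime

    def __init__(self):
        self._challenges = {}  # challenge_id -> Challenge

    def start_login(self, user, now=None):
        now = time.time() if now is None else now
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit number, 00..99
        self._challenges[cid] = Challenge(user, number, now)
        # What the login page receives; the push to the device carries only cid.
        return cid, number

    def approve(self, cid, entered, now=None):
        """Return True only for a fresh, unexpired challenge with a matching number."""
        now = time.time() if now is None else now
        ch = self._challenges.get(cid)
        if ch is None or ch.used:
            return False            # unknown id or replay of a consumed challenge
        ch.used = True              # single use regardless of outcome
        if now - ch.created > self.TTL_SECONDS:
            return False            # expired prompt
        if entered is None or not isinstance(entered, int) or not 0 <= entered <= 99:
            return False            # a blind tap or malformed input never succeeds
        # constant-time compare of the zero-padded strings
        return secrets.compare_digest(f"{ch.number:02d}", f"{entered:02d}")


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    cid, shown = mfa.start_login("alice")
    print("login screen shows:", f"{shown:02d}")
    print("blind tap approved?", mfa.approve(cid, None))
    cid, shown = mfa.start_login("alice")
    print("correct number approved?", mfa.approve(cid, shown))
    print("replay approved?", mfa.approve(cid, shown))
```

The important design choice is that a wrong or empty answer consumes the challenge rather than leaving it open for a retry, so a spammed prompt that the user mishandles simply dies; in a real deployment those failed matches are also worth counting per user as a fatigue signal.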
2. Implement Adaptive Controls
- Geo & time-based policies: Block or challenge unexpected login attempts, especially from unusual locations or at odd hours.
- Rate limiting: Automatically slow or block repeated MFA attempts to reduce spamming.
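As an added example of the two adaptive controls above (it is not code from the original article or from any identity provider), the block below does two things over a few constructed MFA push log lines: it applies a sliding-window rate limit on how many pushes a user may receive, and it flags the fatigue pattern of several unapproved prompts followed by an approval. The log format, the field names, the user names, the IP addresses and the thresholds (3 pushes per 10 minutes) are all assumptions; adapt the regular expression to whatever your IdP actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines for illustration; not from any real system.
SAMPLE_LOG = """\
2024-03-12T02:01:10Z user=alice event=mfa_push result=timeout src_ip=203.0.113.7
2024-03-12T02:01:55Z user=alice event=mfa_push result=denied src_ip=203.0.113.7
2024-03-12T02:02:40Z user=alice event=mfa_push result=timeout src_ip=203.0.113.7
2024-03-12T02:03:30Z user=alice event=mfa_push result=timeout src_ip=203.0.113.7
2024-03-12T02:04:05Z user=alice event=mfa_push result=approved src_ip=203.0.113.7
2024-03-12T09:15:00Z user=bob event=mfa_push result=approved src_ip=198.51.100.4
2024-03-12T09:20:00Z user=bob event=mfa_push result=timeout src_ip=198.51.100.4
2024-03-12T09:21:00Z user=bob event=mfa_push result=approved src_ip=198.51.100.4
"""

# Assumed line layout: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src_ip=(?P<ip>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


class PushRateLimiter:
    """Sliding-window cap: at most `limit` pushes per user in `window_s` seconds."""

    def __init__(self, limit=3, window_s=600):
        self.limit = limit
        self.window_s = window_s
        self._sent = defaultdict(deque)  # user -> timestamps of pushes sent

    def allow(self, user, ts):
        q = self._sent[user]
        while q and (ts - q[0]).total_seconds() > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False  # suppress the push; the login fails closed
        q.append(ts)
        return True


def pushes_blocked(lines, limit=3, window_s=600):
    """Replay the log through the limiter; return (user, ts) of pushes it would suppress."""
    limiter = PushRateLimiter(limit, window_s)
    blocked = []
    for line in lines:
        ev = parse(line)
        if ev and ev["event"] == "mfa_push" and not limiter.allow(ev["user"], ev["ts"]):
            blocked.append((ev["user"], ev["ts"]))
    return blocked


def detect_fatigue(lines, threshold=3, window_s=600):
    """Alert when >= threshold unapproved pushes within window_s precede an approval."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    for line in lines:
        ev = parse(line)
        if not ev or ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "approved_at": ev["ts"].isoformat(),
                    "prior_unapproved": len(q),
                    "src_ip": ev["ip"],
                })
            q.clear()  # an approval ends the current burst either way
        else:
            q.append(ev["ts"])
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, ts in pushes_blocked(lines):
        print(f"rate limit would suppress push to {user} at {ts.isoformat()}")
    for a in detect_fatigue(lines):
        print("possible MFA fatigue:", a)
```

Run on the sample, the limiter suppresses alice's fourth and fifth prompts inside the 10-minute window while leaving bob's normal activity alone, and the detector raises one alert for alice's 02:04 approval that followed four unapproved prompts. That approval at 2 AM after a burst of timeouts is exactly the event worth paging on, and the source IP in the alert gives the responder something to pivot on when revoking the session.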
3. Train for the Specific Threat
Most awareness training still focuses on phishing emails. Organizations need to educate users explicitly about MFA fatigue:
- Explain how repeated prompts are a tactic, not just a glitch.
- Encourage them to reject and report unusual requests—especially late at night.
- Normalize suspicion. It’s better to over-report than to blindly approve.
4. Build an Always-On Security Channel
Make it easy for employees to flag suspicious activity. A quick Slack message or hotline can stop an attack before it succeeds.
Security teams concerned about “alert fatigue” can deploy triage systems or automated workflows to sort real threats from noise.
Final Thoughts
MFA remains one of the most effective security controls available—but it’s not foolproof. MFA fatigue demonstrates how even robust systems can be undermined by exploiting human tendencies.
The answer isn’t to abandon MFA. It’s to evolve—by layering on phishing-resistant options, adapting policies, and preparing people for the specific psychological tactics attackers now use.