Multi-factor authentication is one of the strongest defenses a business can deploy, but attackers have found a way around the most common form of it. In an MFA fatigue attack (also called push bombing), an attacker who already holds a stolen username and password repeatedly starts the login and triggers dozens of push notifications to the employee's phone. The prompts arrive at all hours, sometimes at two in the morning, sometimes in rapid bursts during a busy workday, and are often paired with a text or chat message from someone claiming to be IT support telling the employee to approve. The attacker is betting that the employee will eventually tap "Approve" just to make the notifications stop. This technique was used in the 2022 Uber breach and has since become a standard play in the attacker's handbook.
The fix is straightforward but requires action. First, switch from simple push-to-approve MFA to number-matching MFA, where the login screen displays a number and the employee must enter it in the authenticator app before the request is accepted. An employee who is not looking at a login screen has nothing to type, so a prompt cannot be blindly approved; it does not, however, stop an attacker who phones the employee and reads the number out, or who relays the real login page through a phishing proxy. Better still, move to phishing-resistant methods such as FIDO2 hardware security keys or passkeys: they send no push notification to spam, and because the credential is bound to the legitimate site's origin, a phishing page cannot use it. Second, configure your identity provider to alert on, and block further prompts for, any account that receives more than a handful of denied or unanswered push requests in a short window (three within ten minutes is a reasonable starting point). Keep in mind that an attacker who holds the password can trigger that condition at will, so treat it as a signal to the security team and a trigger for a password reset rather than as a standalone control, and treat an approval that follows a burst of denials as a probable compromise. Finally, train your team that an unexpected MFA prompt they did not initiate is not an annoyance but an active attack in progress: deny the request, report it immediately, and assume the password is already in the attacker's hands. If your MFA setup still relies on simple push approvals, reach out to us for a security review before an attacker tests your team's patience.
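The detection step above, as an added example that is not part of the original article and not tied to any particular identity provider: the log records below are constructed sample data in a generic schema (user, UTC timestamp, push result), and the threshold and window are the illustrative values discussed above. The function flags any user whose denied or timed-out pushes exceed the threshold inside a sliding window, and separately records whether an approval followed that burst, which is the case a responder should treat as a likely successful fatigue attack.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (not a real vendor log format). Alice is being
# push-bombed at 2 a.m. and gives in on the fifth prompt; Bob denies one stray
# prompt in the morning and approves a legitimate login hours later; Carol is
# a normal login.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-01T02:01:10Z", "result": "denied"},
    {"user": "alice", "ts": "2024-03-01T02:01:45Z", "result": "denied"},
    {"user": "alice", "ts": "2024-03-01T02:02:30Z", "result": "timeout"},
    {"user": "alice", "ts": "2024-03-01T02:03:05Z", "result": "denied"},
    {"user": "alice", "ts": "2024-03-01T02:04:00Z", "result": "approved"},
    {"user": "bob",   "ts": "2024-03-01T09:00:00Z", "result": "denied"},
    {"user": "bob",   "ts": "2024-03-01T13:30:00Z", "result": "approved"},
    {"user": "carol", "ts": "2024-03-01T10:00:00Z", "result": "approved"},
]

# Push results that mean the user did not approve: both count as fatigue signal.
UNANSWERED = {"denied", "timeout"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: alert} for every user with at least `threshold` unanswered
    pushes inside any `window`-long sliding interval.

    Each alert records when the threshold was first crossed, the peak number of
    unanswered pushes seen inside one window, and whether an approval arrived
    within `window` of the burst (the probable-compromise case).
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((parse_ts(event["ts"]), event["result"]))

    alerts = {}
    for user, user_events in by_user.items():
        user_events.sort()  # chronological order; logs are not guaranteed sorted
        recent = deque()  # timestamps of unanswered pushes inside the window
        burst_at = None
        peak = 0
        approved_after_burst = False

        for ts, result in user_events:
            if result in UNANSWERED:
                recent.append(ts)
                # Drop anything that has aged out of the sliding window.
                while recent and ts - recent[0] > window:
                    recent.popleft()
                if len(recent) >= threshold:
                    if burst_at is None:
                        burst_at = ts
                    peak = max(peak, len(recent))
            elif result == "approved" and burst_at is not None and ts - burst_at <= window:
                approved_after_burst = True

        if burst_at is not None:
            alerts[user] = {
                "burst_at": burst_at,
                "unanswered": peak,
                "approved_after_burst": approved_after_burst,
            }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        severity = "PROBABLE COMPROMISE" if alert["approved_after_burst"] else "push bombing"
        print(f"{user}: {severity}, {alert['unanswered']} unanswered pushes, first crossed at {alert['burst_at']:%H:%M:%S}Z")
```

Run against the sample data this flags only alice, and marks her approval as a probable compromise because it lands inside the window after the burst. Bob's single denial never reaches the threshold, which is the point of the sliding window: one declined prompt is normal user behaviour, a cluster of them is not. The alert is meant to page a human and trigger a password reset, not to lock the account outright, for the reason given in the text.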