Because many users are so familiar with the process of accepting a push request, MFA fatigue might lead them to absent-mindedly or accidentally hit the “accept” button, even if it’s not them. From there, the attacker has the freedom to roam a company’s internal resources.

As people and organizations find new and exciting ways to transform digitally, we also see bad actors find new and creative ways to gain fraudulent access. While security teams work to stay vigilant and put defenses in place, it can be difficult to keep up with the evolving threats. One of these threats that has gained attention includes circumventing an organization’s multi-factor authentication (MFA) protection.

MFA fatigue, or when an attacker gets an authentic user to accept a request when that user is not trying to login, is one attack method that has made headlines. When it comes to MFA fatigue, it’s important to know what to expect and how to arm your organization with the tools to combat it.

What is MFA fatigue?

If an adversary has stolen a valid username and password, each time that adversary attempts to login, the owner of those credentials gets an MFA request (“is this you trying to sign-in?”). Most users will ignore or deny an MFA request if they are not trying to sign-in.

However, because many users are so familiar with the process of accepting a push request, MFA fatigue might lead them to absent-mindedly or accidentally hit the “accept” button, even if it’s not them. From there, the attacker has the freedom to roam a company’s internal resources.

Additionally, there are some MFA attacks that can be even more burdensome to the end user. In a push phishing attack (also known as push bombing, push harassment, or MFA fatigue attack), the attacker sends MFA requests repeatedly until the authentic user caves and accepts the request to stop receiving the push notifications.

Are MFA fatigue attacks a good thing?

It is counterintuitive to think about any kind of attack in a positive light. It can be even harder to see the silver lining on attacks that play on MFA, as it has been a reliable tool against identity-based attacks in the past. But what it does show is a sign of maturity and that we have reached a level with MFA where adversaries are incentivized to work around this control.

Before, if an attacker had a stolen username and password, that was all they needed to gain access. Strong MFA forces them to develop new methods to get around this defense. So now it’s time to respond. Cybersecurity has always been a back and forth between tactics and responses. And organizations need new responses to protect themselves.

How we can fix it

There’s not one silver bullet that can stop all types of attacks, but there are best practices that organizations can follow to improve their security posture.


FIDO2 compliant authentication, through solutions like passwordless authentication or security keys, use public-key cryptography to make the login credentials unique on every website. Essentially, an attacker is unable to use the typical MFA attack methods because the FIDO2 key is physically with the trusted user in the device, in the form of a biometric or security key.

FIDO2 offers the strongest defense against these new types of attacks, but also presents challenges for organizations if they do not have devices with biometrics or the means to ship security keys to all end users. Therefore, for organizations that need an alternative solution today, we recommend moving towards a risk-based approach.

Risk-based authentication

The goal of Risk-Based Authentication is to dynamically detect threat signals and adjust security requirements accordingly. There are two key benefits of using a risk-based solution:

  • Remove Unnecessary Friction: In a trusted scenario, Risk-Based Authentication can reduce the number of times a user is asked to re-authenticate. Using Risk-Based Remembered Devices gives users the option to remember their login on a device. This allows users to only be prompted when the policy expires, or when there is a new login attempt. By reducing the number of MFA requests, user fatigue can also decrease, causing users to pay more attention to each individual authentication request.

  • Step Up Security: Risk-Based Authentication can remove friction when a situation is trusted and increase that friction when there are new risk signals in the environment. Evaluating the device, location, network, and data from attack patterns enables the use of Risk-Based Factor Selection to step up to a more secure method, like requiring the user to enter a 3 to 6 digit code (rather than simply hit the green “approve” button) to stop an MFA fatigue attack, but not block legitimate users.  

Device trust

In addition to improving MFA security, it is important to know what devices are managed and can gain access to internal applications or sensitive data. Therefore, even if an attacker has compromised credentials and gets a trusted user to accept a fraudulent MFA request, the attacker would not be able to proceed because they are not using a compliant or managed device. Administrators using Trusted Endpoints can easily set policies to block access from these unmanaged devices.

Ultimately, we want organizations to have the tools they need to set up the best defenses to protect their users and data from bad actors.

This article was first published at: