Key takeaways
MFA fatigue attacks don't break technology; they break people by exploiting trust, distraction, and repetition.
Push-based MFA without safeguards is one of the easiest authentication methods for attackers to abuse.
Real-world breaches at Uber, Cisco, MGM, and others prove MFA fatigue is not theoretical. It's operationally devastating.
Phishing-resistant, passwordless MFA anchored in verified identity is the most reliable way to stop fatigue attacks at the source.
What is an MFA fatigue attack?
An MFA fatigue attack is when attackers repeatedly prompt users for authentication until someone finally approves one, out of frustration, confusion, or simply wanting the notifications to stop.
The reason this works is that the human element of a security system is often the weakest link. Attackers obtain valid credentials, then repeatedly trigger MFA push notifications. Your phone buzzes. Your watch vibrates. Your desktop pings. Each one is asking you to approve or deny.
The goal? Make it so annoying that you'll do anything to make it stop. Buzz after buzz, alert after alert, until someone taps "Approve" just to get back to their day. That one tap is all it takes.
What makes MFA fatigue particularly nasty is how ordinary it feels. Push notifications are built for speed and convenience, not careful consideration. When approval becomes automatic, security fails quietly in the background.
This is why MFA fatigue has become one of the most reliable ways to bypass modern authentication, and why organizations counting on push-only MFA often don't see it coming.
Why MFA fatigue attacks are on the rise
MFA fatigue attacks are extremely easy to run, cheap to scale, and effective against the push-only MFA that most companies rely on today.
Attackers don't need to be elite hackers anymore. Stolen credentials are everywhere, bought and sold daily on underground forums. Once they have a username and password, MFA fatigue becomes a waiting game. Just keep hitting send until the human breaks.
Meanwhile, push-based MFA has taken over in enterprise environments. While it reduced password-only attacks, it also created a new weak point: the approval button. Many organizations rolled out MFA quickly without considering rate limits, user experience, or behavioral protections.
Remote work made things worse. People now authenticate at all hours, from anywhere, on multiple devices. When an MFA prompt hits at 11 PM, you're probably not going to scrutinize it closely.
Attackers noticed. And they adjusted their tactics accordingly.
How attackers execute push-bombing attacks
Attackers typically execute push-bombing attacks by pairing stolen credentials with nonstop authentication requests, as well as some well-timed social engineering.
Most MFA fatigue attacks follow a pretty standard playbook:
Attackers get credentials through phishing, credential stuffing, or third-party breaches.
They fire off repeated login attempts, triggering MFA push notifications constantly, sometimes dozens in just a few minutes.
Timing is strategic: during busy workdays, late at night, or when the user is clearly distracted.
Some attackers take it further by calling or messaging the victim pretending to be IT support, telling them to approve the request "to resolve the issue."
Once they get that approval, they move fast, escalating privileges, establishing persistence, and spreading across systems before security teams catch on.
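The pattern in that playbook is visible in ordinary authentication logs. The detection logic below is an added example, not code from the original article or from any IdP: it runs over a handful of constructed log lines (the JSON field names ts, user, event and src_ip are an assumption; map your IdP's export, such as Okta System Log or Entra sign-in events, onto them) and flags a burst of prompts to one user and, the higher-fidelity signal, an approval that follows several denials or timeouts.

```python
"""Detect push-bombing patterns in authentication logs.

Added example, not code from the original article. Log format is an
assumption: one JSON object per line with ts (epoch seconds), user, event
(push_sent / push_denied / push_timeout / push_approved) and src_ip.
"""
import json
from collections import defaultdict, deque

BURST_THRESHOLD = 5          # prompts to one user ...
BURST_WINDOW = 120           # ... within this many seconds
REJECTS_BEFORE_APPROVE = 2   # denials/timeouts that make a later approval suspicious
LOOKBACK = 900               # seconds of history considered before an approval

# Constructed sample log: one normal login for bob, then a push-bombing run
# against alice that ends with an approval from a source she has never used.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "bob",   "event": "push_sent",     "src_ip": "10.0.0.5"}
{"ts": 1700000004, "user": "bob",   "event": "push_approved", "src_ip": "10.0.0.5"}
{"ts": 1700000100, "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.9"}
{"ts": 1700000110, "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.9"}
{"ts": 1700000115, "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.9"}
{"ts": 1700000130, "user": "alice", "event": "push_timeout",  "src_ip": "203.0.113.9"}
{"ts": 1700000131, "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.9"}
{"ts": 1700000140, "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.9"}
{"ts": 1700000141, "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.9"}
{"ts": 1700000150, "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.9"}
{"ts": 1700000152, "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.9"}
{"ts": 1700000160, "user": "alice", "event": "push_approved", "src_ip": "203.0.113.9"}
"""


def parse_log(text):
    """One JSON object per line, returned in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events):
    """Return (signal, user, src_ip, count) tuples for suspicious sequences."""
    findings = []
    sent = defaultdict(deque)      # user -> times of recent push_sent
    rejects = defaultdict(deque)   # user -> times of recent denials/timeouts
    burst_alerted = set()          # one burst alert per user per run
    for e in events:
        user, ts, ev = e["user"], e["ts"], e["event"]
        if ev == "push_sent":
            q = sent[user]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:   # slide the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and user not in burst_alerted:
                burst_alerted.add(user)
                findings.append(("push_burst", user, e["src_ip"], len(q)))
        elif ev in ("push_denied", "push_timeout"):
            rejects[user].append(ts)
        elif ev == "push_approved":
            q = rejects[user]
            while q and ts - q[0] > LOOKBACK:
                q.popleft()
            # The user said "no" (or ignored it) several times and then said
            # "yes": the classic fatigue outcome, worth an analyst's eyes.
            if len(q) >= REJECTS_BEFORE_APPROVE:
                findings.append(("approve_after_rejects", user, e["src_ip"], len(q)))
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(finding)
```

The approve-after-rejects signal is the one to page on: a burst alone may be a user retrying a flaky app, but an approval that follows denials within a quarter of an hour is exactly the moment the attacker gets in, and the responder can still revoke the session before privilege escalation.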
MFA methods most vulnerable to fatigue attacks
Any method that lets you approve with one tap and no additional context is inherently at risk.
Push-based MFA tops the vulnerability list. Simple "Approve/Deny" prompts train people to respond on autopilot, especially when they're getting hammered with requests.
SMS one-time passwords have their own problems, mainly SIM swapping and phishing. App-based time-based one-time passwords (TOTP) are stronger but can still be phished: an adversary-in-the-middle page relays the code to the real service within its validity window. Neither can be bombed into an approval, since the user types the code into a login they started themselves, but both fall to a convincing phishing page.
The most resilient methods are designed to be phishing-resistant. Hardware security keys, passkeys, and identity-bound biometrics require active user presence and a cryptographic signature over a challenge that is tied to the origin of the legitimate service. They can't be accidentally approved, because the authenticator only signs for the site the user is actually on, and they can't be spammed into submission, because nothing an attacker does with a stolen password can make the user's device prompt.
Real-world breaches involving MFA fatigue
Some of the most costly breaches in recent years began with a single exhausted click.
Uber's 2022 breach, for example, kicked off when an attacker bombarded a contractor with MFA prompts, then called pretending to be IT support. Cisco got hit similarly after MFA push abuse combined with voice phishing.
The MGM Resorts attack in 2023 showed just how far identity-focused social engineering can go. Attackers impersonated an employee to the help desk and talked it into resetting that employee's MFA, and the resulting access led to ransomware that shut down hotel operations, slot machines, and booking systems, with MGM reporting roughly $100 million in losses.
These weren't small companies with weak security postures. They were industry leaders. And MFA fatigue was the entry point.
Risks MFA fatigue attacks pose
Once attackers get authenticated access, the damage escalates quickly. Sensitive data gets stolen. Systems get encrypted. Operations shut down.
Beyond the immediate financial hit, organizations face regulatory fines, customer defections, and reputation damage that can take years to recover from. Users experience exposed identities, privacy violations, and long-term fraud risk.
Maybe the most dangerous part? The false confidence. Many victims thought MFA made them safe right up until it didn't.
Prevention tactics and security controls
MFA fatigue can be mitigated by removing the conditions that create approval fatigue in the first place.
Strong defenses include:
Rate-limiting authentication attempts to prevent rapid-fire push notifications.
Enforcing number matching instead of one-tap approvals: the login screen shows a number and the user must type it into the authenticator app, so a prompt the user did not initiate cannot be approved blindly. An attacker then has to get on the phone and read the user the number, which is slower, noisier, and easier to coach users against.
Suspending push delivery after multiple denied or unanswered prompts, and requiring a different factor or a help desk identity check to resume. Suspend the push channel rather than the whole account: a full lockout hands an attacker who already holds the password a denial-of-service lever against the real user.
Monitoring for abnormal MFA patterns and flagging suspicious behavior for security teams.
Providing additional context in push notifications, including location and application details.
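The rate limit, number matching, and suspension controls from that list as server-side logic, added here as an example rather than code from the article or from any IdP. The PushPolicy class, its thresholds and its in-memory state are assumptions for illustration; it caps prompts per user per window, expires unanswered prompts, suspends only the push channel after repeated denials, and rejects any approval that does not carry the number shown on the login page.

```python
"""Server-side push-MFA policy: prompt rate limiting, denial-based suspension
of the push channel, prompt expiry and number matching.

Added example, not code from the original article or any IdP. Names,
thresholds and the in-memory dictionaries are assumptions; a real deployment
keeps this state in the IdP's datastore and renders the number on the login
page the user is looking at.
"""
import secrets
import time
from collections import deque

MAX_PROMPTS = 3       # prompts allowed per user per PROMPT_WINDOW seconds
PROMPT_WINDOW = 300
MAX_DENIALS = 2       # denials within DENIAL_WINDOW suspend the push channel
DENIAL_WINDOW = 600
SUSPEND_FOR = 1800    # seconds the push channel stays suspended
PROMPT_TTL = 60       # an unanswered prompt expires after this long


class PolicyDenied(Exception):
    """Raised before any notification reaches the user's phone."""


class PushPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable for deterministic testing
        self.prompts = {}        # user -> deque of prompt send times
        self.denials = {}        # user -> deque of denial times
        self.suspended = {}      # user -> time at which suspension ends
        self.pending = {}        # prompt_id -> (user, number, expires_at)

    @staticmethod
    def _prune(dq, window, now):
        while dq and now - dq[0] > window:
            dq.popleft()

    def request_push(self, user):
        """Return (prompt_id, number_to_show) or raise PolicyDenied."""
        now = self.clock()
        if self.suspended.get(user, 0) > now:
            raise PolicyDenied("push suspended for %s; use another factor" % user)
        dq = self.prompts.setdefault(user, deque())
        self._prune(dq, PROMPT_WINDOW, now)
        if len(dq) >= MAX_PROMPTS:
            raise PolicyDenied("prompt rate limit reached for %s" % user)
        dq.append(now)
        number = "%02d" % secrets.randbelow(100)   # shown on the login page
        prompt_id = secrets.token_urlsafe(16)
        self.pending[prompt_id] = (user, number, now + PROMPT_TTL)
        return prompt_id, number

    def respond(self, prompt_id, approved, entered_number=None):
        """The authenticator app's answer. True only for a matched approval."""
        now = self.clock()
        entry = self.pending.pop(prompt_id, None)
        if entry is None:
            return False                       # unknown, answered, or replayed
        user, number, expires_at = entry
        if now > expires_at:
            return False                       # stale prompt
        if not approved:
            dq = self.denials.setdefault(user, deque())
            dq.append(now)
            self._prune(dq, DENIAL_WINDOW, now)
            if len(dq) >= MAX_DENIALS:         # repeated "no" = likely bombing
                self.suspended[user] = now + SUSPEND_FOR
            return False
        # Number matching: a bare "approve" tap carries no number and fails;
        # compare in constant time as with any authentication secret.
        if entered_number is None or not secrets.compare_digest(entered_number, number):
            return False
        return True


def demo():
    """Attacker with a stolen password bombs alice; later she logs in herself."""
    t = [1_000_000.0]
    policy = PushPolicy(clock=lambda: t[0])
    log = []
    for _ in range(2):                          # alice denies two prompts
        pid, _number = policy.request_push("alice")
        log.append(policy.respond(pid, approved=False))
        t[0] += 20
    try:                                        # third attempt never reaches her phone
        policy.request_push("alice")
        log.append("prompt sent")
    except PolicyDenied:
        log.append("suspended")
    t[0] += SUSPEND_FOR + 1                     # suspension has lapsed
    pid, _number = policy.request_push("alice")
    log.append(policy.respond(pid, approved=True))            # no number: rejected
    pid, number = policy.request_push("alice")
    log.append(policy.respond(pid, approved=True, entered_number=number))
    return log
```

Two design points worth keeping when you adapt this: suspending the push channel rather than the account leaves the real user a fallback factor and denies the attacker a lockout lever, and number matching on its own does not stop an attacker who is on the phone reading the user the number, which is why the rate limit and suspension stay in force alongside it.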
User education helps, but it's not a complete solution. You can't train people to be perfect under pressure, and security controls should assume fatigue will occur and build protections around that reality.
The strongest defense? Remove the out-of-band approval and the shared secret behind it. When an attacker holding a password cannot make the user's device prompt, there is nothing to fatigue.
Strengthening authentication with phishing-resistant MFA
It starts with moving from assuming identity to verifying identity every single time.
Phishing-resistant MFA uses cryptographic authentication bound to a verified identity rather than reusable credentials. Passkeys, hardware security keys, and biometrically backed digital identities ensure that authentication occurs only when the actual user is present on a legitimate service: the authenticator signs a per-login challenge together with the origin the browser is really on, so a credential registered for the real service cannot be exercised from a look-alike domain.
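How that origin binding, described here and in the section on vulnerable MFA methods, actually stops a relayed login, as an added example that is not the article's code or any WebAuthn library. The message layout follows WebAuthn (clientDataJSON carries the browser's real origin and the challenge; authenticatorData is SHA-256(rpId), a flags byte and a sign counter; the signature covers authenticatorData plus SHA-256(clientDataJSON)). One assumption keeps it on the standard library: the authenticator signs with an HMAC over a per-credential secret in place of a private key (a real one uses e.g. ES256 and the relying party verifies with the stored public key); the host names are made up.

```python
"""Relying-party checks that make a passkey (FIDO2/WebAuthn) assertion useless
to a phishing site and leave an attacker nothing to bomb. Added example; the
HMAC stands in for the credential's asymmetric signature (assumption), the
origin/rpIdHash/user-presence/counter checks are the real ones."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                        # made-up relying party
RP_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://login-examp1e.com"   # made-up look-alike
FLAG_UP = 0x01                               # user-presence bit in the flags byte


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """The user's device. The credential is bound to one RP ID at creation."""
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.secret = secrets.token_bytes(32)   # stand-in for the private key
        self.sign_count = 0

    def get_assertion(self, rp_id, client_data_json):
        if rp_id != self.rp_id:
            raise LookupError("no credential for rp_id %r" % rp_id)
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([FLAG_UP]) + self.sign_count.to_bytes(4, "big"))
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, to_sign, hashlib.sha256).digest()


class Browser:
    """Writes the origin the page is really served from into clientDataJSON
    and refuses RP IDs that are not a registrable suffix of that origin."""
    def __init__(self, origin, authenticator):
        self.origin, self.authenticator = origin, authenticator

    def credentials_get(self, rp_id, challenge):
        host = self.origin.split("//", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("rp_id %r not valid for origin %r" % (rp_id, self.origin))
        cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                          "origin": self.origin}).encode()
        auth_data, sig = self.authenticator.get_assertion(rp_id, cdj)
        return cdj, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin, credential_secret):
        self.rp_id, self.origin = rp_id, origin
        self.secret = credential_secret         # stand-in for the stored public key
        self.last_count = 0
        self.challenges = set()                 # outstanding one-time challenges

    def begin_login(self):
        challenge = secrets.token_bytes(32)
        self.challenges.add(b64url(challenge))
        return challenge

    def finish_login(self, cdj, auth_data, sig):
        cd = json.loads(cdj)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return "reject: origin"             # the phishing-resistance check
        if cd.get("challenge") not in self.challenges:
            return "reject: challenge"          # replayed or never issued
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "reject: rpIdHash"
        if not auth_data[32] & FLAG_UP:
            return "reject: user presence"      # no touch, no login
        count = int.from_bytes(auth_data[33:37], "big")
        if count <= self.last_count:
            return "reject: counter"            # cloned-authenticator signal
        to_sign = auth_data + hashlib.sha256(cdj).digest()
        if not hmac.compare_digest(hmac.new(self.secret, to_sign, hashlib.sha256).digest(), sig):
            return "reject: signature"
        self.challenges.discard(cd["challenge"])
        self.last_count = count
        return "ok"


def demo():
    auth = Authenticator(RP_ID)
    rp = RelyingParty(RP_ID, RP_ORIGIN, auth.secret)
    results = {}
    # 1. Legitimate login from the real origin.
    results["legit"] = rp.finish_login(*Browser(RP_ORIGIN, auth).credentials_get(RP_ID, rp.begin_login()))
    # 2. Adversary-in-the-middle page relays the real challenge and asks for the real RP ID.
    challenge = rp.begin_login()
    try:
        Browser(PHISH_ORIGIN, auth).credentials_get(RP_ID, challenge)
        results["phish_relay"] = "assertion obtained"
    except ValueError:
        results["phish_relay"] = "browser refused rp_id"
    # 3. Even a signed assertion whose clientDataJSON names the phishing origin
    #    (say, from a tampered browser) fails the relying party's origin check.
    forged = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": PHISH_ORIGIN}).encode()
    results["forged_origin"] = rp.finish_login(forged, *auth.get_assertion(RP_ID, forged))
    return results
```

Note what the attacker with a stolen password is left with: there is no server-initiated push, so no prompt can be fired at the user's phone, and an assertion only comes into existence when the user touches the authenticator on the real origin.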
In a Zero Trust model, every access request is continuously evaluated based on identity, device, behavior, and risk level. MFA isn't just a checkbox to tick. It's part of an ongoing trust decision.
This is where modern identity platforms really shine. When identity is verified during onboarding and authentication occurs without passwords, MFA fatigue attacks are ineffective.
There's no push prompt an attacker can trigger from afar, no code to steal, and nothing for a bombardment to wear down.