What is the difference between MFA fatigue and credential stuffing?

MFA fatigue attacks target the user after valid credentials are already in hand, using repeated prompts or urgency to force approval. Credential stuffing uses leaked username and password pairs to try logins at scale. Both abuse identity trust, but MFA fatigue specifically tries to turn a legitimate approval flow into an access path.

Why This Matters for Security Teams

MFA fatigue and credential stuffing are both identity abuse techniques, but they sit at different points in the attack chain. Credential stuffing is opportunistic and scalable: attackers replay leaked username and password pairs against many accounts until some still authenticate. MFA fatigue is more targeted and social: once the password step has already succeeded, the attacker uses repeated push prompts or manufactured urgency to pressure a real user into approving access they did not request.

The practical risk is that teams often treat both as “MFA problems” and miss the different controls needed to stop them. Credential stuffing is best reduced with strong password hygiene, blocking known-breached passwords, rate limiting, bot detection, and a second factor on every login so that a correct password alone does not produce a session; phishing-resistant authenticators are the preferred second factor because they also deny the attacker the follow-on prompt-abuse path. MFA fatigue requires number matching, context-rich prompts, device-bound approvals, a cap on how many prompts one user can receive in a short window, and rapid anomaly detection on repeated push attempts. The distinction matters because one attack abuses password reuse at scale, while the other tries to convert a legitimate approval channel into a bypass.
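The three prompt-side controls named above (number matching, device-bound approval, a cap on outstanding prompts) are easiest to reason about as code. The block below is an added example written for this article, not code from the page or from any vendor's product: it models the identity-provider side of a push approval. The class and method names, the two-digit number range, and the thresholds (3 prompts per 300 seconds, 60-second prompt lifetime) are illustrative assumptions.

```python
"""Push-MFA prompt hardening: number matching, a prompt cap, and short lifetimes.

Added example for this article, not code from the page or from any vendor's
product. It models the identity-provider side of a push approval with the
controls the text names. Class, method names and thresholds are illustrative.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_PROMPTS_PER_WINDOW = 3   # illustrative: a 4th prompt inside the window is refused
WINDOW_SECONDS = 300
PROMPT_TTL_SECONDS = 60      # illustrative: stale prompts can no longer be approved


@dataclass
class Prompt:
    prompt_id: str
    user: str
    device_id: str     # the enrolled authenticator the prompt was sent to
    number: int        # two-digit number shown on the login screen, never in the push
    issued_at: float
    consumed: bool = False


class PushAuthenticator:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                              # injectable clock for testing
        self._prompts: Dict[str, Prompt] = {}
        self._issued: Dict[str, List[float]] = {}    # user -> recent issue times

    def issue_prompt(self, user: str, device_id: str) -> Optional[Prompt]:
        """Send a prompt, or refuse when the user already got too many in the window.

        Refusing is what breaks push spam: the attacker cannot keep the victim's
        phone buzzing. A refusal is also a detection signal worth alerting on.
        """
        now = self._now()
        recent = [t for t in self._issued.get(user, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_PROMPTS_PER_WINDOW:
            return None
        recent.append(now)
        self._issued[user] = recent
        prompt = Prompt(
            prompt_id=secrets.token_hex(8),
            user=user,
            device_id=device_id,
            number=secrets.randbelow(100),
            issued_at=now,
        )
        self._prompts[prompt.prompt_id] = prompt
        return prompt

    def approve(self, prompt_id: str, device_id: str, entered_number: int) -> bool:
        """Approve only a live, unused prompt from the bound device with the right number.

        A fatigued user who taps through without seeing the login screen has no
        number to type, so a spammed prompt cannot be turned into access by a
        reflexive approval.
        """
        prompt = self._prompts.get(prompt_id)
        if prompt is None or prompt.consumed:
            return False
        prompt.consumed = True   # one attempt per prompt, whatever the outcome
        if self._now() - prompt.issued_at > PROMPT_TTL_SECONDS:
            return False
        if device_id != prompt.device_id:
            return False
        return entered_number == prompt.number


def simulate_push_spam(auth: PushAuthenticator, user: str, device_id: str, attempts: int) -> int:
    """Attacker holding a valid password fires `attempts` logins; return how many prompts were refused."""
    refused = 0
    for _ in range(attempts):
        if auth.issue_prompt(user, device_id) is None:
            refused += 1
    return refused


if __name__ == "__main__":
    auth = PushAuthenticator()
    print("prompts refused out of 10:", simulate_push_spam(auth, "alice", "phone-1", 10))
```

The number is deliberately part of the approval call rather than of the prompt: the login screen shows it, the push notification does not, so only someone looking at the session being authorised can complete the approval. The cap turns the attacker's volume against them, since the fourth attempt in the window is refused instead of delivered.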

That difference also matters in identity governance. NIST SP 800-63 Digital Identity Guidelines emphasize stronger authenticators and better authentication assurance, while the OWASP Non-Human Identity Top 10 shows how reuse, weak secrets, and poor lifecycle controls create similar abuse paths for machine identities. In practice, many security teams discover MFA fatigue only after an approval has already been granted, rather than through intentional testing of the control path.

How It Works in Practice

Credential stuffing depends on breached credential sets, password reuse, and automation. Attackers test large volumes of username and password combinations against login portals, APIs, and SSO entry points, then keep the accounts that still authenticate. The telltale pattern in logs is many distinct usernames failing from a small set of sources in a short window with a low success rate, rather than one user failing repeatedly. The main defense is to reduce the value of stolen passwords and make automated reuse expensive. That means enforcing unique passwords, blocking known compromised credentials, adding bot controls, and prioritising phishing-resistant authentication methods where possible.

MFA fatigue is different because the password is often already valid. The attacker’s goal is to create decision fatigue, confusion, or urgency until the user approves a prompt they would normally reject. That means the control surface is the user’s approval workflow, not the password database. Current guidance suggests push approvals with number matching, context-rich prompts (application, location, device), device binding, session risk checks, and alerting on bursts of push prompts to one user, repeated denials or time-outs, and approvals that follow such a burst or arrive from an unexpected location. The NIST SP 800-63 Digital Identity Guidelines are a useful baseline when choosing authenticators and assessing assurance strength.
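The two detection signatures described in the preceding paragraphs are different enough to deserve separate logic: many accounts failing from one source for stuffing, one account flooded with prompts after a good password for fatigue. The block below is an added example written for this article, not code from the page or from any identity provider. The log format (`timestamp ip user EVENT`), the event names, the addresses and usernames, and the thresholds are all constructed for the demonstration and should be mapped onto a real IdP's event schema.

```python
"""Detections for credential stuffing and MFA fatigue over authentication logs.

Added example for this article, not code from the page or any identity provider.
Log format, event names, addresses, users and thresholds are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample: one source replays leaked passwords across many accounts and
# finds one that works (dave); a second source later reuses it and spams push
# prompts until dave approves. alice's login at 11:00 is a normal flow.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 203.0.113.7 alice PASSWORD_FAIL
2024-05-01T09:00:01Z 203.0.113.7 bob PASSWORD_FAIL
2024-05-01T09:00:01Z 203.0.113.7 carol PASSWORD_FAIL
2024-05-01T09:00:02Z 203.0.113.7 dave PASSWORD_OK
2024-05-01T09:00:02Z 203.0.113.7 erin PASSWORD_FAIL
2024-05-01T09:00:03Z 203.0.113.7 frank PASSWORD_FAIL
2024-05-01T09:00:03Z 203.0.113.7 grace PASSWORD_FAIL
2024-05-01T09:00:04Z 203.0.113.7 heidi PASSWORD_FAIL
2024-05-01T09:00:04Z 203.0.113.7 ivan PASSWORD_FAIL
2024-05-01T10:15:00Z 198.51.100.9 dave PASSWORD_OK
2024-05-01T10:15:01Z 198.51.100.9 dave PUSH_SENT
2024-05-01T10:15:20Z 198.51.100.9 dave PUSH_DENIED
2024-05-01T10:15:21Z 198.51.100.9 dave PUSH_SENT
2024-05-01T10:15:50Z 198.51.100.9 dave PUSH_TIMEOUT
2024-05-01T10:15:51Z 198.51.100.9 dave PUSH_SENT
2024-05-01T10:16:10Z 198.51.100.9 dave PUSH_DENIED
2024-05-01T10:16:11Z 198.51.100.9 dave PUSH_SENT
2024-05-01T10:16:30Z 198.51.100.9 dave PUSH_APPROVED
2024-05-01T11:00:00Z 192.0.2.44 alice PASSWORD_OK
2024-05-01T11:00:01Z 192.0.2.44 alice PUSH_SENT
2024-05-01T11:00:05Z 192.0.2.44 alice PUSH_APPROVED
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp ip user EVENT' lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, kind = line.split()
            events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, kind))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events: List[Event], window: timedelta = timedelta(seconds=60),
                               min_users: int = 6) -> List[dict]:
    """Flag sources whose password failures span >= min_users accounts in one window.

    Many accounts from one source is the stuffing signature; one account failing
    repeatedly looks like brute force or a forgotten password. Thresholds illustrative.
    """
    fails: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "PASSWORD_FAIL":
            fails[e.ip].append(e)
    findings = []
    for ip, evs in fails.items():
        best, start = 0, 0
        for end in range(len(evs)):                 # sliding window over failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, len({e.user for e in evs[start:end + 1]}))
        if best >= min_users:
            findings.append({"ip": ip, "distinct_users": best, "total_failures": len(evs)})
    return findings


def detect_mfa_fatigue(events: List[Event], window: timedelta = timedelta(seconds=300),
                       min_prompts: int = 3) -> List[dict]:
    """Flag users sent >= min_prompts push prompts within one window.

    An approval inside or shortly after the burst is rated high: the legitimate
    approval channel has most likely just been converted into access.
    """
    pushes: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind.startswith("PUSH_"):
            pushes[e.user].append(e)
    findings = []
    for user, evs in pushes.items():
        sent = [e.ts for e in evs if e.kind == "PUSH_SENT"]
        best, start = 0, 0
        for end in range(len(sent)):                # densest burst of prompts
            while sent[end] - sent[start] > window:
                start += 1
            if end - start + 1 > best:
                best, first, last = end - start + 1, sent[start], sent[end]
        if best < min_prompts:
            continue
        approved = any(e.kind == "PUSH_APPROVED" and first <= e.ts <= last + window for e in evs)
        findings.append({"user": user, "prompts": best, "approved_during_burst": approved,
                         "severity": "high" if approved else "medium"})
    return findings
```

Run on the constructed sample, the stuffing detector fires on 203.0.113.7 (eight distinct accounts in five seconds) and the fatigue detector fires on dave with a high severity, because the approval at 10:16:30 lands inside the prompt burst; alice's single prompt and approval produce nothing. In production the interesting tuning knobs are the two windows and whether an approval after a burst should also trigger a session revocation rather than only an alert.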

In credential exposure incidents, NHIs are often the hidden bridge between the initial leak and broad access. The Guide to the Secret Sprawl Challenge and Cisco Active Directory credentials breach illustrate how leaked secrets can be reused for automated access attempts long before a human notices. Even when the original target is a person, once credentials are harvested they often become a launchpad across human and non-human accounts. Push-based approval controls in particular tend to break down in environments with shared accounts, legacy VPNs, or push-only MFA deployments, because the approval channel becomes too easy to exhaust or impersonate.

Common Variations and Edge Cases

Tighter authentication often increases friction, so organisations must balance user convenience against attack resistance. That tradeoff is especially visible when a team tries to stop both attacks with one control and ends up weakening both. For example, repeated prompts may frustrate users into approval blindness, while over-aggressive login throttling can create denial-of-service risk for legitimate users.

There is no universal standard for handling every edge case, but current guidance suggests treating phishing-resistant MFA as the default for high-risk access and limiting push approvals to lower-risk workflows with strong compensating controls. Shared devices, help desk resets, and break-glass accounts deserve special handling because they can reintroduce the very trust assumptions that MFA fatigue exploits. Credential stuffing also behaves differently in consumer versus enterprise settings: consumer services usually face broader bot pressure, while enterprise apps often see fewer but more valuable attempts against SSO, legacy portals, and password reset flows.

The Ultimate Guide to NHIs — Static vs Dynamic Secrets is useful here because it shows why static credentials age badly under repeated attack, and the 230M AWS environment compromise demonstrates how exposed secrets can turn into broad access very quickly. In short, credential stuffing is a password-reuse problem, while MFA fatigue is an approval-abuse problem, and mature programs need different detections for each.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage; NHI9:2025 NHI Reuse | Leaked or reused secrets enable automated credential abuse across identities.
NIST SP 800-63 | 2.2 | Authenticator strength and phishing resistance directly affect both attack types.
NIST CSF 2.0 | PR.AA-03 (users, services, and hardware are authenticated) | Authentication management covers anti-bot and MFA abuse controls.

Add anomaly detection, rate limiting, and prompt hardening to authentication flows, and alert on bursts of push prompts and approvals that follow them, not only on password failures.