Push fatigue

A condition where repeated mobile approval prompts train users to approve authentication requests without careful review. Attackers exploit the fatigue to turn a human decision into an accidental bypass, especially after they already know the password.

Expanded Definition

Push fatigue is the loss of scrutiny that happens when users receive repeated mobile approval prompts until approval becomes automatic. In identity security, that matters because a push prompt is not just a notification; it is a decision point that can either stop or enable access. The risk increases when attackers already have the password and are trying to convert a second factor into a human error. Guidance varies across vendors on whether this should be treated as a user-awareness problem, an authentication design problem, or both, but the operational effect is the same: repeated prompts can wear down attention and create an accidental bypass. NHI Management Group treats push fatigue as a governance signal that MFA design, session policy, and authentication telemetry are not aligned with the actual attack path. Standards such as the NIST Cybersecurity Framework 2.0 emphasise protective controls and detection outcomes, which makes prompt discipline part of broader identity resilience. The most common misapplication is assuming every approval is a deliberate user choice, which occurs when repeated prompts are sent without rate limits, fraud detection, or number-matching controls.

Examples and Use Cases

Implementing push-based MFA rigorously often introduces friction for legitimate users, requiring organisations to weigh faster access against the cost of prompt hardening and monitoring.

  • An attacker obtains a password through phishing and then sends a burst of approval requests until the target approves one out of habit.
  • A contractor receives frequent prompts during a noisy workday and approves without checking location, device context, or transaction details.
  • A remote workforce uses a mobile authenticator that lacks number matching, making repeated prompts easier to exploit after credential theft.
  • Security teams correlate suspicious approval bursts with broader identity patterns described in the Ultimate Guide to NHIs to understand how account compromise can cascade into NHI abuse.
  • Zero Trust programs compare prompt frequency with risk signals from NIST Cybersecurity Framework 2.0 categories to decide when to step up authentication or block access.

Push fatigue also appears when help desks repeatedly re-enrol users after device changes, because the extra prompts train people to treat authentication as background noise rather than a meaningful control.

Why It Matters in NHI Security

Push fatigue matters in NHI security because the same behavioural weakness can be chained with compromised passwords, over-permissive service access, and weak escalation paths. Once a user approves the wrong request, attackers often inherit access that reaches beyond the human account into connected systems, shared workspaces, and delegated automation. This is especially dangerous in environments where identity controls are already under strain: according to the Ultimate Guide to NHIs, NHI Management Group reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that 90% of IT leaders say properly managing NHIs is essential for successful zero-trust implementation. That context shows why a weak human approval path can become the entry point to a much larger identity failure. The control lesson is to reduce prompt volume, add context-aware verification, and treat repeated approvals as a detection event, not routine behaviour. Organisations typically encounter the impact only after an account takeover or lateral movement incident, at which point addressing push fatigue becomes operationally unavoidable.
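The three controls named in this entry (rate-limiting prompts, context-aware verification of the approving login, and treating an approval that follows a burst of denied or ignored prompts as a detection event) are illustrated below. This is an added example written for this glossary entry; it is not NHI Management Group's code and mirrors no vendor's authenticator API. The event records, the per-user baseline of known addresses, and the threshold values are all constructed or assumed for the illustration.

```python
"""Push-fatigue controls: prompt rate limiting plus burst/context detection.

Hypothetical illustration; not NHI Management Group's code and not any
vendor's authenticator API. Event records below are constructed sample data
and the thresholds are assumed policy values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values (not taken from the page).
MAX_PROMPTS_PER_WINDOW = 3          # prompts one user may receive per window
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3                 # denied/ignored prompts before an approval is suspect


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    outcome: str        # "approved", "denied" or "timeout"
    source_ip: str      # address of the login attempt that raised the prompt


class PushPromptGate:
    """Preventive control: refuse to send more than N prompts per user per window."""

    def __init__(self, max_prompts=MAX_PROMPTS_PER_WINDOW, window=WINDOW):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)     # user -> timestamps of prompts already sent

    def allow_prompt(self, user: str, now: datetime) -> bool:
        q = self._sent[user]
        while q and now - q[0] > self.window:
            q.popleft()                     # drop prompts that fell outside the window
        if len(q) >= self.max_prompts:
            return False                    # throttle: further prompts only train fatigue
        q.append(now)
        return True


def detect_fatigue_approvals(events, known_ips, burst_threshold=BURST_THRESHOLD, window=WINDOW):
    """Detective control: flag approvals that look like a worn-down user.

    An approval is alerted when, within `window`, the same user already denied or
    ignored at least `burst_threshold` prompts, or when the approving login came
    from an address absent from the user's baseline (`known_ips`).
    """
    alerts = []
    unanswered = defaultdict(deque)         # user -> timestamps of denied/timeout prompts
    for ev in sorted(events, key=lambda e: e.ts):
        q = unanswered[ev.user]
        while q and ev.ts - q[0] > window:
            q.popleft()
        if ev.outcome in ("denied", "timeout"):
            q.append(ev.ts)
            continue
        if ev.outcome != "approved":
            continue
        burst = len(q)
        new_ip = ev.source_ip not in known_ips.get(ev.user, set())
        if burst >= burst_threshold or new_ip:
            alerts.append({
                "user": ev.user,
                "approved_at": ev.ts.isoformat(),
                "prior_failed_prompts": burst,
                "new_source_ip": new_ip,
                "source_ip": ev.source_ip,
            })
        q.clear()                           # an approval closes this prompt sequence
    return alerts


# Constructed sample data: alice's routine login and a prompt burst against bob.
T0 = datetime(2024, 1, 15, 9, 0, 0)
KNOWN_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.9"}}
SAMPLE_EVENTS = [
    PushEvent(T0, "alice", "approved", "10.1.1.5"),
    PushEvent(T0 + timedelta(minutes=1), "bob", "denied", "203.0.113.7"),
    PushEvent(T0 + timedelta(minutes=2), "bob", "timeout", "203.0.113.7"),
    PushEvent(T0 + timedelta(minutes=3), "bob", "timeout", "203.0.113.7"),
    PushEvent(T0 + timedelta(minutes=4), "bob", "denied", "203.0.113.7"),
    PushEvent(T0 + timedelta(minutes=5), "bob", "approved", "203.0.113.7"),
]


def simulate_gate(events, gate=None):
    """Replay prompt requests through the gate; returns the allow/refuse decision per event."""
    if gate is None:
        gate = PushPromptGate()
    return [gate.allow_prompt(ev.user, ev.ts) for ev in events]


if __name__ == "__main__":
    print("gate decisions:", simulate_gate(SAMPLE_EVENTS))
    for alert in detect_fatigue_approvals(SAMPLE_EVENTS, KNOWN_IPS):
        print("ALERT:", alert)
```

On the constructed data the gate allows bob's first three prompts and refuses the fourth and fifth, so the sequence that ends in an approval could not have been delivered in full; the detector, run over the same events as they would appear in authentication logs, raises one alert for bob because four prompts were denied or ignored within the window before the approval and the approving login came from an address outside his baseline. The two controls are deliberately independent so that the detection still fires when the rate limit is absent or misconfigured.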

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Agentic AI Top 10 | | Agentic and interactive auth flows must resist prompt abuse and unsafe user-decision patterns. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication should support resilient, context-aware access decisions. |
| NIST Zero Trust (SP 800-207) | DP-3 | Zero Trust assumes each access request must be continuously evaluated, not blindly approved. |

Limit repeated approval prompts and add contextual challenge logic to prevent accidental bypass.