Subscribe to the Non-Human & AI Identity Journal

Push Fatigue Attack

A push fatigue attack is a social engineering technique that overloads a user with repeated authentication prompts until one is approved. The attack abuses human response patterns rather than breaking the authentication system, which makes the approval event itself the weak point in the access decision.

Expanded Definition

push fatigue attack is a prompt-bombing social engineering pattern that targets the authentication approval step rather than the credential itself. In practice, an attacker repeatedly sends MFA notifications until the user accepts one out of annoyance, haste, confusion, or a mistaken belief that the request is legitimate. The term is used most often in environments that rely on push-based MFA for human access, but the underlying risk also matters for admin consoles, cloud control planes, and other high-impact access paths where one approval can unlock broad privileges.

Definitions vary across vendors, but the security issue is consistent: the attacker is exploiting notification overload and user habituation. It is closely related to MFA bombing, yet the operational focus is on manipulating the person receiving the prompt, not breaking the second factor. For a broader NHI governance context, this sits alongside the approval and entitlement weaknesses highlighted in the OWASP NHI Top 10 and the control gaps discussed in the Ultimate Guide to NHIs. The most common misapplication is treating every unexpected push approval as a simple user mistake, which occurs when monitoring lacks context around repeated prompt bursts, geolocation anomalies, and privileged sign-in timing.

Examples and Use Cases

Implementing resistance to push fatigue often introduces a tradeoff between user convenience and stronger sign-in friction, requiring organisations to balance fast access against prompt suppression, number matching, or step-up verification. Standards such as NIST SP 800-53 Rev 5 Security and Privacy Controls support that balance by framing authentication as a control objective, not a single product feature. NHIMG research also shows why this matters: the Ultimate Guide to NHIs – Why NHI Security Matters Now reports that 80% of identity breaches involved compromised non-human identities, which makes any weak approval workflow strategically important.

  • An employee receives a stream of MFA pushes after an attacker already has a password from a phishing kit, and one accidental tap grants access to email and cloud apps.
  • A help desk technician approves a prompt while multitasking, allowing an intruder to pivot into an admin portal and create persistent access.
  • A contractor ignores repeated prompts until a “deny all” policy or alerting system flags the event, showing how defensive tooling can interrupt the fatigue loop.
  • An organisation replaces raw push approval with number matching or phishing-resistant authentication after repeated prompt bombing attempts against remote staff.
  • Security teams correlate prompt volume with login geography and device health to identify push fatigue behavior before a successful session is established, using intelligence patterns similar to those described in the CISA cyber threat advisories.

Why It Matters in NHI Security

Push fatigue attack is not only a human-factor problem. It exposes a broader identity control weakness: the system trusts a momentary approval too much. In NHI-heavy environments, that weakness matters because the same approval pattern can protect access to CI/CD pipelines, secrets managers, service dashboards, and AI tooling. NHIMG research indicates that 79% of organisations have experienced secrets leaks and 91.6% of secrets remain valid five days after notification, showing how one compromised access path can quickly become a longer-lived governance failure when revocation is slow. The risk is amplified in agentic workflows where a single compromised human session can authorize actions that indirectly affect NHIs or the secrets they use. Guidance on identity abuse in the 52 NHI Breaches Analysis and the broader control discussion in Top 10 NHI Issues both reinforce the need to treat approval integrity as part of identity governance, not just authentication UX. Organisations typically encounter the consequences only after an unauthorized session is used to reach sensitive systems, at which point push fatigue attack becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A03 Prompt abuse and approval misuse are part of agentic access-control failure modes.
OWASP Non-Human Identity Top 10 NHI-07 Identity approval weaknesses can expose secrets and privileged NHI-linked access paths.
NIST CSF 2.0 PR.AA-1 Identity and authentication assurance controls cover approval-based MFA weaknesses.
NIST SP 800-63 AAL2 Push-based approval alone may not satisfy stronger assurance expectations for sensitive access.
NIST Zero Trust (SP 800-207) PA-1 Zero trust requires continuous verification beyond a single successful prompt approval.

Re-evaluate trust after each sign-in and restrict downstream access when authentication behavior is abnormal.