By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Breaches & Incidents
Source: Axiad

TL;DR: Cisco’s breach analysis shows that stolen credentials, push-notification fatigue, and vishing can still defeat conventional MFA when attackers target the human approval path, according to Axiad. Phishing-resistant authentication and tighter push-app controls remain the practical answer, not more confidence in passwords or basic push prompts.


At a glance

What this is: Axiad’s analysis of the Cisco breach, whose key finding is that credential theft combined with MFA fatigue and vishing can still bypass push-based authentication.

Why it matters: Identity teams must treat authentication method choice, user education, and push-app registration controls as linked risk controls across human IAM and adjacent NHI programmes.


👉 Read Axiad's analysis of the Cisco data breach and MFA fatigue lessons


Context

The Cisco breach is a reminder that authentication can fail even when MFA is present, because the attacker often targets the person behind the account rather than the control itself. In this case, stolen credentials, push fatigue, and vishing were used together to push the user into approving access.

For IAM teams, the lesson is not that MFA is obsolete. The lesson is that push-based MFA, shared secrets, and weak registration controls create an approval path that determined attackers can exploit, especially when users are trained only to treat login as the security boundary.


Key questions

Q: How should security teams reduce MFA fatigue risk in push-based authentication?

A: Security teams should reduce MFA fatigue risk by limiting push enrollment, adding number matching or equivalent challenge friction, and monitoring repeated authentication prompts from the same source. The strongest control is to replace push for high-value users with phishing-resistant methods so that a coerced approval cannot complete the login path.

Q: Why do stolen credentials still matter when MFA is enabled?

A: Stolen credentials still matter because they give attackers a valid starting point inside the identity flow. With a real username and password, an attacker can trigger MFA prompts, mount social engineering, and exploit weak recovery processes. MFA reduces risk, but it does not remove the value of the initial secret.

Q: What do organisations get wrong about push notification MFA?

A: Organisations often treat push MFA as if user approval were equivalent to strong proof of identity. In practice, the approval step is human and therefore pressure-sensitive. If users can be fatigued, impersonated, or rushed, the authentication model is weaker than the policy suggests.

Q: Who is accountable when vishing leads to account compromise?

A: Accountability sits with the organisation that designed the authentication and recovery model, not with the user alone. Security leaders, IAM owners, and help-desk operations all share responsibility for registration checks, reset flows, and access verification rules that can either absorb or amplify social engineering.


Technical breakdown

How push MFA fails under fatigue and vishing

Push-based MFA asks a user to approve a login attempt on a second device. That adds friction, but it still depends on human judgment at the moment of challenge. Attackers can spam requests until the user approves them out of annoyance, confusion, or compliance, which is commonly called MFA fatigue. Vishing strengthens that pressure by using voice-based social engineering to impersonate help desk staff or another trusted party. The technical weakness is not the factor itself, but the trust model around the approval event. If the user can be persuaded, the control can be bypassed without breaking cryptography.

Practical implication: limit push registrations, harden challenge workflows, and prefer phishing-resistant methods for high-risk access.
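As an added illustration of the monitoring control named in the Q&A and in the practical implication above (not code from Axiad or from the Cisco analysis), here is a sliding-window detector in Go over constructed push-MFA events: it surfaces any user who received at least minPrompts prompts inside one window, and the burst it returns shows whether a run of rejections ended in an approval. The PushEvent fields, the "denied"/"timeout"/"approved" result values and the sample log are assumptions for this example, not a vendor schema.

```go
package main

import "time"

// PushEvent is one push-MFA prompt outcome as an identity provider might log it.
// The field names are assumed for this example; they are not a vendor schema.
type PushEvent struct {
	User   string
	Time   time.Time
	Result string // "denied", "timeout" or "approved"
}

// DensestBursts returns, for each user who received at least minPrompts push
// prompts inside some sliding window of the given length, the events of their
// densest such window. Events must be sorted by time. A run of rejected prompts
// that ends in an approval is the fatigue signature; a run with no approval is
// an attempt in progress and still worth a call to the user.
func DensestBursts(events []PushEvent, window time.Duration, minPrompts int) map[string][]PushEvent {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	bursts := map[string][]PushEvent{}
	for user, evs := range byUser {
		best, start := []PushEvent(nil), 0
		for i, e := range evs {
			for e.Time.Sub(evs[start].Time) > window {
				start++ // advance the window start so the window ends at e
			}
			if burst := evs[start : i+1]; len(burst) > len(best) {
				best = burst
			}
		}
		if len(best) >= minPrompts {
			bursts[user] = best
		}
	}
	return bursts
}

// SampleEvents is a constructed log: alice is hammered with five rejected prompts
// in four minutes and then approves; bob and carol show ordinary single approvals.
func SampleEvents() []PushEvent {
	at := func(m int) time.Time { return time.Date(2025, 9, 16, 8, m, 0, 0, time.UTC) }
	return []PushEvent{
		{"bob", at(0), "approved"}, {"alice", at(1), "denied"}, {"alice", at(2), "denied"},
		{"alice", at(2), "timeout"}, {"alice", at(3), "denied"}, {"alice", at(4), "denied"},
		{"alice", at(5), "approved"}, {"carol", at(6), "approved"}, {"carol", at(70), "approved"},
	}
}
```

Over SampleEvents with a 10-minute window and a threshold of 4, only alice's six-prompt burst is returned; tune both parameters to the tenant's normal prompt rate so that legitimate retries do not fire.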

Why compromised credentials still matter when MFA exists

A compromised password remains a useful entry point because it gives the attacker a real account context before the MFA prompt appears. Once the adversary has the username and password, they can trigger repeated login attempts, observe user behaviour, and mount social engineering with much higher credibility. This is why password theft and MFA abuse are often chained together rather than treated as separate threats. In IAM terms, the credential is the foothold and the authentication ceremony becomes the battleground. Stronger MFA reduces risk, but it does not erase the value of stolen primary credentials.

Practical implication: treat password compromise as an identity event, not just an authentication failure, and accelerate phishing-resistant rollout.

Why phishing-resistant authentication changes the attack surface

Phishing-resistant methods such as FIDO2 and PIV bind authentication to a cryptographic challenge that is much harder to relay or coerce through a fake prompt. They reduce dependence on shared secrets and make remote social engineering less effective because the attacker cannot simply trick a user into transferring an approval. CISA has long treated these methods as a core Zero Trust building block because they narrow the attacker’s options after initial credential exposure. The key architectural shift is moving from user-approved login events to device-bound, origin-validated authentication.

Practical implication: prioritise phishing-resistant authentication for administrators, remote workers, and any account exposed to high-value targets.


Threat narrative

Attacker objective: The attacker’s objective was to gain authenticated access to the employee’s account and reach Cisco data without needing to break the underlying MFA system.

  1. Entry began with stolen credentials taken from the employee’s personal account, giving the attacker a legitimate username and password to work with.
  2. Escalation followed through repeated MFA fatigue prompts and vishing calls that pressured the user into approving access through the push channel.
  3. Impact was account compromise and access to Cisco data, showing that a trusted authentication path can become the attacker’s delivery mechanism when the user is the control point.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Push-based MFA is a control, not an identity boundary. The Cisco breach shows that approval-based authentication can be socially engineered even when it is technically functioning as designed. When the user becomes the final security decision point, the control inherits human fatigue, confusion, and trust errors. Practitioners should treat push MFA as a risk reducer, not a terminus for identity assurance.

Phishing-resistant authentication should be the default for high-value identities. Passwords and push prompts create a compound failure mode when attackers can first obtain credentials and then coerce approval. That combination is now a recurring identity pattern across enterprise environments, especially for privileged and remote access. IAM programmes should re-evaluate where human-approved authentication is still acceptable versus where device-bound methods are required.

Trusted support impersonation is an identity exploit, not just a social problem. Vishing works because users are trained to accept help-desk style authority inside the authentication flow. That means the governance gap sits in registration rules, support verification processes, and user training, not only in endpoint tooling. Organisations need to treat impersonation as part of access control design, not a separate awareness topic.

Credential theft and MFA fatigue create a layered access path that basic hygiene does not break. The attacker did not need a novel exploit chain, only a stolen secret, a persuadable user, and a permissive push channel. That makes this breach a strong example of the identity attack surface expanding through the weakest human-mediated step. Security leaders should use it to pressure-test how much of their authentication trust model still depends on user discipline.

Identity attack surface is increasingly shaped by user interaction, not just technical exposure. Once an account can be reached through repeated approval prompts, help-desk mimicry, or personal-account compromise, the real control plane includes behaviour. This is why mature identity programmes now assess both the credential and the surrounding approval process. The practitioner conclusion is straightforward: measure the human path into authentication as carefully as the cryptographic one.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly exposure can become repeat compromise.
  • For a broader breach lens, read 52 NHI Breaches Analysis to see recurring failure patterns across identities and access paths.

What this signals

Push approval is becoming a governance signal, not just an authentication method. Teams that still rely on user-approved prompts for high-value access should assume the approval channel itself is part of the attack surface. A more mature programme will measure prompt volume, re-enrollment activity, and support-driven reauthentication as risk indicators, then tighten controls around the paths attackers can socially engineer.

Identity programmes need a separate control lens for coercion-resistant authentication. Passwordless and device-bound methods are no longer just user-experience improvements. They are the practical response to a category of attacks that combine stolen secrets with human pressure, and they reduce the number of places an attacker can turn authentication into an influence exercise.

As identity boundaries move closer to user behaviour, the next failure mode is often the help desk. Organisations that improve MFA without hardening recovery and device-registration processes are only shifting the target. The operational priority is to align identity proofing, reset workflows, and escalation paths with the same level of scrutiny applied to privileged access.


For practitioners

  • Shift high-risk accounts to phishing-resistant methods: Use FIDO2 or PIV for administrators, remote access, and any account likely to be targeted with credential theft and social engineering. Keep push MFA only where the business case is clear and the residual risk is acceptable.
  • Tighten push-app registration controls: Restrict where push authenticators can be enrolled, require stronger verification before device registration, and monitor for unusual re-enrollment activity after credential compromise.
  • Train users on MFA fatigue and vishing cues: Use realistic simulations that teach users to reject repeated prompts, challenge unsolicited support calls, and report unexpected authentication requests immediately.
  • Review recovery and help-desk verification paths: Map the full process used to reset passwords, rebind devices, and approve access recovery, then remove any step that can be socially engineered through impersonation.

Key takeaways

  • The Cisco breach shows that MFA can fail operationally even when the underlying mechanism is working, because attackers target the user approval step.
  • Stolen passwords, MFA fatigue, and vishing form a repeatable identity attack pattern that simple awareness training does not fully stop.
  • Phishing-resistant authentication, tighter device registration, and stricter recovery flows are the controls that materially reduce this class of compromise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST SP 800-63               |                     | Covers authentication assurance and phishing-resistant methods discussed in the breach.
NIST Zero Trust (SP 800-207) | PR.AC-1             | Zero Trust assumes strong identity proofing and continuous verification for access decisions.
NIST CSF 2.0                 | PR.AC-7             | The breach is about limiting the impact of credential abuse and authentication weakness.

Use phishing-resistant authenticators for sensitive accounts and reduce reliance on password plus push approval.


Key terms

  • Phishing-resistant authentication: Authentication that cannot be easily replayed, relayed, or tricked through a fake prompt. It usually depends on device-bound cryptography rather than shared secrets or user-approved push notifications, which makes it much harder for attackers to turn stolen credentials into account takeover.
  • MFA fatigue: A social engineering tactic that overwhelms a user with repeated authentication prompts until they approve one out of annoyance, confusion, or pressure. The method works because the approval step is human, so the control can be bypassed without breaking the underlying authentication technology.
  • Push notification authentication: An MFA method that asks a user to confirm a login attempt from another device, usually a mobile app. It improves security over passwords alone, but it creates an approval event that attackers can target with impersonation, repetition, and timing pressure.
  • Identity attack surface: The full set of identities, credentials, recovery paths, and human decision points that an attacker can exploit to obtain access. It includes technical controls and the workflows around them, because credential compromise often becomes account compromise through the surrounding process.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad covering the Cisco data breach: lessons learned from Cisco's account compromise and MFA fatigue attack. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org