By NHI Mgmt Group Editorial TeamPublished 2026-01-26Domain: Governance & RiskSource: GlobalSign

TL;DR: MFA fatigue turns repeated prompts into a security weakness, and prompt bombing can pressure users into approving unauthorized access, according to GlobalSign’s analysis. The underlying issue is that authentication designs still assume users can sustain constant vigilance, which is no longer a safe governance assumption.


At a glance

What this is: This is an analysis of MFA fatigue, showing how repeated authentication prompts can erode user vigilance and create opportunities for prompt bombing and unauthorized approval.

Why it matters: It matters because IAM teams cannot treat MFA as a one-time control choice; they have to design for human behaviour, risk-based authentication, and user experience together.

By the numbers:

👉 Read GlobalSign's analysis of MFA fatigue and adaptive authentication


Context

MFA fatigue is the point at which repeated authentication prompts stop improving security and start reducing it. In human identity programmes, that matters because the control depends on user attention as much as on policy, and prompt overload can make people approve requests they would normally question.

The article argues that push-based MFA and constant verification create friction that attackers can exploit through prompt bombing. The operational question for IAM teams is not whether MFA should exist, but how to reduce unnecessary challenge volume without weakening assurance for high-risk access.

This is a human identity problem first, but it also affects broader identity governance because poor authentication design can normalise risky behaviour across the workforce. That makes MFA fatigue relevant to SSO, conditional access, passwordless adoption, and security training together.


Key questions

Q: How should security teams reduce MFA fatigue without weakening access security?

A: Use adaptive authentication so users are challenged only when risk changes, not on every login. Combine device trust, location, behaviour, and session context to reduce unnecessary prompts, then keep stronger step-up controls for high-risk access paths. The goal is less friction for routine work and higher assurance where it matters most.

Q: Why does prompt bombing work against MFA users?

A: Prompt bombing works because repeated requests create fatigue, and fatigue pushes users toward approval without careful review. The attacker is exploiting human exhaustion, not breaking the factor itself. Organisations should limit repeated prompts, add request context, and make suspicious login attempts easier for users to recognise quickly.

Q: What do organisations get wrong about push-based MFA?

A: They often treat push MFA as a fixed safeguard rather than a control that depends on user behaviour and prompt quality. When the same action is requested too often, users stop treating it as meaningful. Security teams should measure how often prompts appear and whether they still signal real risk.

Q: Who is accountable when users approve malicious MFA prompts?

A: Accountability sits with the organisation’s identity governance and access design, not just with the end user. If the control model makes false approvals likely, the programme has failed to manage authentication risk properly. Teams should review policy design, alert fatigue, and challenge frequency as part of access governance.


Technical breakdown

Why push-based MFA creates approval fatigue

Push notifications are effective only when the user can reliably distinguish legitimate from malicious prompts. When requests arrive repeatedly, the brain starts to optimise for relief rather than verification, and the result is autopilot approval. That is not a failure of a single factor, but of the interaction model between authentication frequency, user context, and alert design. In practice, the more often a system interrupts the user, the more likely it is that the user treats security as routine noise rather than a decision point.

Practical implication: reduce avoidable prompts and reserve interactive MFA for sessions that genuinely change the risk profile.

How prompt bombing turns MFA into a social engineering vector

Prompt bombing works because the attacker does not need to defeat the second factor technically, only psychologically. By sending enough push requests, the attacker turns denial into fatigue and fatigue into approval. This is especially effective where the organisation has normalised frequent challenges without additional context, device signals, or number-matching controls. The underlying weakness is not MFA itself, but the absence of rate-limiting, context sensitivity, and prompt content that helps the user recognise unexpected access attempts.

Practical implication: add number matching, device context, and throttling so repeated prompts cannot become a viable coercion path.

Adaptive MFA and zero trust as a control model

Adaptive MFA changes the control from static to conditional. Instead of asking for the same level of challenge every time, it evaluates device trust, location, user behaviour, and session risk before deciding how much friction to add. That fits zero trust architecture because access is continuously evaluated rather than assumed after the first login. The architectural point is simple: security that ignores context forces users to carry the burden, while security that uses context can reserve stronger challenge for exceptions rather than routine work.

Practical implication: align conditional access policies with zero trust principles and tune them against actual user journeys.


Threat narrative

Attacker objective: The attacker wants to turn user fatigue into unauthorised access by getting a legitimate MFA approval for a malicious login attempt.

  1. Entry begins when an attacker targets a user account and repeatedly triggers MFA prompts until the user is conditioned to approve one.
  2. Escalation occurs when a single approved prompt grants access to the attacker, bypassing the intended second factor through psychological pressure rather than technical compromise.
  3. Impact follows when the attacker uses the approved session to access corporate systems and move from authentication abuse to broader account compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

MFA fatigue is a human identity failure, not a user discipline problem. Repeated prompts turn authentication into background noise, and that changes the control outcome even when the technology itself is functioning as designed. The governance lesson is that IAM cannot assume constant human attention as a durable control condition. Practitioners should treat authentication friction as a measurable security variable, not a UX footnote.

Prompt bombing exposes a control gap in risk-based authentication design. The attack succeeds because the organisation allows repeated challenge without enough context to distinguish expected from suspicious access. That is a failure of challenge orchestration, not a weakness in user intent. Teams should recognise that MFA effectiveness depends on when and how prompts are issued, not simply on whether MFA is enabled.

Adaptive authentication is now a core identity governance requirement. Static MFA policies were built for a world where every login looked similar and user tolerance could be assumed. That assumption no longer holds when users are saturated with alerts and attackers can exploit habituation. The practical conclusion is that authentication policy must be tied to session risk, device confidence, and behavioural signal quality.

MFA attention debt: The more an organisation asks users to prove themselves, the more it accrues a hidden cost in vigilance and compliance drift. That debt is paid when staff begin approving prompts reflexively or bypassing controls informally. IAM leaders should audit where authentication demand exceeds human tolerance and redesign those journeys before attackers do.

Zero trust only works when step-up controls are selective. Continuous verification does not mean continuous interruption. If every session is treated as equally suspicious, users learn to ignore the signal and the control loses value. Practitioners should reserve stronger authentication for high-risk transitions, because the control is strongest when it is rare enough to be meaningful.

From our research:

  • 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, which shows how often identity governance breaks after access is granted.
  • For a broader view of why identity governance is struggling across machine and human identities, see the Ultimate Guide to NHIs.

What this signals

MFA attention debt: the more an organisation trains users to expect routine prompts, the less meaningful those prompts become. That pattern matters beyond authentication because it teaches the workforce to treat security decisions as background noise, which weakens the whole identity programme.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the same governance instinct appears across machine and human identity: controls fail when they are too broad, too frequent, or too hard to use well.

Teams should look at MFA fatigue as an early signal that identity design is drifting away from actual user behaviour. When authentication becomes tiring, attackers gain an opening, and the programme needs fewer interruptions, better context, and cleaner access journeys.


For practitioners

  • Reduce routine MFA prompt volume Review where users receive repeated, low-value prompts and collapse those flows into fewer, risk-based challenges. Prioritise applications and sign-in paths that generate the most authentication noise and remove unnecessary step-up events.
  • Add prompt-bombing resistance Enable number matching, request throttling, and device context so repeated approval prompts cannot be treated as harmless background activity. Make the prompt itself carry enough signal that users can identify unexpected access attempts.
  • Tune conditional access around real context Use device trust, location, session history, and behavioural signals to decide when MFA should interrupt the user. This lowers friction for normal work and reserves stronger challenges for abnormal conditions.
  • Measure authentication fatigue as a control signal Track approval rates, repeated denial patterns, and help desk reports of MFA overload. If the control generates high friction with little risk differentiation, the policy is probably being overused rather than well-governed.

Key takeaways

  • MFA fatigue turns an authentication control into a usability problem that attackers can exploit through repeated prompts and user conditioning.
  • The scale of the identity governance gap is visible in the data, with only 5.7% of organisations claiming full visibility into service accounts.
  • IAM teams should reduce prompt volume, add contextual challenge, and treat authentication fatigue as a measurable security risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-7Continuous verification and authentication behaviour are central to MFA fatigue.
NIST Zero Trust (SP 800-207)Zero trust supports conditional, context-aware step-up authentication.
NIST SP 800-63SP 800-63BAuthenticator management and authentication assurance are directly relevant to MFA design.
NIST SP 800-53 Rev 5IA-2IA-2 governs identification and authentication for access to systems and applications.

Review MFA design against SP 800-63B and remove authentication patterns that increase user error and fatigue.


Key terms

  • MFA fatigue: The erosion of user attention and judgement caused by repeated multifactor authentication prompts. In practice, it turns a strong control into a predictable approval habit when alerts are too frequent, too similar, or too poorly contextualised for the user to evaluate safely.
  • Prompt bombing: A social engineering technique that floods a user with repeated authentication requests until one is approved out of frustration or confusion. The weakness is behavioural, not cryptographic, and it becomes more effective when organisations lack throttling, context signals, or clear prompt design.
  • Adaptive authentication: An authentication approach that changes the challenge level based on device trust, user behaviour, location, and session risk. It reduces unnecessary friction for normal access while reserving stronger verification for situations that look unusual or risky.
  • Authentication fatigue: A broader state in which repeated security checks cause users to stop treating authentication as a meaningful decision. It is a governance problem as much as a usability issue, because control effectiveness depends on sustained human judgement, not just policy enforcement.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • How to tune MFA prompts so routine logins do not create unnecessary fatigue.
  • Examples of adaptive authentication and contextual challenge patterns for everyday user access.
  • Discussion of user experience, change management, and security culture around MFA adoption.
  • The article's practical framing of why simple awareness campaigns do not fix structural prompt overload.

👉 GlobalSign's full post covers the human factors, prompt bombing risk, and usability trade-offs in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org