By NHI Mgmt Group Editorial Team
Published 2024-01-24
Domain: Governance & Risk
Source: 1Kosmos

TL;DR: MFA fatigue turns repetitive authentication prompts into an attack path by conditioning users to approve requests, reuse passwords, or trust spoofed login flows, according to 1Kosmos. The real issue is not user inconvenience alone but control design that assumes human vigilance will hold under repeated challenge pressure.


At a glance

What this is: This is an analysis of MFA fatigue and how repeated authentication prompts can be exploited through phishing, spoofed login pages, and approval misuse.

Why it matters: It matters because identity teams need controls that reduce user friction without creating approval fatigue, weak verification habits, or gaps in human IAM and access governance.



Context

MFA fatigue is the point at which repeated authentication prompts stop helping security and start training people to approve too quickly. In practice, the problem sits at the intersection of human identity, authentication design, and social engineering, where an attacker benefits from alert exhaustion rather than technical compromise.

For IAM teams, the failure mode is not that MFA is inherently weak. The failure is that the user experience can become so repetitive that legitimate users stop distinguishing a genuine challenge from a malicious one, especially when the login flow is paired with phishing, spoofed pages, or push-spam approval abuse.


Key questions

Q: How should security teams reduce MFA fatigue without weakening authentication?

A: Security teams should reduce unnecessary repeat prompts, use risk-based step-up only where it changes the assurance level, and reserve stronger verification for privileged or unusual access. The goal is not fewer controls overall. It is fewer low-value interruptions that train users to approve without thinking.

Q: Why do repeated MFA prompts increase the risk of account compromise?

A: Repeated prompts increase risk because they condition users to respond automatically, especially when paired with urgency or familiar login screens. Attackers exploit that habit by sending approval requests until one is accepted or by steering users toward a spoofed page that captures credentials before MFA can help.

Q: What do organisations get wrong about MFA and user behaviour?

A: Many organisations assume users will always treat an MFA prompt as a meaningful security event. In practice, prompt overload turns the challenge into routine friction, which makes social engineering more effective and weakens the value of the factor even when the technology is functioning correctly.

Q: How can teams tell whether MFA is causing approval fatigue?

A: Look for unusually high prompt rates, repeated denials followed by eventual approvals, and login paths that generate frequent help desk complaints or bypass requests. Those signals show the control is creating workload without proportionate security benefit and may need redesign, not just enforcement.


Technical breakdown

How MFA fatigue creates an approval attack surface

MFA fatigue works by turning authentication into a repeated behavioural test instead of a single verification event. When users see many prompts, they begin to optimise for speed and familiarity, which lowers scrutiny. Attackers exploit that state by pairing stolen credentials with repeated push requests, urgency messaging, or spoofed login flows. The security issue is not the challenge itself, but the human tendency to normalise frequent prompts and treat them as background noise. Once that happens, the attacker no longer needs to defeat the factor directly. They only need the user to approve, ignore, or misread the request.

Practical implication: reduce repeated prompts where possible and add verification signals that do not depend on user fatigue resistance.

Why phishing and spoofed login pages work so well against fatigued users

Phishing becomes more effective when users are already conditioned to expect authentication friction. In that environment, a convincing message that asks them to “confirm” access feels ordinary rather than suspicious. Spoofed login pages exploit the same habit loop by copying familiar UX patterns and capturing credentials before MFA even comes into play. The article’s core point is that MFA fatigue is not the attack itself. It is the state of mind that lets social engineering lower the user’s guard, especially when the difference between a real prompt and a fake one is only a few visual cues.

Practical implication: train users to verify origin, not just content, and pair MFA with phishing-resistant authentication where feasible.

Biometrics and adaptive authentication as fatigue reducers

The most useful response to MFA fatigue is not simply more steps. It is stronger identity assurance with less repetitive user burden. Biometrics, adaptive authentication, and identity proofing try to reduce the number of times a user must make a conscious approval decision while still preserving assurance. The architectural goal is to shift from repeated challenge-response loops toward context-aware verification that can distinguish routine access from risky access. That matters because the more often a user must actively decide, the more opportunities an attacker gets to exploit tired, distracted, or rushed behaviour.

Practical implication: replace blanket prompt frequency with risk-based authentication paths and stronger proofing for high-risk access.
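The risk-based path described in this section, shown as an added example by the editor (this is not 1Kosmos's or NHIMG's code). It assumes a session record that remembers which authenticator established it and when, and a request that says whether the action is privileged; the assurance levels, the authenticator-to-level mapping and the two timeouts are assumptions for the illustration. The point it makes concrete: a second prompt is only issued when it raises assurance (new device, stale session, privileged action without a phishing-resistant authenticator), never merely because another application was opened.

```python
"""Risk-based step-up: prompt only when it raises assurance.

Added example by the editor, not code from 1Kosmos or NHIMG. The session and
request fields, the assurance levels and the timeouts are assumptions for the
illustration; the levels borrow the AAL1-3 ladder of NIST SP 800-63B in spirit only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

AAL1, AAL2, AAL3 = 1, 2, 3

# Assumed mapping from authenticator type to the level it can establish.
AUTHENTICATOR_LEVEL = {"password": AAL1, "push": AAL2, "totp": AAL2, "fido2": AAL3}
# Only origin-bound authenticators resist spoofed login pages and push bombing.
PHISHING_RESISTANT = {"fido2"}

SESSION_MAX_AGE = timedelta(hours=8)          # assumed re-authentication horizon
PRIVILEGED_FRESHNESS = timedelta(minutes=15)  # assumed max age of a privileged-grade check


@dataclass
class Session:
    user: str
    device_id: str
    method: str            # authenticator that established this session
    verified_at: datetime

    @property
    def level(self) -> int:
        return AUTHENTICATOR_LEVEL[self.method]


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    privileged: bool       # admin console, delegated-admin action, sensitive transaction
    now: datetime


@dataclass
class Decision:
    action: str                        # "allow" or "step_up"
    required_level: int
    phishing_resistant_required: bool
    reason: str


def required_for(req: AccessRequest) -> Tuple[int, bool]:
    """Assurance the resource needs: privileged access needs AAL3 with a
    phishing-resistant authenticator; routine access needs AAL2 once per session."""
    if req.privileged:
        return AAL3, True
    return AAL2, False


def decide(session: Optional[Session], req: AccessRequest) -> Decision:
    level, pr = required_for(req)

    def step(why: str) -> Decision:
        return Decision("step_up", level, pr, why)

    if session is None or session.user != req.user:
        return step("no established session for this user")
    if session.device_id != req.device_id:
        return step("request from a device the session was not established on")
    age = req.now - session.verified_at
    if age > SESSION_MAX_AGE:
        return step("session older than re-authentication horizon")
    if pr and session.method not in PHISHING_RESISTANT:
        return step("privileged access requires a phishing-resistant authenticator")
    if session.level < level:
        return step(f"session assurance {session.level} below required {level}")
    if pr and age > PRIVILEGED_FRESHNESS:
        return step("privileged-grade verification is stale; re-verify with fido2")
    # Same user, same device, assurance already at or above what the resource
    # needs: repeating the prompt would add fatigue without adding assurance.
    return Decision("allow", level, pr, "assurance already established in session")


if __name__ == "__main__":
    now = datetime(2024, 1, 24, 9, 0)
    push_session = Session("alice", "laptop-1", "push", now - timedelta(minutes=5))
    print(decide(push_session, AccessRequest("alice", "laptop-1", "mail", False, now)))
    print(decide(push_session, AccessRequest("alice", "laptop-1", "admin-console", True, now)))
```

Note the asymmetry the example encodes: a push-approved session is enough for mail and stays silent for the rest of the working day, but it is never enough for the admin console, because a push approval is exactly the factor that prompt bombing defeats.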



NHI Mgmt Group analysis

MFA fatigue is a human identity control failure, not just a usability complaint. Repeated prompts convert authentication from verification into habit formation, and attackers know that habits are easier to manipulate than judgments. In human IAM terms, the control degrades when the user’s attention becomes the weakest security feature in the flow. Practitioners should treat prompt volume, not just factor strength, as part of the control design.

Approval fatigue: the governance concept this article exposes is the point at which repeated challenge events become predictable enough to be socially engineered. That failure mode matters because MFA policy often assumes each challenge is independently evaluated. In reality, users under pressure begin to shortcut decision-making, which means the programme is measuring enforcement volume rather than assurance quality. Practitioners need to recognise that the broken premise is user vigilance at scale.

Phishing-resistant authentication is more relevant when the user experience becomes repetitive. The article shows why attack success rises when identity checks rely on memory, urgency, and button-clicking rather than cryptographic resistance to replay and imitation. That is especially true in environments with high login frequency, contractor turnover, or mixed device access. Practitioners should align authentication method choice with behavioural load, not just policy compliance.

Identity programmes that ignore fatigue create their own shadow vulnerability. When users learn that every prompt looks the same, they stop using the prompt itself as a security signal. That weakens both human identity assurance and any adjacent NHI workflow that depends on the same operator making good access decisions. Practitioners should treat repetitive approvals as a design risk that cuts across human access, delegated admin, and support workflows.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding shows that 97% of NHIs carry excessive privileges, which broadens attack surface even when access appears operationally normal.
  • For a broader governance lens, review the Ultimate Guide to NHIs for visibility, rotation, and offboarding controls that complement human authentication design.

What this signals

Approval fatigue is becoming a governance signal, not just a UX complaint. When users repeatedly approve requests they do not fully inspect, identity teams are seeing a control that is technically present but behaviourally degraded. That is why the design of authentication journeys now matters as much as the factor itself, especially where human approvals feed privileged or delegated access paths.

MFA strategy should be assessed alongside broader identity controls, not in isolation. If human users are already overloaded by repetitive prompts, the same organisation is likely to struggle with review quality, exception handling, and escalation discipline across IAM and access governance.

A programme that reduces prompt fatigue while increasing assurance is usually doing three things well: removing redundant challenges, tightening phishing resistance, and separating routine access from high-risk access. That combination improves both user compliance and the security value of the control.


For practitioners

  • Reduce repetitive approval loops: Cut duplicate MFA prompts where the same session, device, and risk context are already established, and remove unnecessary step-up requests that do not materially improve assurance.
  • Use phishing-resistant methods for high-risk access: Prioritise methods that resist prompt bombing and fake-login interception for privileged users, remote access, and sensitive transactions. Pair them with clear origin cues so users can verify the request source.
  • Measure prompt volume and approval behaviour: Track how often users receive repeated challenges, how quickly they approve them, and which applications generate the most fatigue-driven exceptions. Use that data to redesign the highest-friction flows first.
  • Align UX with assurance levels: Separate low-risk convenience flows from high-risk verification flows so users do not experience every login as equally intrusive. Reserve stronger checks for unusual context, sensitive data, or privileged actions.
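The signals named in the "How can teams tell whether MFA is causing approval fatigue?" answer above and in the "Measure prompt volume and approval behaviour" item, run over MFA prompt logs. This is an added example by the editor, not code from 1Kosmos or NHIMG; the log format, field names and thresholds are assumptions, and the sample lines are constructed. It separates the acute signal (a push-bombing burst, and an approval that follows a run of denials) from the chronic one (an application that prompts the same user many times a day), because the first is an incident and the second is a design backlog item.

```python
"""Approval-fatigue signals from MFA prompt logs.

Added example by the editor, not code from 1Kosmos or NHIMG. The log format,
field names and thresholds are assumptions, and the sample lines below are
constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Prompt:
    ts: datetime
    user: str
    app: str
    device: str
    method: str   # push | totp | fido2
    result: str   # approved | denied | timeout


def parse_log(text):
    """Parse lines of 'ISO-timestamp user app device method result' (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, device, method, result = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Prompt(ts, user, app, device, method, result))
    return sorted(events, key=lambda e: e.ts)


def _by_user(events):
    per = defaultdict(list)
    for e in events:
        per[e.user].append(e)
    return per


def detect_push_bombing(events, window_s=180, threshold=5):
    """Acute signal: >= threshold push prompts to one user inside window_s seconds.
    Non-push methods (totp, fido2) cannot be spammed this way and are ignored."""
    findings = []
    for user, evs in _by_user(events).items():
        pushes = [e for e in evs if e.method == "push"]
        start = 0
        for end, e in enumerate(pushes):
            while (e.ts - pushes[start].ts).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "count": end - start + 1,
                                 "first": pushes[start].ts, "last": e.ts})
                break  # one finding per user is enough for triage
    return findings


def detect_deny_then_approve(events, window_s=600, min_refusals=2):
    """Acute signal: an approval preceded by >= min_refusals denials or timeouts
    within window_s seconds, i.e. the user was worn down rather than convinced."""
    findings = []
    for user, evs in _by_user(events).items():
        refusals = []
        for e in evs:
            if e.result in ("denied", "timeout"):
                refusals.append(e.ts)
            elif e.result == "approved":
                recent = [t for t in refusals if (e.ts - t).total_seconds() <= window_s]
                if len(recent) >= min_refusals:
                    findings.append({"user": user, "app": e.app,
                                     "refusals": len(recent), "approved_at": e.ts})
                refusals = []
    return findings


def prompt_rate_by_app(events, max_per_user_day=6):
    """Chronic signal: (app, user, day) combinations that prompt more often than
    max_per_user_day. These are the flows to redesign first."""
    counts = defaultdict(int)
    for e in events:
        counts[(e.app, e.user, e.ts.date())] += 1
    return {k: n for k, n in counts.items() if n > max_per_user_day}


# Constructed sample: bob is push-bombed on the VPN and finally approves; alice is
# prompted by the ticketing app all day (fatigue) and uses fido2 for the VPN.
SAMPLE_LOG = """\
2024-01-24T08:00:10Z bob vpn iphone-bob push denied
2024-01-24T08:00:40Z bob vpn iphone-bob push denied
2024-01-24T08:01:05Z bob vpn iphone-bob push denied
2024-01-24T08:01:30Z bob vpn iphone-bob push timeout
2024-01-24T08:01:55Z bob vpn iphone-bob push denied
2024-01-24T08:02:20Z bob vpn iphone-bob push approved
2024-01-24T08:05:00Z alice mail laptop-alice push approved
2024-01-24T09:00:00Z alice ticketing laptop-alice push approved
2024-01-24T09:30:00Z alice ticketing laptop-alice push approved
2024-01-24T10:00:00Z alice ticketing laptop-alice push approved
2024-01-24T10:30:00Z alice ticketing laptop-alice push approved
2024-01-24T11:00:00Z alice ticketing laptop-alice push approved
2024-01-24T11:30:00Z alice ticketing laptop-alice push approved
2024-01-24T13:00:00Z alice ticketing laptop-alice push approved
2024-01-24T12:00:00Z alice vpn laptop-alice fido2 approved
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("push bombing:", detect_push_bombing(evs))
    print("deny-then-approve:", detect_deny_then_approve(evs))
    print("high prompt rate:", prompt_rate_by_app(evs))
```

On the sample, bob trips both acute detectors (six pushes in just over two minutes, five refusals before the approval) and should be treated as a probable credential compromise plus prompt bombing; alice trips neither, but the ticketing application shows up as the flow generating the most prompts per user-day, which is the redesign candidate. The thresholds are starting points and should be tuned against a baseline of the organisation's own prompt rates.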

Key takeaways

  • MFA fatigue turns repeated authentication into a behavioural weakness that attackers can exploit through urgency, spoofing, and approval abuse.
  • The evidence points to a control design problem, not a factor problem, because user attention degrades when prompts become routine.
  • Teams should reduce low-value prompts, adopt phishing-resistant methods for risky access, and measure approval behaviour as part of identity governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) provide the authentication, governance and architecture guidance that the controls in this article map to.

Framework                     | Control / Reference                                             | Relevance
NIST SP 800-63                | SP 800-63B (authentication and lifecycle management), authenticator assurance levels and verifier impersonation resistance | MFA fatigue directly affects authenticator choice and phishing resistance.
NIST CSF 2.0                  | PR.AA (Identity Management, Authentication, and Access Control) | Authentication assurance and user verification are central to this article's risk model.
NIST Zero Trust (SP 800-207)  | Section 2.1, tenets of zero trust (dynamic, per-request authentication and authorisation) | Zero Trust requires continuous verification without overburdening users into risky approvals.

Use phishing-resistant authenticators for sensitive access and reduce repetitive challenge exposure.


Key terms

  • MFA Fatigue: A state in which repeated authentication prompts make users less attentive and more likely to approve requests without scrutiny. It is not a vulnerability in the factor itself. It is a behavioural failure mode that attackers exploit through push abuse, urgency, and spoofed login experiences.
  • Phishing-Resistant Authentication: An authentication approach designed to resist credential replay, prompt abuse, and fake login pages. It relies on cryptographic, device-bound methods whose response is tied to the legitimate origin (FIDO2/WebAuthn is the common example), so the user is not the only line of defence against impersonation or approval manipulation.
  • Approval Fatigue: The point at which repeated decisions become routine and lose security value. In identity systems, it appears when users are asked to verify or approve access so often that they begin to treat the prompt as background noise rather than a meaningful control.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: MFA fatigue and the user experience of repeated authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2024-01-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org