Cisco breach lessons and the MFA fatigue gap teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Cisco’s breach analysis shows that stolen credentials, push-notification fatigue, and vishing can still defeat conventional MFA when attackers target the human approval path, according to Axiad. Phishing-resistant authentication and tighter push-app controls remain the practical answer, not more confidence in passwords or basic push prompts.

NHIMG editorial — based on content published by Axiad covering the Cisco data breach: lessons learned from Cisco's account compromise and MFA fatigue attack

By the numbers:

Questions worth separating out

Q: How should security teams reduce MFA fatigue risk in push-based authentication?

A: Security teams should reduce MFA fatigue risk by limiting push enrollment, adding number matching or equivalent challenge friction, and monitoring repeated authentication prompts from the same source.

Q: Why do stolen credentials still matter when MFA is enabled?

A: Stolen credentials still matter because they give attackers a valid starting point inside the identity flow.

Q: What do organisations get wrong about push notification MFA?

A: Organisations often treat push MFA as if user approval were equivalent to strong proof of identity.

Practitioner guidance

  • Shift high-risk accounts to phishing-resistant methods: Use FIDO2 or PIV for administrators, remote access, and any account likely to be targeted with credential theft and social engineering.
  • Tighten push-app registration controls: Restrict where push authenticators can be enrolled, require stronger verification before device registration, and monitor for unusual re-enrollment activity after credential compromise.
  • Train users on MFA fatigue and vishing cues: Use realistic simulations that teach users to reject repeated prompts, challenge unsolicited support calls, and report unexpected authentication requests immediately.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Specific examples of push-notification abuse and how the attack chain unfolded in Cisco's environment
  • Practical guidance on reducing MFA fatigue with stronger registration and enrollment controls
  • Cisco-related lessons on phishing-resistant authentication choices for enterprise identity teams
  • The vendor's implementation perspective on Axiad Cloud and Axiad ID for stronger authentication

👉 Read Axiad's analysis of the Cisco data breach and MFA fatigue lessons →
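
The first answer above recommends monitoring repeated authentication prompts from the same source. The following is an added example, not part of the original post or Axiad's article, showing one way to run that check as a sliding-window count over push events. The event tuple layout, the threshold of 4 prompts, the 10-minute window and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, push_result).
# The tuple layout is an assumption, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "alice", "203.0.113.7", "denied"),
    ("2024-01-10T09:01:10", "alice", "203.0.113.7", "timeout"),
    ("2024-01-10T09:02:30", "alice", "203.0.113.7", "denied"),
    ("2024-01-10T09:03:45", "alice", "203.0.113.7", "denied"),
    ("2024-01-10T09:04:20", "alice", "203.0.113.7", "approved"),
    ("2024-01-10T09:00:00", "bob", "198.51.100.20", "approved"),
    ("2024-01-10T13:30:00", "bob", "198.51.100.20", "approved"),
    # Same prompt count as a burst, but spread over an hour: must not alert.
    ("2024-01-10T10:00:00", "carol", "192.0.2.44", "denied"),
    ("2024-01-10T10:20:00", "carol", "192.0.2.44", "denied"),
    ("2024-01-10T10:40:00", "carol", "192.0.2.44", "denied"),
    ("2024-01-10T11:00:00", "carol", "192.0.2.44", "denied"),
]

def find_push_bursts(events, threshold=4, window=timedelta(minutes=10)):
    """Alert on (user, source) pairs with >= threshold push prompts inside window.

    An approval that arrives while the burst is active is marked, because a
    user giving in after repeated prompts is the case to triage first.
    """
    recent = defaultdict(deque)   # (user, source) -> prompt times still in window
    alerts = {}
    for ts, user, src, result in sorted(events):   # ISO timestamps sort in time order
        now = datetime.fromisoformat(ts)
        prompts = recent[(user, src)]
        prompts.append(now)
        while now - prompts[0] > window:           # drop prompts older than the window
            prompts.popleft()
        if len(prompts) >= threshold:
            alert = alerts.setdefault((user, src), {
                "user": user, "source": src,
                "prompts": 0, "approved_in_burst": False})
            alert["prompts"] = max(alert["prompts"], len(prompts))
            if result == "approved":
                alert["approved_in_burst"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_push_bursts(SAMPLE_EVENTS):
        print(alert)
```
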

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Push-based MFA is a control, not an identity boundary. The Cisco breach shows that approval-based authentication can be socially engineered even when it is technically functioning as designed. When the user becomes the final security decision point, the control inherits human fatigue, confusion, and trust errors. Practitioners should treat push MFA as a risk reducer, not a terminus for identity assurance.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly exposure can become repeat compromise.

A question worth separating out:

Q: Who is accountable when vishing leads to account compromise?

A: Accountability sits with the organisation that designed the authentication and recovery model, not with the user alone. Security leaders, IAM owners, and help-desk operations all share responsibility for registration checks, reset flows, and access verification rules that can either absorb or amplify social engineering.

👉 Read our full editorial: Cisco breach lessons show MFA fatigue remains an identity risk



   