TL;DR: MFA fatigue turns repeated prompts into a security weakness, and prompt bombing can pressure users into approving unauthorized access, according to GlobalSign’s analysis. The underlying issue is that authentication designs still assume users can sustain constant vigilance, which is no longer a safe governance assumption.
NHIMG editorial — based on content published by GlobalSign: MFA fatigue and the case for smarter authentication
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams reduce MFA fatigue without weakening access security?
A: Use adaptive authentication so users are challenged only when risk changes, not on every login.
Q: Why does prompt bombing work against MFA users?
A: Prompt bombing works because repeated requests create fatigue, and fatigue pushes users toward approval without careful review.
Q: What do organisations get wrong about push-based MFA?
A: They often treat push MFA as a fixed safeguard rather than a control that depends on user behaviour and prompt quality.
Practitioner guidance
- Reduce routine MFA prompt volume Review where users receive repeated, low-value prompts and collapse those flows into fewer, risk-based challenges.
- Add prompt-bombing resistance Enable number matching, request throttling, and device context so repeated approval prompts cannot be treated as harmless background activity.
- Tune conditional access around real context Use device trust, location, session history, and behavioural signals to decide when MFA should interrupt the user.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- How to tune MFA prompts so routine logins do not create unnecessary fatigue.
- Examples of adaptive authentication and contextual challenge patterns for everyday user access.
- Discussion of user experience, change management, and security culture around MFA adoption.
- The article's practical framing of why simple awareness campaigns do not fix structural prompt overload.
👉 Read GlobalSign's analysis of MFA fatigue and adaptive authentication →
MFA fatigue and prompt bombing: are your controls keeping up?
Explore further
MFA fatigue is a human identity failure, not a user discipline problem. Repeated prompts turn authentication into background noise, and that changes the control outcome even when the technology itself is functioning as designed. The governance lesson is that IAM cannot assume constant human attention as a durable control condition. Practitioners should treat authentication friction as a measurable security variable, not a UX footnote.
A few things that frame the scale:
- 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which shows how often identity governance breaks after access is granted.
A question worth separating out:
Q: Who is accountable when users approve malicious MFA prompts?
A: Accountability sits with the organisation’s identity governance and access design, not just with the end user. If the control model makes false approvals likely, the programme has failed to manage authentication risk properly. Teams should review policy design, alert fatigue, and challenge frequency as part of access governance.
👉 Read our full editorial: MFA fatigue exposes a usability gap in human identity security