TL;DR: MFA fatigue attacks exploit push notification overload to trick users into approving access, and Expel reports that 80% of successful business account compromise attacks occurred on accounts already protected by MFA. The lesson is that authentication design must assume user manipulation, not just credential theft.
NHIMG editorial — based on content published by Axiad: The Growing Problem with MFA Fatigue Attacks (And What You Can Do About It)
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams reduce the risk of MFA fatigue attacks?
A: They should limit push-based approvals for high-risk access, use phishing-resistant authenticators, and suppress repeated prompts that create user fatigue.
Q: Why do MFA fatigue attacks still work when MFA is already deployed?
A: They work because MFA often assumes a legitimate user will distinguish a real prompt from an attacker-generated one.
Q: What breaks when organisations rely on push notifications for sensitive access?
A: The trust model breaks.
Practitioner guidance
- Reduce push prompt dependence for sensitive access: prioritise phishing-resistant authenticators for users who access admin consoles, finance systems, customer data, or privileged workflows.
- Limit repeated MFA attempts and trigger risk review: set thresholds for repeated MFA requests, unusual geolocation changes, and new-device enrolment so the system can suppress noise and escalate suspicious patterns for review instead of continuing to prompt.
- Add step-up checks at sensitive application boundaries: require additional verification when users move from normal login into applications that hold sensitive data or elevated privileges, especially if the session origin, location, or device posture changes.
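The threshold-and-suppress policy described in the guidance above, as an added example that is not code from Axiad or NHIMG: it scores each push prompt against a sliding window of recent prompts, repeated denials or timeouts, and a new device or country relative to the user's earlier history, and stops prompting (routing the user to review) once the score crosses a threshold. The log layout, field names, thresholds and weights are assumptions chosen for illustration.

```python
# Added example (not Axiad's or NHIMG's code); log layout, thresholds and weights are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=10)          # assumed sliding window for counting prompts
MAX_PROMPTS, MAX_NON_APPROVALS = 3, 2   # assumed per-window thresholds
WEIGHTS = {"prompt_burst": 3, "repeated_non_approvals": 2, "new_device": 1, "new_country": 1}
ESCALATE_AT = 3                         # assumed score at which prompting stops
# Constructed sample log: timestamp|user|origin_device|country|prompt_result
SAMPLE_LOG = """\
2024-05-01T09:00:00|alice|laptop-1|GB|approve
2024-05-01T09:20:00|alice|web-unknown|US|deny
2024-05-01T09:20:30|alice|web-unknown|US|timeout
2024-05-01T09:21:30|alice|web-unknown|US|approve
2024-05-01T08:30:00|bob|phone-7|GB|approve
2024-05-01T12:15:00|bob|phone-7|GB|approve""".splitlines()

def parse(line):
    ts, user, device, country, result = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "device": device, "country": country, "result": result}

def evaluate(lines):
    """Per user: 'allow', or 'suppress' from the first prompt whose risk score reaches
    ESCALATE_AT; prompts after that point are counted as suppressed rather than sent."""
    by_user = defaultdict(list)
    for ev in map(parse, lines):
        by_user[ev["user"]].append(ev)
    out = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        out[user] = {"action": "allow", "reasons": [], "suppressed": 0}
        start = 0
        for i, ev in enumerate(evs):
            while evs[start]["ts"] < ev["ts"] - WINDOW:       # slide the window forward
                start += 1
            window, history = evs[start:i + 1], evs[:start]   # current burst vs. prior baseline
            reasons = set()
            if len(window) > MAX_PROMPTS:
                reasons.add("prompt_burst")
            if sum(e["result"] != "approve" for e in window) >= MAX_NON_APPROVALS:
                reasons.add("repeated_non_approvals")
            if history and ev["device"] not in {e["device"] for e in history}:
                reasons.add("new_device")
            if history and ev["country"] not in {e["country"] for e in history}:
                reasons.add("new_country")
            if sum(WEIGHTS[r] for r in reasons) >= ESCALATE_AT:
                out[user] = {"action": "suppress", "reasons": sorted(reasons),
                             "escalated_at": ev["ts"].isoformat(), "suppressed": len(evs) - i - 1}
                break
    return out
```

In the constructed log, alice's burst from an unseen device and country is cut off at the second non-approval, so the later approval is never delivered to her phone; bob's two widely spaced approvals from his usual device pass unchanged.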
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical examples of push fatigue attack flow from credential theft to account approval.
- Recommended MFA policy changes for repeated prompts, new-device enrolment, and location changes.
- Guidance on phishing-resistant authenticators and passwordless approaches for sensitive access.
- Examples of stronger authentication checks at application boundaries rather than only at login.
👉 Read Axiad's analysis of MFA fatigue attacks and stronger authentication controls →
MFA fatigue attacks: are push prompts still safe enough?
Explore further
Push-based MFA is a human behaviour control, not a reliable assurance control. MFA fatigue attacks succeed because attackers are not defeating cryptography first. They are exploiting approval habits, notification overload, and the assumption that a user tap equals intent. For IAM programmes, that means the control is only as strong as the human response pattern behind it. Practitioners should treat repeated push approval as a governance weakness, not a user inconvenience.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes are still operating with partial control-plane awareness.
A question worth separating out:
Q: Should organisations replace MFA or improve it with stronger factors?
A: They should improve it with stronger factors rather than abandon it. Passwordless methods and public key-based authenticators reduce credential theft and prompt fatigue exposure, while step-up controls keep the strongest checks for the highest-risk actions instead of forcing them on every login.
👉 Read our full editorial: MFA fatigue attacks expose the limits of push-based authentication