TL;DR: MFA fatigue attacks exploit repeated push prompts, stolen credentials, and user annoyance to turn multi-factor authentication into a weak approval gate, with the source article outlining number matching, adaptive checks, phishing-resistant MFA, and monitoring controls. The real lesson is that human approval is not a reliable security boundary when attackers can force the decision loop.
NHIMG editorial — based on content published by WorkOS: Understanding MFA fatigue attacks: how they work and how to defend against them
Questions worth separating out
Q: How should security teams stop MFA fatigue attacks?
A: Security teams should combine stronger authentication with behavioural controls.
Q: Why do MFA fatigue attacks still work in mature IAM programmes?
A: They work because many programmes assume a user will reliably reject suspicious prompts.
Q: What signals show that an MFA fatigue attack is underway?
A: Look for repeated MFA requests in a short period, a long series of denials, and then one unexpected approval.
Practitioner guidance
- Replace blind approvals with number matching: require the user to confirm a code shown on the login screen so a prompt alone cannot be approved reflexively.
- Rate-limit repeated MFA prompts: set thresholds for prompt bursts, repeated failures, and rapid re-challenges.
- Correlate prompt storms with identity logs: join IdP events, SIEM telemetry, and user context so analysts can see failed logins, denials, and eventual approvals in one sequence.
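The detection signal described in the Q&A above (a burst of prompts, a run of denials, then one unexpected approval) and the rate-limiting and correlation guidance in the list translate directly into two small rules over identity-provider events. The script below is an added example, not code from the WorkOS article or from NHIMG: the log line format, the action names (mfa_push_sent, mfa_denied, mfa_approved), the user names and every threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
"""Detection and throttling sketch for MFA push-fatigue (prompt-storm) patterns.

Added example, not code from the WorkOS article or the NHIMG post. The log line
format, the action names (mfa_push_sent / mfa_denied / mfa_approved) and every
threshold below are assumptions chosen for illustration; map them onto your own
identity provider's event schema before using the logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events in a hypothetical "<ISO-8601 UTC> <user> <action>" format.
# alice is hit by a prompt storm she denies five times before approving once;
# bob is a normal single-prompt login that must not raise an alert.
SAMPLE_LOG = [
    "2024-01-15T09:00:01Z alice mfa_push_sent",
    "2024-01-15T09:00:09Z alice mfa_denied",
    "2024-01-15T09:00:31Z alice mfa_push_sent",
    "2024-01-15T09:00:40Z alice mfa_denied",
    "2024-01-15T09:01:02Z alice mfa_push_sent",
    "2024-01-15T09:01:11Z alice mfa_denied",
    "2024-01-15T09:01:35Z alice mfa_push_sent",
    "2024-01-15T09:01:44Z alice mfa_denied",
    "2024-01-15T09:02:10Z alice mfa_push_sent",
    "2024-01-15T09:02:18Z alice mfa_denied",
    "2024-01-15T09:02:45Z alice mfa_push_sent",
    "2024-01-15T09:03:01Z alice mfa_approved",
    "2024-01-15T09:03:05Z bob mfa_push_sent",
    "2024-01-15T09:03:12Z bob mfa_approved",
]


def parse_events(lines):
    """Parse '<timestamp> <user> <action>' lines into dicts sorted by time."""
    events = []
    for line in lines:
        ts, user, action = line.split()
        # fromisoformat accepts '+00:00' on every supported Python; a bare 'Z' only on 3.11+.
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def should_throttle(events, user, now, max_prompts=3, window=timedelta(minutes=5)):
    """Rate-limit rule: refuse to send another push when the user has already
    received `max_prompts` pushes inside the trailing `window` ending at `now`."""
    recent = [e for e in events
              if e["user"] == user and e["action"] == "mfa_push_sent"
              and now - window < e["ts"] <= now]
    return len(recent) >= max_prompts


def detect_prompt_storms(events, window=timedelta(minutes=10), min_prompts=4, min_denials=2):
    """Correlation rule: for every approval, look back `window` and flag it when it
    was preceded by a burst of pushes and a run of denials for the same user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, history in by_user.items():
        for approval in (e for e in history if e["action"] == "mfa_approved"):
            start = approval["ts"] - window
            prior = [e for e in history if start <= e["ts"] < approval["ts"]]
            pushes = sum(e["action"] == "mfa_push_sent" for e in prior)
            denials = sum(e["action"] == "mfa_denied" for e in prior)
            if pushes >= min_prompts and denials >= min_denials:
                alerts.append({"user": user, "approved_at": approval["ts"],
                               "pushes": pushes, "denials": denials})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_prompt_storms(evs):
        print(f"ALERT {a['user']}: {a['pushes']} pushes, {a['denials']} denials, "
              f"then approved at {a['approved_at']:%H:%M:%S}")
```

The throttle check is the preventive half (it would block alice's fourth push within five minutes while leaving bob's single prompt alone); the storm detector is the analyst-facing half and only fires once the sequence ends in an approval, which is the event that actually needs a response. Tuning the thresholds per tenant, and joining the alert with the preceding failed-password events from the same IdP, is where the correlation guidance above comes in.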
What's in the full article
WorkOS' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on configuring number matching and adaptive MFA policies across common identity providers
- Examples of detection rules for prompt storms, repeated denials, and unusual approval timing
- Practical comparison of push-based MFA, hardware keys, and passkeys for reducing fatigue-driven approvals
- Tooling guidance for correlating IdP logs with SIEM and user behaviour analytics
Read WorkOS' article on understanding MFA fatigue attacks and defences.