TL;DR: MFA fatigue attacks exploit repeated push prompts, stolen credentials, and user annoyance to turn multi-factor authentication into a weak approval gate, with the source article outlining number matching, adaptive checks, phishing-resistant MFA, and monitoring controls. The real lesson is that human approval is not a reliable security boundary when attackers can force the decision loop.
NHIMG editorial — based on content published by WorkOS: Understanding MFA fatigue attacks: how they work and how to defend against them
Questions worth separating out
Q: How should security teams stop MFA fatigue attacks?
A: Security teams should combine stronger authentication with behavioural controls.
Q: Why do MFA fatigue attacks still work in mature IAM programmes?
A: They work because many programmes assume a user will reliably reject suspicious prompts.
Q: What signals show that an MFA fatigue attack is underway?
A: Look for repeated MFA requests in a short period, a long series of denials, and then one unexpected approval.
Practitioner guidance
- Replace blind approvals with number matching: require the user to confirm a code shown on the login screen so a prompt alone cannot be approved reflexively.
- Rate-limit repeated MFA prompts: set thresholds for prompt bursts, repeated failures, and rapid re-challenges.
- Correlate prompt storms with identity logs: join IdP events, SIEM telemetry, and user context so analysts can see failed logins, denials, and eventual approvals in one sequence.
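The three signals listed earlier (a burst of prompts in a short period, a run of denials, then one unexpected approval) and the rate-limiting and correlation guidance above can be turned into concrete detection and throttling logic. The following is an added example written for this post; it is not code from WorkOS or NHIMG, and it makes these assumptions: IdP events have already been normalised into dicts with `ts` (epoch seconds), `user`, `event` and `ip`; the event names `mfa.push.sent`, `mfa.push.denied` and `mfa.push.approved` are hypothetical and not any vendor's schema; and the sample log is constructed so that one user receives a prompt storm ending in an approval while another has a normal login.

```python
from collections import defaultdict, deque

# Hypothetical event names; real IdPs use their own schemas.
PUSH_SENT = "mfa.push.sent"
PUSH_DENIED = "mfa.push.denied"
PUSH_APPROVED = "mfa.push.approved"

# Constructed sample log: bob logs in normally, alice is hammered with pushes,
# denies four of them, and then approves the fifth.
SAMPLE_EVENTS = [
    {"ts": 0,   "user": "bob",   "event": PUSH_SENT,     "ip": "198.51.100.10"},
    {"ts": 4,   "user": "bob",   "event": PUSH_APPROVED, "ip": "198.51.100.10"},
    {"ts": 100, "user": "alice", "event": PUSH_SENT,     "ip": "203.0.113.7"},
    {"ts": 105, "user": "alice", "event": PUSH_DENIED,   "ip": "203.0.113.7"},
    {"ts": 130, "user": "alice", "event": PUSH_SENT,     "ip": "203.0.113.7"},
    {"ts": 134, "user": "alice", "event": PUSH_DENIED,   "ip": "203.0.113.7"},
    {"ts": 160, "user": "alice", "event": PUSH_SENT,     "ip": "203.0.113.7"},
    {"ts": 163, "user": "alice", "event": PUSH_DENIED,   "ip": "203.0.113.7"},
    {"ts": 190, "user": "alice", "event": PUSH_SENT,     "ip": "203.0.113.7"},
    {"ts": 195, "user": "alice", "event": PUSH_DENIED,   "ip": "203.0.113.7"},
    {"ts": 220, "user": "alice", "event": PUSH_SENT,     "ip": "203.0.113.7"},
    {"ts": 228, "user": "alice", "event": PUSH_APPROVED, "ip": "203.0.113.7"},
]


def detect_prompt_storms(events, window_s=300, max_prompts=4):
    """Signal 1: more than max_prompts pushes to one user inside a sliding
    window_s-second window. Returns {user: ts of the prompt that tripped it}."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != PUSH_SENT:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) > max_prompts and ev["user"] not in flagged:
            flagged[ev["user"]] = ev["ts"]
    return flagged


def detect_deny_then_approve(events, min_denials=3, window_s=900):
    """Signals 2 and 3: a run of at least min_denials denials followed by an
    approval within window_s seconds. Returns [(user, approval_ts, denials)]."""
    denials = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        q = denials[user]
        while q and ts - q[0] > window_s:
            q.popleft()
        if kind == PUSH_DENIED:
            q.append(ts)
        elif kind == PUSH_APPROVED:
            if len(q) >= min_denials:
                alerts.append((user, ts, len(q)))
            q.clear()  # an approval ends the current run of denials
    return alerts


class PushRateLimiter:
    """Throttle on the IdP side: at most max_prompts pushes per user per
    window_s, plus a cooldown once the user denies max_denials in a row."""

    def __init__(self, window_s=300, max_prompts=3, max_denials=2, cooldown_s=900):
        self.window_s, self.max_prompts = window_s, max_prompts
        self.max_denials, self.cooldown_s = max_denials, cooldown_s
        self.sent = defaultdict(deque)
        self.consecutive_denials = defaultdict(int)
        self.blocked_until = defaultdict(int)

    def allow_prompt(self, user, ts):
        """True if a push may be sent now; False if it should be suppressed."""
        if ts < self.blocked_until[user]:
            return False
        q = self.sent[user]
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False
        q.append(ts)
        return True

    def record_response(self, user, ts, approved):
        """Feed the user's answer back; repeated denials start a cooldown."""
        if approved:
            self.consecutive_denials[user] = 0
            return
        self.consecutive_denials[user] += 1
        if self.consecutive_denials[user] >= self.max_denials:
            self.blocked_until[user] = ts + self.cooldown_s
            self.consecutive_denials[user] = 0


def replay(events, limiter):
    """Replay a log through the limiter; return how many pushes it would have
    suppressed (responses to suppressed pushes are skipped, they never happen)."""
    suppressed, pending_suppressed = 0, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        if kind == PUSH_SENT:
            if limiter.allow_prompt(user, ts):
                pending_suppressed.discard(user)
            else:
                suppressed += 1
                pending_suppressed.add(user)
        elif kind in (PUSH_DENIED, PUSH_APPROVED) and user not in pending_suppressed:
            limiter.record_response(user, ts, kind == PUSH_APPROVED)
    return suppressed


if __name__ == "__main__":
    print("prompt storms:", detect_prompt_storms(SAMPLE_EVENTS))
    print("deny-then-approve:", detect_deny_then_approve(SAMPLE_EVENTS))
    print("pushes suppressed by limiter:", replay(SAMPLE_EVENTS, PushRateLimiter()))
```

On the constructed log, the storm detector flags alice at the fifth push, the deny-then-approve rule raises one alert for her approval after four denials, and the limiter would have suppressed the last three pushes after her second consecutive denial. The two detectors are deliberately separate: a burst of prompts with no approval is still worth a ticket (credentials are probably already stolen), while denials followed by an approval is the condition that should page someone, because at that point a session may already be live. The thresholds are starting points to tune against your own IdP's baseline, not recommended values.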
What's in the full article
WorkOS' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on configuring number matching and adaptive MFA policies across common identity providers
- Examples of detection rules for prompt storms, repeated denials, and unusual approval timing
- Practical comparison of push-based MFA, hardware keys, and passkeys for reducing fatigue-driven approvals
- Tooling guidance for correlating IdP logs with SIEM and user behaviour analytics
👉 Read WorkOS' article on understanding MFA fatigue attacks and defences →
MFA fatigue attacks: are your approval controls keeping up?
Explore further
Human approval is not a dependable control boundary when attackers can turn login attempts into a harassment loop. MFA fatigue works because the defence assumes the user will act as a rational verifier at the moment of challenge. That assumption collapses when the attacker controls prompt volume, timing, and pressure. The implication is that approval-based MFA should be treated as a fragile trust signal, not as proof of strong identity assurance.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: What should organisations do when repeated MFA prompts appear on an account?
A: Treat the event as potential compromise, not normal friction. Suspend the prompt loop, verify the user through a stronger channel, review recent password activity, and check for lateral movement from the account. Fast containment matters because the approved session may already be active.
👉 Read our full editorial: MFA fatigue attacks expose the limits of human approval checks