
MFA fatigue attacks: are your authentication controls wearing users down?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7524
Topic starter  

TL;DR: MFA fatigue turns repetitive authentication prompts into an attack path by conditioning users to approve requests, reuse passwords, or trust spoofed login flows, according to 1Kosmos. The real issue is not user inconvenience alone but control design that assumes human vigilance will hold under repeated challenge pressure.

NHIMG editorial — based on content published by 1Kosmos: MFA fatigue and the user experience of repeated authentication

By the numbers:

Questions worth separating out

Q: How should security teams reduce MFA fatigue without weakening authentication?

A: Security teams should reduce unnecessary repeat prompts, use risk-based step-up only where it changes the assurance level, and reserve stronger verification for privileged or unusual access.

Q: Why do repeated MFA prompts increase the risk of account compromise?

A: Repeated prompts increase risk because they condition users to respond automatically, especially when paired with urgency or familiar login screens.

Q: What do organisations get wrong about MFA and user behaviour?

A: Many organisations assume users will always treat an MFA prompt as a meaningful security event.

Practitioner guidance

  • Reduce repetitive approval loops: cut duplicate MFA prompts where the same session, device, and risk context are already established, and remove unnecessary step-up requests that do not materially improve assurance.
  • Use phishing-resistant methods for high-risk access: prioritise methods that resist prompt bombing and fake-login interception for privileged users, remote access, and sensitive transactions.
  • Measure prompt volume and approval behaviour: track how often users receive repeated challenges, how quickly they approve them, and which applications generate the most fatigue-driven exceptions.
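The first and third points above can be turned into something measurable. The following is an added example, not code from 1Kosmos or NHIMG: it parses a constructed push-MFA event log, computes per-user prompt volume and approval latency, flags the burst-then-approve pattern of a prompt-bombing run, and applies a simple "re-challenge only when it raises assurance" rule. The log format, the field names (`device=`, `ip=`), the event names, the thresholds and the function names are all assumptions chosen for illustration, not any IdP's real schema.

```python
"""Added example: MFA prompt-volume metrics, prompt-bombing flagging, and a
step-up decision rule. Log lines, field names and thresholds are constructed
for illustration and are not taken from 1Kosmos or any specific IdP."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# Constructed sample log: "alice" is hammered with pushes, rejects four and then
# approves one within seconds; "bob" gets a single push and approves normally.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice push_sent device=phone-1 ip=203.0.113.9
2024-05-01T08:00:20Z alice denied device=phone-1 ip=203.0.113.9
2024-05-01T08:00:40Z alice push_sent device=phone-1 ip=203.0.113.9
2024-05-01T08:01:40Z alice timeout device=phone-1 ip=203.0.113.9
2024-05-01T08:01:45Z alice push_sent device=phone-1 ip=203.0.113.9
2024-05-01T08:01:55Z alice denied device=phone-1 ip=203.0.113.9
2024-05-01T08:02:10Z alice push_sent device=phone-1 ip=203.0.113.9
2024-05-01T08:03:10Z alice timeout device=phone-1 ip=203.0.113.9
2024-05-01T08:03:20Z alice push_sent device=phone-1 ip=203.0.113.9
2024-05-01T08:03:23Z alice approved device=phone-1 ip=203.0.113.9
2024-05-01T08:05:00Z bob push_sent device=phone-7 ip=198.51.100.4
2024-05-01T08:05:12Z bob approved device=phone-7 ip=198.51.100.4
"""


def parse_log(text):
    """Parse 'ts user event key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, *kv = line.split()
        attrs = dict(item.split("=", 1) for item in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "event": event,
            "device": attrs.get("device"), "ip": attrs.get("ip"),
        })
    return sorted(events, key=lambda e: e["ts"])


def prompt_metrics(events, window=timedelta(minutes=10)):
    """Per-user counts, peak pushes in any sliding window, and approval latency."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    out = {}
    for user, evs in by_user.items():
        counts = {"push_sent": 0, "approved": 0, "denied": 0, "timeout": 0}
        latencies, last_push = [], None
        for e in evs:
            counts[e["event"]] = counts.get(e["event"], 0) + 1
            if e["event"] == "push_sent":
                last_push = e["ts"]
            elif e["event"] == "approved" and last_push is not None:
                # seconds between the most recent push and the user's approval
                latencies.append((e["ts"] - last_push).total_seconds())
        pushes = [e["ts"] for e in evs if e["event"] == "push_sent"]
        peak = max((sum(1 for u in pushes[i:] if u - t <= window)
                    for i, t in enumerate(pushes)), default=0)
        out[user] = {**counts, "peak_pushes_in_window": peak,
                     "mean_approval_latency_s": mean(latencies) if latencies else None}
    return out


def flag_prompt_bombing(metrics, max_pushes=4, fast_approval_s=5):
    """Flag users who saw a burst of pushes, rejected several, then approved."""
    flagged = {}
    for user, m in metrics.items():
        rejected = m["denied"] + m["timeout"]
        if m["peak_pushes_in_window"] >= max_pushes and rejected >= 2 and m["approved"] > 0:
            reasons = [f"{m['peak_pushes_in_window']} pushes in window",
                       f"{rejected} rejections before an approval"]
            lat = m["mean_approval_latency_s"]
            if lat is not None and lat <= fast_approval_s:
                reasons.append(f"approval latency {lat:.1f}s")
            flagged[user] = reasons
    return flagged


def should_step_up(last_strong_auth, now, same_device, risk_changed,
                   max_age=timedelta(hours=8)):
    """Re-challenge only when it raises assurance: new device, changed risk,
    or a strong authentication older than max_age. Otherwise the prompt is
    just another approval loop."""
    if not same_device or risk_changed:
        return True
    return last_strong_auth is None or now - last_strong_auth > max_age


if __name__ == "__main__":
    m = prompt_metrics(parse_log(SAMPLE_LOG))
    for user, stats in m.items():
        print(user, stats)
    print("flagged:", flag_prompt_bombing(m))
```

In production the same logic would run over the IdP's own event export, and the thresholds should come from the measured baseline rather than the constants used here; the point is that "how many prompts, how many rejections, how fast the approval" is enough signal to separate a fatigue-driven approval from a normal one.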

What's in the full article

1Kosmos's full article covers the practical authentication and UX detail this post intentionally leaves for the source:

  • Detailed discussion of biometrics, adaptive authentication, and identity proofing as fatigue reducers.
  • The article's own explanation of how user experience design can lower prompt overload without removing security.
  • Specific vendor capabilities, including LiveID, FaceID, and government-issued ID workflows, that are not analysed here.
  • The certification and integration claims the vendor uses to position its platform in existing identity stacks.

👉 Read 1Kosmos's analysis of MFA fatigue and user authentication risk →
