
MFA fatigue attacks: are your push prompts training users to approve?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: MFA fatigue attacks exploit repeated push prompts, stolen credentials, and help desk social engineering to turn one approval into full account compromise, with real-world breaches at Uber, Cisco, and MGM Resorts showing the pattern repeatedly, according to 1Kosmos. Push-based MFA stops looking resilient once attackers can convert user exhaustion into authentication success.

NHIMG editorial — based on content published by 1Kosmos: MFA fatigue attacks and phishing-resistant MFA

Questions worth separating out

Q: What breaks when organisations rely on push-based MFA for high-risk access?

A: Push-based MFA breaks when the approval step becomes routine instead of deliberate.

Q: Why do MFA fatigue attacks work so well in modern IAM programmes?

A: They work because many IAM programmes still treat user approval as a reliable trust signal.

Q: How do security teams know if MFA fatigue is affecting their environment?

A: Look for bursts of challenges against the same account, runs of denied prompts, prompts at unusual hours, and an approval or follow-on login from a location or device the user has never used before.

Practitioner guidance

  • Replace push-only MFA for sensitive access: move privileged users, contractors, and remote access paths to phishing-resistant authentication such as passkeys or hardware security keys.
  • Rate-limit repeated MFA prompts: set hard limits on challenge frequency, alert on bursts, and require step-up verification or lock the account after repeated denials.
  • Add context to every authentication prompt: display the application name, geolocation, device details, and request origin in the prompt so users can spot abnormal sign-in behaviour.
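The detection signals in the Q&A above and the rate-limiting guidance in the list are easier to reason about in code. The following is an added example written for this post, not code from 1Kosmos or NHIMG: it runs two detectors over a constructed push-authentication log (a fatigue attack against "alice", normal use by "bob") and then shows a server-side limiter that caps prompts per window, demands step-up after repeated denials, and locks after more. The log schema, event names, IP baseline and all thresholds are assumptions, not any particular IdP's format or defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, user, event, client_ip). Event names and
# fields are assumptions, not a specific identity provider's schema.
SAMPLE_LOG = [
    # attacker holds alice's password and hammers push from an unknown IP at 02:10
    ("2024-05-01T02:10:00", "alice", "push_sent",     "203.0.113.7"),
    ("2024-05-01T02:10:06", "alice", "push_denied",   "203.0.113.7"),
    ("2024-05-01T02:11:00", "alice", "push_sent",     "203.0.113.7"),
    ("2024-05-01T02:11:09", "alice", "push_denied",   "203.0.113.7"),
    ("2024-05-01T02:12:00", "alice", "push_sent",     "203.0.113.7"),
    ("2024-05-01T02:12:04", "alice", "push_denied",   "203.0.113.7"),
    ("2024-05-01T02:13:00", "alice", "push_sent",     "203.0.113.7"),
    ("2024-05-01T02:13:20", "alice", "push_approved", "203.0.113.7"),  # user gives in
    # bob: one prompt, approved from his usual office IP during working hours
    ("2024-05-01T09:00:00", "bob",   "push_sent",     "198.51.100.2"),
    ("2024-05-01T09:00:05", "bob",   "push_approved", "198.51.100.2"),
]
# Constructed flood with no user response at all: five pushes in 40 seconds.
FLOOD_LOG = [("2024-05-01T03:00:%02d" % (10 * i), "carol", "push_sent", "203.0.113.9")
             for i in range(5)]
# Constructed baseline: IPs each user has previously authenticated from.
KNOWN_IPS = {"alice": {"198.51.100.9"}, "bob": {"198.51.100.2"}}


def _ts(s):
    return datetime.fromisoformat(s)


def find_prompt_bursts(log, max_prompts=3, window=timedelta(minutes=10)):
    """Alert when one user receives more than max_prompts pushes inside window.
    Sliding window per user; one alert per burst (the window is cleared on fire)."""
    recent, alerts = defaultdict(deque), []
    for ts, user, event, ip in log:
        if event != "push_sent":
            continue
        t, q = _ts(ts), recent[user]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_prompts:
            alerts.append({"user": user, "prompts": len(q), "at": ts, "ip": ip})
            q.clear()
    return alerts


def find_fatigue_approvals(log, known_ips, min_denials=2, quiet_hours=(0, 6)):
    """Alert on an approval that follows a run of denials and comes from an IP
    the user has never authenticated from; note whether it was in quiet hours."""
    denials, alerts = defaultdict(int), []
    for ts, user, event, ip in log:
        if event == "push_denied":
            denials[user] += 1
        elif event == "push_approved":
            hour = _ts(ts).hour
            if denials[user] >= min_denials and ip not in known_ips.get(user, set()):
                alerts.append({"user": user, "denials_before": denials[user], "ip": ip,
                               "off_hours": quiet_hours[0] <= hour < quiet_hours[1]})
            denials[user] = 0  # an approval (legitimate or not) ends the run
    return alerts


class PushRateLimiter:
    """Server-side gate for issuing pushes: caps prompts per window, refuses
    plain push after repeated denials (step-up instead), locks after more."""

    def __init__(self, max_prompts=3, window=timedelta(minutes=10),
                 step_up_after=2, lock_after=4):
        self.max_prompts, self.window = max_prompts, window
        self.step_up_after, self.lock_after = step_up_after, lock_after
        self.sent, self.denials, self.locked = defaultdict(deque), defaultdict(int), set()

    def request_push(self, user, now):
        if user in self.locked:
            return "locked"
        if self.denials[user] >= self.step_up_after:
            return "step_up"  # e.g. number matching or a hardware key, not another push
        q = self.sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return "rate_limited"
        q.append(now)
        return "allow"

    def record_result(self, user, approved):
        self.denials[user] = 0 if approved else self.denials[user] + 1
        if self.denials[user] >= self.lock_after:
            self.locked.add(user)


def simulate_limiter(log):
    """Replay a log through the limiter and return (user, decision) per push
    request. Denials/approvals from the log are fed back as they occurred, so
    the output shows where the limiter would have intervened."""
    limiter, decisions = PushRateLimiter(), []
    for ts, user, event, ip in log:
        if event == "push_sent":
            decisions.append((user, limiter.request_push(user, _ts(ts))))
        elif event in ("push_denied", "push_approved"):
            limiter.record_result(user, event == "push_approved")
    return decisions


if __name__ == "__main__":
    print(find_prompt_bursts(SAMPLE_LOG))
    print(find_fatigue_approvals(SAMPLE_LOG, KNOWN_IPS))
    print(simulate_limiter(SAMPLE_LOG))
    print(simulate_limiter(FLOOD_LOG))
```

The two detectors are deliberately independent: the burst detector needs only push-sent events and catches the flood even if the user never responds, while the approval detector is what turns "the user finally said yes" into an incident rather than a successful login. The limiter shows the two controls from the guidance above in one place: the per-window cap stops the flood at the source, and the denial counter converts repeated "no" answers into a step-up requirement so that a fourth prompt is never sent as a plain approve/deny.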

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of prompt abuse patterns and how attackers combine them with social engineering.
  • A practical breakdown of the MFA methods most vulnerable to fatigue and the ones that resist it.
  • Control ideas for rate limiting, account locking, and contextual push notifications.
  • Why passwordless and cryptographic verification remove the approval step attackers rely on.

👉 Read 1Kosmos' analysis of MFA fatigue attacks and phishing-resistant MFA →
