Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

MFA fatigue attacks: are your push prompts training users to approve?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: MFA fatigue attacks exploit repeated push prompts, stolen credentials, and help desk social engineering to turn one approval into full account compromise, with real-world breaches at Uber, Cisco, and MGM Resorts showing the pattern repeatedly, according to 1Kosmos. Push-based MFA stops looking resilient once attackers can convert user exhaustion into authentication success.

NHIMG editorial — based on content published by 1Kosmos: MFA fatigue attacks and phishing-resistant MFA

By the numbers:

Questions worth separating out

Q: What breaks when organisations rely on push-based MFA for high-risk access?

A: Push-based MFA breaks when the approval step becomes routine instead of deliberate.

Q: Why do MFA fatigue attacks work so well in modern IAM programmes?

A: They work because many IAM programmes still treat user approval as a reliable trust signal.

Q: How do security teams know if MFA fatigue is affecting their environment?

A: Look for repeated denied prompts, challenge bursts from the same account, unusual timing patterns, and follow-on logins from new locations or devices.

Practitioner guidance

  • Replace push-only MFA for sensitive access Move privileged users, contractors, and remote access paths to phishing-resistant authentication such as passkeys or hardware security keys.
  • Rate-limit repeated MFA prompts Set hard limits on challenge frequency, alert on bursts, and lock or step-up accounts after repeated denials.
  • Add context to every authentication prompt Display application name, geolocation, device details, and request origin in the prompt so users can spot abnormal sign-in behavior.

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of prompt abuse patterns and how attackers combine them with social engineering.
  • A practical breakdown of the MFA methods most vulnerable to fatigue and the ones that resist it.
  • Control ideas for rate limiting, account locking, and contextual push notifications.
  • Why passwordless and cryptographic verification remove the approval step attackers rely on.

👉 Read 1Kosmos' analysis of MFA fatigue attacks and phishing-resistant MFA →

MFA fatigue attacks: are your push prompts training users to approve?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Push-based MFA creates approval debt: The control asks users to repeatedly spend attention on a security decision until they eventually stop making that decision carefully. That is not just a usability issue. It is a governance flaw because the system depends on the user staying alert longer than an attacker needs to wait. The implication is that approval-heavy MFA should be treated as a fragile control, not a mature authentication end state.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when a user approves a fraudulent MFA request?

A: Accountability is shared across identity security, help desk operations, and access governance. If the programme still relies on approval-only MFA, the organisation has built a control that assumes perfect user attention. Frameworks such as Zero Trust and modern authentication guidance push responsibility toward stronger verification methods, not blame after the fact.

👉 Read our full editorial: MFA fatigue attacks expose the limits of push-based authentication



   
ReplyQuote
Share: