TL;DR: MFA fatigue attacks exploit repeated push prompts, stolen credentials, and help desk social engineering to turn one approval into full account compromise, with real-world breaches at Uber, Cisco, and MGM Resorts showing the pattern repeatedly, according to 1Kosmos. Push-based MFA stops looking resilient once attackers can convert user exhaustion into authentication success.
NHIMG editorial — based on content published by 1Kosmos: MFA fatigue attacks and phishing-resistant MFA
By the numbers:
- MGM Resorts attack in 2023 showed just how far this can go, with losses exceeding $100 million.
Questions worth separating out
Q: What breaks when organisations rely on push-based MFA for high-risk access?
A: Push-based MFA breaks when the approval step becomes routine instead of deliberate.
Q: Why do MFA fatigue attacks work so well in modern IAM programmes?
A: They work because many IAM programmes still treat user approval as a reliable trust signal.
Q: How do security teams know if MFA fatigue is affecting their environment?
A: Look for repeated denied prompts, challenge bursts from the same account, unusual timing patterns, and follow-on logins from new locations or devices.
Practitioner guidance
- Replace push-only MFA for sensitive access Move privileged users, contractors, and remote access paths to phishing-resistant authentication such as passkeys or hardware security keys.
- Rate-limit repeated MFA prompts Set hard limits on challenge frequency, alert on bursts, and lock or step-up accounts after repeated denials.
- Add context to every authentication prompt Display application name, geolocation, device details, and request origin in the prompt so users can spot abnormal sign-in behavior.
What's in the full article
1Kosmos' full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of prompt abuse patterns and how attackers combine them with social engineering.
- A practical breakdown of the MFA methods most vulnerable to fatigue and the ones that resist it.
- Control ideas for rate limiting, account locking, and contextual push notifications.
- Why passwordless and cryptographic verification remove the approval step attackers rely on.
👉 Read 1Kosmos' analysis of MFA fatigue attacks and phishing-resistant MFA →
MFA fatigue attacks: are your push prompts training users to approve?
Explore further
Push-based MFA creates approval debt: The control asks users to repeatedly spend attention on a security decision until they eventually stop making that decision carefully. That is not just a usability issue. It is a governance flaw because the system depends on the user staying alert longer than an attacker needs to wait. The implication is that approval-heavy MFA should be treated as a fragile control, not a mature authentication end state.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when a user approves a fraudulent MFA request?
A: Accountability is shared across identity security, help desk operations, and access governance. If the programme still relies on approval-only MFA, the organisation has built a control that assumes perfect user attention. Frameworks such as Zero Trust and modern authentication guidance push responsibility toward stronger verification methods, not blame after the fact.
👉 Read our full editorial: MFA fatigue attacks expose the limits of push-based authentication