Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Push fatigue attacks and IAM: what controls actually stop them?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Push fatigue attacks succeed by exploiting valid credentials and human response patterns, not by breaking authentication infrastructure, which is why modern IAM can still miss them according to eMudhra. Modern identity programmes need more than strong login flows, because approval signals can look clean even when the underlying trust decision is coerced.

NHIMG editorial — based on content published by eMudhra: Security teams often assume that once authentication is modernized, risk drops significantly

By the numbers:

Questions worth separating out

Q: How should security teams reduce push fatigue risk in IAM environments?

A: Security teams should reduce the number of times users can be asked to approve access, then make the approval itself harder to accept blindly.

Q: Why do valid credentials not stop push fatigue attacks?

A: Valid credentials only prove that the login request is technically plausible.

Q: What do security teams get wrong about MFA push notifications?

A: Many teams treat a push approval as confirmation that the user intended to authenticate.

Practitioner guidance

  • Reduce dependence on push approval workflows Move high-risk access paths toward passwordless or certificate-based methods so repeated prompts are not the primary trust signal for entry.
  • Enforce number matching and prompt throttling Limit how often a user can be challenged and require interaction that cannot be accepted reflexively, especially for sensitive applications.
  • Add behavioural detection for approval fatigue Monitor prompt volume, repeated denials, device changes, and unusual approval timing to identify coercive patterns before access is granted.

What's in the full article

eMudhra's full article covers the operational detail this post intentionally leaves for the source:

  • How its IAM approach combines certificate-backed identity validation with adaptive access enforcement.
  • Which contextual signals the vendor says are used to reduce reliance on push approval workflows.
  • How passwordless and certificate-based authentication change the attack surface for repeated prompt abuse.
  • Where its IAM architecture fits into broader identity assurance design decisions.

👉 Read eMudhra's analysis of push fatigue attacks and IAM defense →

Push fatigue attacks and IAM: what controls actually stop them?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Push fatigue attacks expose an approval-trust assumption that modern IAM still relies on. The architecture assumes a valid user response is a reliable indicator of intent, but attackers can manufacture that response through repetition and disruption. That means the failure is not merely weak MFA, but a trust model that overvalues the approval event. Practitioners should treat prompt acceptance as a risky behavioural signal, not a clean authentication outcome.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation lags can outlast detection by days.

A question worth separating out:

Q: How do you know if push fatigue controls are actually working?

A: Look for fewer repeated prompts, lower approval rates on unexpected requests, and stronger challenge outcomes on sensitive applications. If users still receive frequent prompts for the same account or application, the control is reducing friction without reducing the attack path.

👉 Read our full editorial: Push fatigue attacks expose the limits of modern IAM controls



   
ReplyQuote
Share: