TL;DR: Push fatigue attacks succeed by exploiting valid credentials and human response patterns, not by breaking authentication infrastructure, which is why modern IAM can still miss them according to eMudhra. Modern identity programmes need more than strong login flows, because approval signals can look clean even when the underlying trust decision is coerced.
NHIMG editorial — based on content published by eMudhra: Security teams often assume that once authentication is modernized, risk drops significantly
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should security teams reduce push fatigue risk in IAM environments?
A: Security teams should reduce the number of times users can be asked to approve access, then make the approval itself harder to accept blindly.
Q: Why do valid credentials not stop push fatigue attacks?
A: Valid credentials only prove that the login request is technically plausible.
Q: What do security teams get wrong about MFA push notifications?
A: Many teams treat a push approval as confirmation that the user intended to authenticate.
Practitioner guidance
- Reduce dependence on push approval workflows Move high-risk access paths toward passwordless or certificate-based methods so repeated prompts are not the primary trust signal for entry.
- Enforce number matching and prompt throttling Limit how often a user can be challenged and require interaction that cannot be accepted reflexively, especially for sensitive applications.
- Add behavioural detection for approval fatigue Monitor prompt volume, repeated denials, device changes, and unusual approval timing to identify coercive patterns before access is granted.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- How its IAM approach combines certificate-backed identity validation with adaptive access enforcement.
- Which contextual signals the vendor says are used to reduce reliance on push approval workflows.
- How passwordless and certificate-based authentication change the attack surface for repeated prompt abuse.
- Where its IAM architecture fits into broader identity assurance design decisions.
👉 Read eMudhra's analysis of push fatigue attacks and IAM defense →
Push fatigue attacks and IAM: what controls actually stop them?
Explore further
Push fatigue attacks expose an approval-trust assumption that modern IAM still relies on. The architecture assumes a valid user response is a reliable indicator of intent, but attackers can manufacture that response through repetition and disruption. That means the failure is not merely weak MFA, but a trust model that overvalues the approval event. Practitioners should treat prompt acceptance as a risky behavioural signal, not a clean authentication outcome.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation lags can outlast detection by days.
A question worth separating out:
Q: How do you know if push fatigue controls are actually working?
A: Look for fewer repeated prompts, lower approval rates on unexpected requests, and stronger challenge outcomes on sensitive applications. If users still receive frequent prompts for the same account or application, the control is reducing friction without reducing the attack path.
👉 Read our full editorial: Push fatigue attacks expose the limits of modern IAM controls