John Trest, Chief Learning Officer, VIPRE Security Group
Multi-factor authentication (MFA) remains one of the most effective defenses against account compromise. By requiring a second factor in addition to a password (something the user has, knows, or is), MFA raises the barrier for attackers and sharply reduces breach risk. But as security improves, attackers adapt. A newer threat, MFA fatigue or prompt bombing, exploits user frustration with repeated login requests to trick people into granting access.
Let’s review how these attacks work, why they’re increasing, and how organisations can strengthen MFA without overwhelming users.
What Is MFA Fatigue?
MFA fatigue occurs when users are bombarded with frequent or poorly timed authentication prompts. Attackers who obtain a victim’s username and password try to log in repeatedly, triggering push notifications or approval requests. The constant barrage wears down patience, and eventually some users approve a request out of annoyance, confusion, or the desire to stop the alerts.
Also called prompt bombing, this tactic is simple yet surprisingly effective.

Real-World Impact
Prompt bombing has played a role in multiple significant breaches, demonstrating that attackers can succeed through persistence and psychological manipulation rather than advanced exploits.
- Notification fatigue: After dozens of alerts, a user may assume a glitch and approve one without thinking.
- Social engineering: Attackers may impersonate IT support, urging users to “just approve the login.”
- Timing tactics: Sending MFA requests late at night or during busy work hours raises the odds of accidental approval.
Because it’s cheap, fast, and scalable, this technique has become a favourite for groups seeking initial access to corporate networks.
Why Users Are Vulnerable
MFA fatigue stems from a basic tension between security and usability. Too many prompts frustrate users; too few create openings for attackers. Common weak points include:
- Push-based MFA: One-tap “Approve” prompts are convenient but easy to exploit.
- Lack of context: Many prompts omit location or device details, leaving users guessing.
- Training gaps: Employees may not recognise or report unexpected MFA requests.
When security feels like a nuisance, users take shortcuts, which is exactly what attackers count on.
Smarter MFA Strategies
Organisations can strengthen MFA and reduce frustration through several practical steps.
1. Move Beyond Push Approvals
Push notifications alone are too vulnerable. Safer options include number matching (entering a code shown on the login screen into the app) or biometric verification, such as fingerprint or facial recognition. These methods stop attackers from succeeding through persistence alone.
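The following is an added example, not VIPRE's code, showing why number matching resists persistence: the server issues a short code that is displayed only on the login screen that started the attempt, and the app requires the user to type that code. A victim who did not start the login never sees the number, so blind approval degrades to a guess. The server class, the one-minute validity window and the two-digit format are assumptions for illustration.

```python
# Added example (not VIPRE's code): a minimal number-matching MFA server,
# contrasted with one-tap push approval. A push prompt can be approved
# blindly; a number-matching prompt can only be completed by someone who
# can see the number on the login screen. Names and values are constructed.
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60  # assumed policy: a challenge is valid for one minute


@dataclass
class Challenge:
    user: str
    number: str      # two-digit code shown on the login screen, never sent in the push
    created: float   # epoch seconds


class NumberMatchServer:
    """Issues one pending number-matching challenge per user and verifies entries.

    `now` and `randbelow` are injectable so the behaviour can be tested
    deterministically; production code keeps the defaults.
    """

    def __init__(self, now=time.time, randbelow=secrets.randbelow):
        self._now = now
        self._randbelow = randbelow
        self._pending: dict[str, Challenge] = {}

    def issue(self, user: str) -> str:
        # A new login attempt replaces any earlier pending challenge, so an
        # attacker spamming logins cannot accumulate a pile of approvable prompts.
        number = f"{self._randbelow(100):02d}"
        self._pending[user] = Challenge(user, number, self._now())
        return number  # displayed only on the login screen that started the attempt

    def verify(self, user: str, entered: str) -> bool:
        ch = self._pending.pop(user, None)   # single use: consumed on the first attempt
        if ch is None:
            return False
        if self._now() - ch.created > CHALLENGE_TTL_SECONDS:
            return False
        # Constant-time comparison so the check leaks nothing about the stored number.
        return hmac.compare_digest(ch.number, entered)


def legitimate_login(server: NumberMatchServer, user: str) -> bool:
    """The user started the login, sees the number on their own screen, and types it."""
    shown = server.issue(user)
    return server.verify(user, shown)


def blind_approval(server: NumberMatchServer, user: str, victim_guess: str) -> bool:
    """Prompt bombing: the attacker started the login, so the number is shown on
    the attacker's screen. The fatigued victim cannot see it and types a guess."""
    server.issue(user)                    # number goes to the attacker's login screen
    return server.verify(user, victim_guess)


if __name__ == "__main__":
    srv = NumberMatchServer()
    print("legitimate login:", legitimate_login(srv, "alice"))
    print("blind approval  :", blind_approval(srv, "alice", "00"))
```

The single-use pop and the expiry check matter as much as the comparison: without them a stale challenge could be retried until the victim eventually types the right digits.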
2. Add Contextual Information
Prompts should display location, device type, and time of the login attempt. When users see that a request comes from an unfamiliar city or device, they’re far less likely to approve it.
3. Implement Rate Limiting
Systems should limit MFA attempts within a set timeframe. Multiple prompts in quick succession should trigger an account lock or alert, preventing attackers from overwhelming users.
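As an added example (not VIPRE's code), here is detection logic for this step run over a handful of constructed MFA push log lines: a sliding window counts prompts per user and locks the account once the limit is exceeded, and an approval that follows a run of denials is flagged for review. The log format, thresholds and sample addresses are assumptions.

```python
# Added example (not VIPRE's code): rate limiting and prompt-bombing detection
# replayed over constructed MFA push log lines. Log format and thresholds are assumed.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

MAX_PROMPTS = 4             # assumed policy: more than this many prompts ...
WINDOW_SECONDS = 120        # ... inside this window locks the account
DENIALS_BEFORE_SUSPECT = 2  # an approval after this many denials is suspect

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"event=mfa_push result=(?P<result>approved|denied|timeout) src=(?P<src>\S+)$"
)

# Constructed sample: alice is being prompt-bombed from one address; bob and carol are normal.
SAMPLE_LOG = """
2024-05-01T02:13:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:13:40Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:14:10Z user=alice event=mfa_push result=timeout src=203.0.113.7
2024-05-01T02:14:35Z user=alice event=mfa_push result=approved src=203.0.113.7
2024-05-01T02:15:02Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-05-01T02:15:30Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-05-01T09:00:12Z user=bob event=mfa_push result=approved src=198.51.100.20
2024-05-01T09:00:40Z user=carol event=mfa_push result=denied src=192.0.2.9
2024-05-01T09:03:05Z user=carol event=mfa_push result=approved src=192.0.2.9
""".strip().splitlines()


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def analyse(lines, max_prompts=MAX_PROMPTS, window=WINDOW_SECONDS):
    """Replay the log in order and return (locked_users, alerts)."""
    recent = defaultdict(deque)   # user -> prompt timestamps still inside the window
    denials = defaultdict(int)    # user -> denials since the last approval
    locked, alerts = set(), []
    for rec in filter(None, map(parse, lines)):
        user, t = rec["user"], rec["time"]
        if user in locked:
            alerts.append(f"{rec['ts']} {user}: prompt while locked, dropped")
            continue
        q = recent[user]
        q.append(t)
        while (t - q[0]).total_seconds() > window:   # evict prompts older than the window
            q.popleft()
        if len(q) > max_prompts:
            locked.add(user)
            alerts.append(f"{rec['ts']} {user}: {len(q)} prompts in {window}s "
                          f"from {rec['src']}, locking account")
            continue
        if rec["result"] == "denied":
            denials[user] += 1
        elif rec["result"] == "approved":
            if denials[user] >= DENIALS_BEFORE_SUSPECT:
                alerts.append(f"{rec['ts']} {user}: approval after {denials[user]} denials, "
                              f"treat as suspect")
            denials[user] = 0
    return locked, alerts


if __name__ == "__main__":
    locked_users, found = analyse(SAMPLE_LOG)
    print("locked:", sorted(locked_users))
    for a in found:
        print(a)
```

The approval-after-denials rule is worth keeping even when rate limiting is in place: it catches the case where the victim gives in before the prompt counter trips, which is exactly the outcome the attacker is working toward.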
4. Educate Users
Training employees to recognise MFA fatigue attacks is essential. Users should know that unexpected prompts signal a possible intrusion and should be reported immediately. Ongoing awareness programs make security a shared responsibility, not just an IT function.
5. Embrace Adaptive Authentication
Adaptive or risk-based MFA adjusts requirements based on context. A login from a trusted device on a known network might need fewer steps, while attempts from new locations or odd hours trigger extra verification. This balance keeps security strong without excessive interruptions.
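The added example below (not VIPRE's code) ties steps 2 and 5 together: a small risk score built from device, network, location and time-of-day signals decides how much verification a login needs, and the same signals are rendered into the contextual prompt text a user would see. The signal weights, thresholds and step names are constructed policy, not a vendor's scoring model.

```python
# Added example (not VIPRE's code): risk-based step-up plus contextual prompt text.
# Signals, weights, thresholds and profile data are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    src_ip: str
    city: str
    country: str
    when: datetime                  # timezone-aware UTC


@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    known_net_prefixes: frozenset   # e.g. "10.20.", crude string prefix match for the example
    home_countries: frozenset
    work_hours: tuple = (7, 20)     # UTC hours treated as usual for this user


def risk_score(ctx, profile):
    """Add a constructed weight for each unusual signal; return (score, reasons)."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unregistered device")
    if not any(ctx.src_ip.startswith(p) for p in profile.known_net_prefixes):
        score += 20
        reasons.append("unknown network")
    if ctx.country not in profile.home_countries:
        score += 30
        reasons.append(f"login from {ctx.country}")
    start, end = profile.work_hours
    if not (start <= ctx.when.hour < end):
        score += 10
        reasons.append("outside usual hours")
    return score, reasons


def required_step(score):
    """Map a score to the verification required (constructed thresholds)."""
    if score < 20:
        return "session_on_trusted_device"   # no extra prompt at all
    if score < 60:
        return "number_matching"
    if score < 100:
        return "phishing_resistant_key"      # e.g. a hardware security key
    return "deny_and_alert"


def render_prompt(ctx, reasons):
    """Prompt text that shows where, on what device, when, and why it was raised."""
    when = ctx.when.strftime("%Y-%m-%d %H:%M UTC")
    why = "; ".join(reasons) if reasons else "no unusual signals"
    return (f"Sign-in attempt for {ctx.user} from {ctx.city}, {ctx.country} ({ctx.src_ip}) "
            f"on device {ctx.device_id} at {when}. Flags: {why}. "
            f"If you did not start this sign-in, deny it and report it.")


def evaluate(ctx, profile):
    """Return (required_step, prompt_text) for one login attempt."""
    score, reasons = risk_score(ctx, profile)
    return required_step(score), render_prompt(ctx, reasons)


if __name__ == "__main__":
    profile = UserProfile(frozenset({"laptop-01"}), frozenset({"10.20."}), frozenset({"GB"}))
    attempt = LoginContext("alice", "unknown-7", "203.0.113.7", "Unknown", "XX",
                           datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc))
    step, text = evaluate(attempt, profile)
    print(step)
    print(text)
```

The lowest tier issues no prompt at all, which is the point of adaptive MFA: fewer interruptions on a known device and network mean an unexpected prompt stands out, so users are more likely to treat it as a signal rather than noise.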
The Role of Zero Trust
A Zero Trust approach assumes no user, device, or application is inherently trustworthy. Every access request requires continuous verification, based on signals like device health, network reputation, and user behaviour. Within this framework, MFA is one important layer, but not a standalone solution. When integrated into a Zero Trust model, MFA strengthens overall security by working alongside endpoint monitoring, access controls, and analytics to reduce reliance on any single safeguard.
Striking the Right Balance
MFA fatigue underscores a crucial point: human behaviour is an integral part of cybersecurity. Attackers are no longer limited to technical vulnerabilities; they now weaponise user irritation and fatigue with the same efficacy they once applied to weak passwords.
To stay protected, organisations must modernise MFA in ways that increase resistance without alienating users. Reducing prompt overload, providing clearer context, and using adaptive methods all help maintain trust and compliance.
Conclusion
Multi-factor authentication remains a cornerstone of cybersecurity, but its success depends on thoughtful implementation. Over-reliance on push notifications can open the door to fatigue-based attacks that erode confidence in the system. By adopting smarter prompts, contextual data, user education, and adaptive controls, organisations can stay ahead of attackers while keeping the user experience manageable.
Achieving a balance between user convenience and robust security is crucial; the objective is to safeguard both individuals and their data.