MFA Fatigue Attacks: When Your Best Defence Gets Turned Against You


Multi-factor authentication is one of the best security measures any organisation can implement. We’ve been saying it for years, and it’s still true. But attackers have found a way to turn MFA against its users — and it’s disturbingly simple.

It’s called MFA fatigue, and if you’re relying on push notification-based authentication, your organisation is potentially vulnerable right now.

What MFA Fatigue Actually Is

The concept is embarrassingly low-tech for how effective it is. Here’s how it works:

  1. An attacker obtains a user’s credentials (through phishing, credential stuffing, data breach dumps — the usual suspects).
  2. They repeatedly attempt to log in, triggering MFA push notifications to the user’s phone.
  3. The user gets bombarded with “Approve this login?” notifications. Five. Ten. Twenty. At 2 AM. During meetings. While they’re trying to use their phone for anything else.
  4. Eventually, the user taps “Approve” just to make it stop. Or they tap it accidentally. Or they assume it’s a system glitch.
  5. The attacker is in.

This isn’t theoretical. The Uber breach in September 2022 — one of the most high-profile compromises of that year — used exactly this technique. The Lapsus$ group member reportedly bombarded an Uber contractor with push notifications for over an hour, then contacted them on WhatsApp pretending to be IT support, telling them to accept the notification to make them stop.

It worked.

Why It’s Getting Worse

MFA fatigue attacks have grown significantly through 2024 and 2025, and 2026 isn’t showing signs of improvement. Several factors are driving this:

Credential availability. The sheer volume of stolen credentials available on underground marketplaces means attackers have an almost unlimited supply of username/password combinations to try. According to Have I Been Pwned, over 13 billion accounts have been compromised in known data breaches. If someone reuses passwords (and despite years of warnings, many still do), their valid credentials are likely floating around somewhere.

Automation. Attackers don’t sit there manually entering credentials. They use automated tools that can target hundreds of accounts simultaneously, triggering MFA prompts at scale. The cost per attempt is essentially zero.

Social engineering enhancement. The Uber attack showed that combining notification bombing with social engineering (pretending to be IT support) dramatically increases success rates. Attackers have refined this playbook, using AI-generated voice calls and convincing pretexts to pressure users into approving prompts.

Push notification design. Many MFA implementations show a simple “Approve/Deny” prompt with minimal context. Users don’t see where the login attempt is coming from or what device initiated it. Without that context, fatigue-driven approval feels less risky to the user.

The Countermeasures That Work

1. Number Matching

This is the single most effective countermeasure. Instead of a simple “Approve/Deny” prompt, the authentication system displays a number on the login screen and asks the user to enter that number in their MFA app.

If you didn’t initiate the login, you won’t see the number. You can’t approve through fatigue because there’s no “Approve” button to mindlessly tap — you need information that only appears on the login screen.

Microsoft Authenticator, Google, Duo, and most major MFA providers now support number matching. If you haven’t enabled it, do it today. Seriously. Stop reading this article and go enable it. Then come back.
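To make the difference concrete, here is an added example (written for this article, not a vendor's SDK or any product's real implementation) that puts an approve-only push flow beside a number-matching one. The class names, the two-digit code range and the 60-second challenge lifetime are assumptions chosen for illustration; the point it demonstrates is that in the approve-only design a fatigued tap is indistinguishable from a genuine approval, while in the number-matching design the user has nothing to enter unless the code is on their own login screen, and a challenge is single-use and expires.

```python
"""Added example: an approve-only push flow beside a number-matching one.

Illustrative code written for this article, not any vendor's SDK.
The class names, the two-digit code range and the 60-second challenge
lifetime are assumptions chosen here; real products differ in detail.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    user: str
    context: dict              # location, device, app: shown in the prompt
    created: float             # epoch seconds
    match_code: Optional[str]  # None in the approve-only design
    resolved: bool = False


class ApproveOnlyPush:
    """Weak design: one 'Approve' tap completes the login, whoever started it."""

    def __init__(self):
        self.pending = {}

    def start_login(self, user, context):
        cid = secrets.token_hex(8)
        self.pending[cid] = PushChallenge(user, context, time.time(), None)
        return cid  # the push carries cid; the login screen shows nothing

    def respond(self, cid, approved):
        ch = self.pending.get(cid)
        if ch is None or ch.resolved:
            return False
        ch.resolved = True
        return bool(approved)  # a fatigued tap looks exactly like a real one


class NumberMatchingPush:
    """Hardened design: the login screen shows a code the app must echo back."""

    TTL = 60.0  # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self.pending = {}

    def start_login(self, user, context):
        cid = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}"  # displayed ONLY on the login screen
        self.pending[cid] = PushChallenge(user, context, time.time(), code)
        return cid, code

    def respond(self, cid, entered_code, now=None):
        ch = self.pending.get(cid)
        if ch is None or ch.resolved:
            return False
        ch.resolved = True  # single use: a wrong guess burns the challenge
        now = time.time() if now is None else now
        if now - ch.created > self.TTL:
            return False
        return secrets.compare_digest(ch.match_code, entered_code)


# Constructed prompt context, mirroring the fields section 2 asks for
CTX = {"location": "Bucharest, RO", "device": "unknown Windows", "app": "email"}


def fatigue_scenario():
    """Replay the article's scenario against both designs; returns four booleans."""
    weak = ApproveOnlyPush()
    cid = weak.start_login("alice", CTX)
    weak_login = weak.respond(cid, True)  # tired user taps Approve: attacker is in

    strong = NumberMatchingPush()
    cid, code = strong.start_login("alice", CTX)
    # The code is on the attacker's screen, not the user's; the user has nothing
    # to type, so any value they enter is a guess. Pick one that is wrong.
    guess = "00" if code != "00" else "01"
    fatigued_login = strong.respond(cid, guess)

    cid, code = strong.start_login("alice", CTX)
    legit_login = strong.respond(cid, code)  # user reads code off their own screen
    replay = strong.respond(cid, code)       # same challenge again is rejected

    return weak_login, fatigued_login, legit_login, replay


def expired_challenge_is_rejected():
    """A correct code entered after the TTL must still fail."""
    s = NumberMatchingPush()
    cid, code = s.start_login("bob", CTX)
    return s.respond(cid, code, now=time.time() + 2 * s.TTL) is False


if __name__ == "__main__":
    print(fatigue_scenario())               # (True, False, True, False)
    print(expired_challenge_is_rejected())  # True
```

Two design choices matter here: the challenge is marked resolved before the code is compared, so an attacker cannot keep guessing against the same prompt, and the comparison uses a constant-time check so the response timing leaks nothing about the code.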

2. Location and Context in Prompts

MFA notifications should include:

  • Where the login attempt is coming from (city, country)
  • What device is being used
  • What application is being accessed
  • The time of the request

When a user sees “Login attempt from Bucharest, Romania at 3:47 AM on unknown Windows device accessing your email,” they’re much less likely to approve it reflexively than when they just see “Approve login?”

3. Rate Limiting

Configure your identity provider to limit the number of MFA prompts that can be sent in a given timeframe. If someone is triggering 15 push notifications in five minutes, that’s not normal usage — it’s an attack. Block further attempts and alert your security team.

4. Phishing-Resistant MFA

Push notifications are convenient but vulnerable. More resistant options include:

FIDO2/WebAuthn security keys (like YubiKeys). These are virtually immune to MFA fatigue because they require physical presence and can’t be approved remotely. The FIDO Alliance has been pushing this standard for years, and support is now widespread.

Passkeys built into devices offer similar phishing resistance with better usability. Apple, Google, and Microsoft all support them natively now.

Certificate-based authentication ties authentication to specific devices and doesn’t involve approvable notifications at all.

5. User Education (But Don’t Stop There)

Training users to never approve MFA prompts they didn’t initiate is important. But relying solely on user vigilance is a losing strategy. People are human. They get tired, distracted, and annoyed. Your defences should account for that.

Teach users what MFA fatigue attacks look like. Give them a clear process for reporting unexpected MFA prompts. But also implement the technical controls that make fatigue attacks ineffective regardless of user behaviour.

6. Anomaly Detection

Your security monitoring should flag unusual MFA patterns. Multiple failed MFA attempts from different geolocations. A sudden spike in push notifications for a single user. An approved MFA prompt at 4 AM from a location where the user has never logged in before.

These patterns are detectable with the logging capabilities built into most modern identity platforms. The question is whether anyone’s watching.
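The rate limiting of section 3 and the anomaly detection of this section both come down to the same thing: reading the MFA event log and counting. The following added example (written for this article, not the page's own code and not any identity provider's API) does both over a constructed log. The log format, the thresholds (15 prompts within 5 minutes, taken from the article; 00:00 to 05:59 treated as off-hours) and the per-user baseline of known locations are assumptions; the sample lines are constructed, not captured telemetry.

```python
"""Added example: sliding-window rate limiting and anomaly flags over MFA push logs.

Written for this article, not the page's own code nor any identity provider's
API. The log format, the thresholds (15 prompts in 5 minutes, from the article;
00:00-05:59 treated as off-hours) and the per-user known-location baseline are
assumptions; the log lines are constructed, not real telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Build sample events in memory (constructed data, not captured logs)."""
    lines = []
    base = datetime(2026, 2, 3, 2, 1, 0)
    for i in range(16):  # alice: 16 prompts in under four minutes, at night
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} alice push_sent Bucharest,RO Windows-unknown")
    lines.append("2026-02-03T02:05:10Z alice approved Bucharest,RO Windows-unknown")
    lines.append("2026-02-03T09:12:00Z bob push_sent London,GB iPhone-bob")  # normal use
    lines.append("2026-02-03T09:12:20Z bob approved London,GB iPhone-bob")
    return "\n".join(lines)


def parse(text):
    """One event per line: <utc-timestamp> <user> <event> <location> <device>."""
    events = []
    for line in text.splitlines():
        ts, user, event, location, device = line.split(maxsplit=4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event,
                       "location": location, "device": device})
    return sorted(events, key=lambda e: e["ts"])


def rate_limit(events, max_prompts=15, window=timedelta(minutes=5)):
    """Sliding window per user: the instant a user reaches max_prompts within
    `window`, record it. A provider would stop sending further pushes here."""
    recent = defaultdict(deque)
    tripped = {}
    for e in events:
        if e["event"] != "push_sent":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop prompts older than the window
        if len(q) >= max_prompts and e["user"] not in tripped:
            tripped[e["user"]] = e["ts"].isoformat()
    return tripped


def anomalies(events, known_locations, off_hours=range(0, 6)):
    """Flag approved prompts from a location the user has never used, or
    approved during off-hours. Returns (user, time, reasons) tuples."""
    flags = []
    for e in events:
        if e["event"] != "approved":
            continue
        reasons = []
        if e["location"] not in known_locations.get(e["user"], set()):
            reasons.append("new_location")
        if e["ts"].hour in off_hours:
            reasons.append("off_hours")
        if reasons:
            flags.append((e["user"], e["ts"].isoformat(), reasons))
    return flags


# Baseline of locations each user normally logs in from (constructed)
KNOWN = {"alice": {"London,GB"}, "bob": {"London,GB"}}


def analyse_sample():
    events = parse(constructed_log())
    return {"tripped": rate_limit(events), "flags": anomalies(events, KNOWN)}


if __name__ == "__main__":
    result = analyse_sample()
    for user, when in result["tripped"].items():
        print(f"RATE LIMIT: {user} hit 15 prompts in 5 min at {when}; block + alert")
    for user, when, why in result["flags"]:
        print(f"ANOMALY: {user} approved at {when}: {', '.join(why)}")
```

On the constructed data the limit trips on alice's fifteenth prompt, well before the approval, which is where a provider should stop sending pushes and page the security team; the later approval is then flagged twice over, as both a never-seen location and an off-hours event, while bob's daytime login from a known location produces nothing. The known-location baseline is the part that needs real history behind it: seed it from the user's previous successful logins rather than a hand-written table.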

What to Do Right Now

If I had to prioritise, here’s my short list:

  1. Enable number matching on your MFA system. This eliminates the simplest form of MFA fatigue overnight.
  2. Review your MFA provider’s settings for rate limiting, context display, and anomaly alerting. Most providers offer these features — they’re just not always enabled by default.
  3. Start planning a move to phishing-resistant MFA for high-value accounts (IT admins, executives, finance teams). FIDO2 keys cost $25-50 each. That’s a trivial investment compared to the cost of a breach.
  4. Send a company-wide communication explaining MFA fatigue attacks and what to do if employees receive unexpected prompts: deny them and report immediately.

If you’re exploring business AI solutions for your security operations, look specifically at tools that use machine learning to detect anomalous authentication patterns — they can catch MFA fatigue attacks in progress and automatically block further attempts.

MFA Is Still Worth It

I want to be clear: MFA fatigue attacks don’t mean MFA is broken. MFA remains one of the most effective security controls available. The problem isn’t MFA itself — it’s specific implementations that don’t account for the human factor.

Push notifications were designed for convenience. That convenience created an attack surface. The solution isn’t to abandon MFA — it’s to implement it more thoughtfully.

Number matching, phishing-resistant methods, rate limiting, and user education together make MFA fatigue attacks impractical. The tools exist. The knowledge exists. The question is whether your organisation will implement them before or after an incident forces the issue.

I know which option I’d prefer.