Multi-Factor Authentication (MFA) has been our cybersecurity superhero for years, reducing the risk of compromise by 99.2 percent. But here’s the plot twist nobody saw coming: attackers have figured out how to turn this security strength into a weakness.
Welcome to the world of MFA fatigue attacks – and they’re spreading faster than you might think.
In September 2022, Uber learned this lesson the hard way. A hacker didn’t need sophisticated malware or elaborate phishing schemes. Instead, they purchased stolen employee credentials from the dark web and then did something surprisingly simple: they bombarded the employee with MFA approval requests for over an hour.
Eventually, the frustrated employee clicked “approve” just to make it stop.
Game over. The hacker was in.
Think about it – we’ve all been there. Your phone buzzes with a notification, then another, then another. That little voice in your head says “just make it stop.”
That’s exactly what attackers are counting on. Microsoft reports that MFA fatigue attacks have increased tenfold, and it’s easy to see why they’re so effective:
With Microsoft blocking over 7,000 password attacks per second and seeing 600 million identity attacks daily, the scale of this threat is massive.
When MFA fatigue attacks succeed, the damage goes far beyond a simple data breach. IBM’s 2024 report shows the global average cost of a data breach hit $4.88 million – a 10% jump from the previous year.
But the real kicker? The Verizon Data Breach Report found that 82% of breaches involve the human element. Your employees aren’t just users – they’re often the final line of defence.
For smaller organisations, charities, and non-profits, a successful attack doesn’t just mean financial loss. It means shattered donor trust, regulatory penalties, and potentially devastating operational disruption.
The good news? You don’t need to abandon MFA – you just need to configure it smarter:
Instead of simple “approve/deny” buttons, require users to enter a number displayed on their login screen. This small change makes accidental approvals nearly impossible.
Configure your systems to automatically block excessive authentication requests. If someone’s getting 10 MFA prompts in 5 minutes, something’s wrong.
Reduce unnecessary MFA prompts by setting location and device-based policies. Known devices from familiar locations shouldn’t trigger constant authentication requests.
Most security training focuses on suspicious emails. Make sure your team knows about MFA fatigue attacks and understands they should never approve authentication requests they didn’t initiate.
FIDO2 security keys and Windows Hello for Business are much harder for attackers to exploit through fatigue tactics.
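As an added example that is not part of the original post, here is the detection logic behind the "excessive authentication requests" rule above, run over constructed sample push-MFA log lines (the log format, user names and event names are assumptions): it flags a user who receives 10 push prompts inside a sliding 5-minute window and, more importantly, an approval that arrives right after such a burst, which is the exact outcome a fatigue attack is after.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _pushes(user, start, count, gap_seconds):
    """Constructed helper: `count` push_sent log lines for `user`, `gap_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * gap_seconds)).isoformat()} {user} push_sent"
            for i in range(count)]

# Constructed sample MFA push log (not real data), format: "<ISO timestamp> <user> <event>".
# alice gets 10 prompts in 4.5 minutes and then approves one (the fatigue pattern);
# bob gets one normal prompt; carol gets 10 prompts spread over 30 minutes (benign).
SAMPLE_LOG = "\n".join(sorted(
    _pushes("alice", "2022-09-15T22:00:00", 10, 30)
    + ["2022-09-15T22:05:10 alice push_approved"]
    + ["2022-09-15T22:07:00 bob push_sent", "2022-09-15T22:07:20 bob push_approved"]
    + _pushes("carol", "2022-09-15T22:10:00", 10, 200)
))

def detect_push_bombing(log_text, threshold=10, window_minutes=5):
    """Flag users who receive `threshold` or more push prompts inside a sliding window,
    and flag any approval that follows such a burst within the same window length."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of push_sent still inside the window
    burst_at = {}                 # user -> time the burst threshold was first crossed
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, user, event = line.split()
        ts = datetime.fromisoformat(ts_str)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:          # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in burst_at:
                burst_at[user] = ts
                alerts.append({"user": user, "type": "burst", "count": len(q), "at": ts})
        elif event == "push_approved":
            # An approval shortly after a burst should be treated as a likely compromised
            # session (revoke tokens, force re-verification), not as a successful login.
            if user in burst_at and ts - burst_at[user] <= window:
                alerts.append({"user": user, "type": "approved_during_burst", "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same rule belongs in the identity provider's own lockout or SIEM correlation settings; this script only shows the logic those settings implement.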
MFA isn’t broken – but it’s not foolproof either. CISA and Microsoft provide detailed guidance on implementing these protective measures, yet many organisations are still running with default configurations that leave them vulnerable.
The attackers already know about MFA fatigue. The question is: do you?
Don’t wait for your next security review to address this gap. The configuration changes needed to prevent MFA fatigue attacks can often be implemented quickly – but only if you know what to look for.
Is your organisation’s MFA setup creating more security gaps than it’s closing? A comprehensive MFA resilience audit can help you identify vulnerabilities and implement protective controls before attackers find them first.