MFA Fatigue: Too Many Prompts & One Wrong Click

Multi-factor authentication (MFA) is supposed to keep your accounts safe, but when you’re hit with prompt after prompt, it gets easy to stop paying attention. That’s when mistakes happen. Hackers know this, and they’ve started using it to their advantage through a tactic called MFA fatigue.

In this article, we’ll break down how too many security checks can easily become a vulnerability.

Key Takeaways

  • When people get too many MFA prompts, they start hitting “approve” without really thinking.
  • Hackers take advantage of that with push bombing, flooding users with requests until one gets through.
  • If you’re getting annoyed, zoning out, or putting off tasks to avoid logging in, that’s MFA fatigue.
  • You can ease the pain with smarter tools – like adaptive MFA, fewer prompts, or single sign-on.
  • Teaching people what to look out for and giving more info in each prompt makes a big difference.

What Happens When MFA Turns Against You

MFA is supposed to keep you safer. Instead of just entering a password, you also have to do something like approve a push notification or enter a code from your phone. It adds an extra step, which makes it harder for someone to break into your account even if they have your password.

But when those prompts start piling up, things can get annoying fast. That’s where MFA fatigue comes in. It’s what happens when you’re hit with so many authentication requests that you stop paying close attention. You might feel frustrated, distracted, or just tired of dealing with it.

Hackers know this. One trick they use is called push bombing (also known as MFA spamming). Basically, they get your login details and then flood you with MFA requests, hoping you’ll eventually approve one just to shut them up. And sometimes, that’s all it takes.

Attackers Love a Tired User

Hackers don’t always break in by force. Sometimes, they just wait for someone to get tired and make a mistake. That’s what happens with push spamming or MFA prompt bombing, when an attacker already has your login info and starts sending you nonstop MFA requests. The hope is that you’ll get annoyed or distracted and hit “approve” just to make it stop.

That’s exactly what happened during the Uber breach in 2022. The attacker got a contractor’s credentials and then flooded him with MFA prompts for over an hour. Eventually, they messaged the guy pretending to be IT support and said something like, “Hey, can you just approve one so we can fix it?” He did. And just like that, they were in.
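The pattern described above (a run of denied or ignored prompts that ends in an approval) can be searched for in MFA logs. The following is an added example, not part of the original article; the event format, user names, 60-minute window and threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events (not real logs): (timestamp, user, result).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "approved"),   # ordinary login
    ("2024-05-01T14:00:00", "carol", "denied"),     # one mistaken tap, then success
    ("2024-05-01T14:01:00", "carol", "approved"),
    ("2024-05-01T18:00:00", "dave", "timeout"),     # rejections spread over hours
    ("2024-05-01T19:30:00", "dave", "timeout"),
    ("2024-05-01T21:00:00", "dave", "approved"),
    ("2024-05-01T22:01:00", "bob", "denied"),       # burst of prompts, then approval
    ("2024-05-01T22:05:00", "bob", "timeout"),
    ("2024-05-01T22:12:00", "bob", "denied"),
    ("2024-05-01T22:20:00", "bob", "timeout"),
    ("2024-05-01T22:31:00", "bob", "denied"),
    ("2024-05-01T22:40:00", "bob", "timeout"),
    ("2024-05-01T22:45:00", "bob", "approved"),
]

def find_fatigue_approvals(events, window=timedelta(minutes=60), threshold=5):
    """Flag approvals preceded by >= threshold denied/timed-out prompts in window.

    Returns a list of (user, approval_timestamp, rejected_count).
    """
    rejected = defaultdict(deque)   # user -> times of recent denied/timed-out prompts
    alerts = []
    for ts_text, user, result in sorted(events):   # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_text)
        recent = rejected[user]
        while recent and ts - recent[0] > window:  # drop prompts outside the window
            recent.popleft()
        if result in ("denied", "timeout"):
            recent.append(ts)
        elif result == "approved":
            if len(recent) >= threshold:
                alerts.append((user, ts_text, len(recent)))
            recent.clear()                         # a new session starts a new count
    return alerts

if __name__ == "__main__":
    for user, when, count in find_fatigue_approvals(SAMPLE_EVENTS):
        print(f"ALERT {user}: approval at {when} after {count} rejected prompts")
```

An alert of this kind is a reason to revoke the session and contact the user through a separate channel, since the approval itself looks legitimate to the identity provider.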

Part of what makes these fatigue attacks work is how little information most MFA prompts give you. Usually, it just says something vague like, “Are you trying to log in?” but it doesn’t tell you from where or what device. If you’re tired or not paying close attention, it’s easy to click without thinking. That’s what attackers are counting on.

The Warning Signs You Shouldn’t Ignore

MFA fatigue usually creeps in slowly, but the signs are easy to spot once you know what to look for:

🚩You’re approving prompts without thinking: You get so used to seeing them that you just tap “approve” automatically, even if you’re not trying to log in.

🚩You feel annoyed every time your phone buzzes: Each prompt feels more like a nuisance than a security check, and the frustration builds throughout the day.

🚩You start avoiding certain tasks: You put off opening email or logging into a tool because you don’t want to deal with the extra step. So it waits… and sometimes never gets done.

🚩You’re constantly getting pulled out of your workflow: Even short interruptions can break your focus. When you’re getting hit with multiple prompts a day, it gets harder to stay productive.

🚩You dread the whole process: Just the thought of another login prompt makes you groan a little. It starts to feel like a barrier to getting anything done.

What’s Really Wearing Us Down

MFA fatigue is a slow-build issue, like when a lot of small things pile on you over time. Here’s what’s really dragging people down:

  • Way too many apps asking for MFA: Every platform has its own login, and most of them want you to go through MFA. After the third or fourth prompt in a day, it starts to feel like overkill.
  • No single sign-on to make things easier: If your tools don’t talk to each other, you’re logging in separately to everything. Without single sign-on (SSO), you’re stuck repeating the same steps over and over, and it gets old fast.
  • Inconsistent rules across systems: One app asks for MFA every time you log in. Another barely checks. That kind of inconsistency throws you off and makes it harder to know what to expect or trust the process.
  • Prompts that hit at the worst times: You’re in the middle of something, fully focused, and bam, MFA prompt. It only takes a second, but it breaks your flow. Do that a few times a day, and it adds up.
  • Too much tech and not enough headspace: Between all the logins, tools, and alerts, it’s easy to feel burned out. At some point, it stops feeling like security and starts feeling like noise.

None of this means MFA is bad, of course. It’s quite necessary. It just means the way it’s set up can backfire if we’re not careful.

One Click Away From a Breach

When you’re hit with MFA prompts all day, it’s only a matter of time before you slip. Maybe you’re busy. Maybe you’re tired. You get another notification and, without thinking, you tap “approve.” Just like that, someone else is in.

That’s what makes prompt bombing so effective. Attackers don’t need to be clever; they just need you to be worn down. The same goes for phishing. When you’re already frustrated or distracted, it’s easier to fall for a fake login page or hand over a code without a second thought.

And it’s not just about security. This kind of constant interruption messes with your ability to get things done. It breaks your focus, slows you down, and starts to drag on your mood.

Simple Moves That Make a Big Difference

You don’t need to overhaul everything to reduce MFA fatigue. A few small changes can go a long way.

1. Set Up Smarter MFA Rules

Limit the number of MFA attempts to stop spam, and lock accounts after too many failed tries. Add context to prompts, like device or location info, so users know what they’re approving. Use number matching or similar features that require a bit more attention before clicking.
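One way these three rules could fit together on the server side, as an added example that is not from the original article or from any vendor's product: the class name, policy values and prompt fields below are assumptions chosen for illustration.

```python
import secrets
from collections import defaultdict, deque

MAX_PROMPTS = 3        # assumed policy: pushes allowed per user per window
WINDOW_SECONDS = 300   # assumed policy: length of the sliding window
MAX_DENIALS = 3        # assumed policy: rejected prompts in a row before lockout

class PushPolicy:
    """Hypothetical push-MFA gate: throttling, lockout, context, number matching."""

    def __init__(self):
        self.sent = defaultdict(deque)    # user -> send times inside the window
        self.denials = defaultdict(int)   # user -> consecutive rejected prompts
        self.locked = set()               # users needing a help-desk reset

    def request_push(self, user, now, device, location):
        """Return the prompt to send, or None when throttled or locked."""
        if user in self.locked:
            return None
        times = self.sent[user]
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()               # forget prompts older than the window
        if len(times) >= MAX_PROMPTS:
            return None                   # a flood stops here, not on the phone
        times.append(now)
        # Number matching: the code is shown on the login screen and must be
        # typed into the app, so a reflexive tap cannot approve the prompt.
        return {"user": user, "device": device, "location": location,
                "match_code": f"{secrets.randbelow(100):02d}"}

    def record_response(self, prompt, typed_code):
        """Approve only on a matching code; anything else counts as a denial."""
        user = prompt["user"]
        if typed_code == prompt["match_code"]:
            self.denials[user] = 0
            return True
        self.denials[user] += 1           # denied, expired, or wrong code
        if self.denials[user] >= MAX_DENIALS:
            self.locked.add(user)
        return False
```

Passing `None` as `typed_code` represents a denied or expired prompt; the caller supplies `now` in seconds so the window logic can be tested without a real clock.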

2. Switch to Better Tools That Reduce Friction

Adaptive MFA checks things like your usual location or device and skips prompts when things look normal. Biometrics like Face ID or fingerprints make login faster. Password-less options like security keys or authenticator apps cut down on prompts. Continuous authentication can even verify you in the background by tracking behavior like typing or mouse movement.

3. Use Single Sign-on to Cut Down on Logins

SSO lets people log in once and access all their work tools without repeated prompts. When everything runs through one trusted system, it’s easier to manage and easier on the user.

What the Big Players Are Doing Right

Some of the biggest tech companies have already made changes to reduce MFA fatigue without weakening security. Here’s what they’re doing:

  • Google uses simple push prompts that let users tap “Yes” or “No” instead of entering a code. It’s faster and easier, which makes people less likely to get frustrated or make mistakes.
  • Microsoft has pushed for passwordless logins using Windows Hello. Users can log in with a fingerprint or face scan, cutting out both passwords and repeated MFA prompts.
  • Slack uses adaptive authentication through Okta. If you’re logging in from a trusted device or location, you may not get prompted at all. But if something seems off, you’ll be asked to verify.
  • Uber updated its training after its 2022 breach. Employees now get better guidance on how to spot unusual MFA activity and avoid approving random requests.
  • Cisco and AWS both use context-aware MFA. Their systems check factors like device type, location, and behavior to decide whether to prompt the user or not. If everything looks normal, no prompt is sent.

The Bottom Line

MFA is still one of the best ways to protect accounts, but too many prompts can backfire. When users get overwhelmed, they start making mistakes, and that’s exactly what attackers are counting on.

The goal isn’t to get rid of MFA. It’s to make it smarter and less disruptive. A few simple changes, like limiting prompts, using adaptive tools, and training users to stay alert, can go a long way in keeping both security and productivity intact.

Marshall Gunnell
IT & Cybersecurity Expert

Marshall, a Mississippi native, is a dedicated IT and cybersecurity expert with over a decade of experience. Along with Techopedia, his articles can be found on Business Insider, PCWorld, VGKAMI, How-To Geek, and Zapier. His articles have reached a massive audience of over 100 million people. Marshall previously served as the Chief Marketing Officer (CMO) and technical staff writer at StorageReview, providing comprehensive news coverage and detailed product reviews on storage arrays, hard drives, SSDs, and more. He also developed sales strategies based on regional and global market research to identify and create new project initiatives. Currently, Marshall resides in…