What is MFA fatigue

MFA fatigue is a type of social engineering attack where malicious actors bombard a user with repeated multi-factor authentication (MFA) requests, hoping that they will approve one out of frustration or exhaustion. MFA fatigue specifically targets the human element of cybersecurity, i.e. it tries to trick the user rather than break into the system directly.

How does an MFA fatigue attack work?

Here’s how a typical MFA fatigue attack unfolds:

  1. The attacker gets their hands on the user's primary login credentials (e.g. username and password). This is a prerequisite for an MFA fatigue attack, as the attacker needs to have some level of access to trigger the MFA prompts. They may obtain these credentials through phishing, data breaches, malware or a vulnerability in the authentication system.
  2. With the stolen credentials, the attacker tries to log into the target system. However, the system requires MFA to proceed.
  3. The attacker generates a series of MFA requests to the target’s phone, email or authenticator app. They may do this by:
    • Submitting multiple login attempts with incorrect passwords.
    • Using automated scripts to generate MFA requests.
    • Exploiting vulnerabilities in the MFA system.
  4. The target user receives a constant stream of MFA notifications in a short period, and becomes frustrated and/or anxious. This state of mental exhaustion makes them more susceptible to committing a mistake.
  5. Out of annoyance, confusion or simply a desire to stop the notifications, the user may eventually approve one of the MFA requests.
  6. As soon as the user approves the request, the attacker gains access to the target account or system.
What do hackers do after a successful MFA fatigue attack?

An MFA fatigue attack targets the MFA layer of a layered access control system: the attacker already holds valid login credentials and is trying to reach the systems those credentials protect. By chaining the pieces of the attack together, the MFA bypass enables hackers to:

  • Steal personal or confidential data stored in the account.
  • Exploit vulnerabilities (or the lack of additional controls) to escalate to privileged access. This would allow them to move laterally within the network and authenticate to even more valuable systems and data.
  • Deploy malicious software to further infiltrate or damage the system.
  • Set up hidden access points to maintain remote control over the system.
  • Send emails or messages impersonating the user to deceive others and propagate further attacks.

Types of MFA fatigue attacks

In addition to the basic MFA attack we discussed above, there are other variations that malicious actors use to exploit human psychology and bypass MFA security. We’ll discuss some of them below:

An urgent threat

Attackers create a sense of urgency by sending MFA requests with messages like "Your account will be locked if you don't approve this request immediately." This tactic preys on the user’s fear of losing access to their account.

Masquerading as a trusted source

They disguise themselves as a trusted entity, like a colleague, manager or IT support, to convince the user to approve the MFA request. For example, “Hi, this is John from IT. We need you to approve this MFA request to update your security settings."

Timing the attack

They may time their malicious MFA requests to coincide with the user’s normal login times or during periods of high activity. This makes it more likely for the user to unknowingly approve a malicious request, as it blends in with their usual workflow.

Real-world examples of MFA fatigue attacks

There are several high-profile incidents that highlight the effectiveness of MFA fatigue attacks. Here are some examples:

Cisco

In May 2022, an attacker used a combination of MFA fatigue and sophisticated vishing (voice phishing) techniques to compromise a Cisco employee’s account. The employee was bombarded with a relentless series of voice calls and push notifications for login approval. Eventually, they succumbed to the attacker’s persistence, and approved a fraudulent MFA request, granting the attacker access to the Cisco network.

Uber

In September 2022, a malicious actor stole the credentials of a contractor at Uber. They then repeatedly triggered MFA requests until the user, overwhelmed by the constant notifications, approved one. As a result, the malicious actor was able to access several of Uber’s internal systems, and even disrupt some of their services.

Apple

In 2024, Apple customers fell victim to MFA fatigue attacks. Hackers managed to bypass security measures, including CAPTCHA challenges and rate limits on the "forgot password" page, to bombard users with repeated MFA requests.

Proven methods that prevent MFA fatigue

MFA fatigue is a serious threat, but there are steps that organizations can take to mitigate the security risks. For example, they can:

  1. Use adaptive authentication
    Implement security measures that consider additional context beyond just the login attempt. This can include location, time of day, device fingerprint and behavioral analytics to identify anomalies and flag suspicious login attempts.
  2. Limit MFA request attempts
    Set a threshold for the number of MFA requests that can be sent in a short period. If this limit is reached, temporarily block subsequent requests and alert the user and IT team.
  3. Use FIDO2 authentication
    Leverage FIDO2 authentication that uses physical security keys or biometric data. FIDO2 methods are more resistant to phishing and MFA fatigue attacks, as they require physical possession or biometric verification.
  4. Educate users
    Regularly train users on the importance of MFA and the tactics used in MFA fatigue attacks. Aware users are more likely to recognize malicious MFA requests.
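As an added example (not code from the original article), the following Python sketches measure 2 above together with one behavioral signal from measure 1: a per-user sliding-window throttle on MFA push challenges that blocks and raises an alert once the threshold is reached, plus a rule that flags an approval following repeated denials in the same window. The thresholds, the event schema (seconds, user, action) and the user names are constructed assumptions, not any real product's policy or log format.

```python
from collections import defaultdict, deque

MAX_PUSHES = 5        # pushes allowed per user per window (assumed policy value)
WINDOW_SECONDS = 300  # sliding 5-minute window
MIN_DENIALS = 2       # an approval after this many denials is suspicious

class PushThrottle:  # per-user sliding-window throttle for MFA push challenges
    def __init__(self):
        self.pushes = defaultdict(deque)  # user -> timestamps of allowed pushes
        self.denials = defaultdict(int)   # user -> denials within the live window
        self.flooding = set()             # users currently blocked
        self.alerts = []                  # (ts, user, reason) for the SOC
    def _expire(self, user, ts):  # drop pushes older than the window
        q = self.pushes[user]
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if not q:  # window emptied: reset flood state and denial count
            self.denials[user] = 0
            self.flooding.discard(user)
    def on_push(self, user, ts):  # returns 'allow' or 'block'; one alert per flood
        self._expire(user, ts)
        if len(self.pushes[user]) >= MAX_PUSHES:
            if user not in self.flooding:
                self.flooding.add(user)
                self.alerts.append((ts, user, "push_flood_blocked"))
            return "block"
        self.pushes[user].append(ts)
        return "allow"
    def on_response(self, user, ts, approved):  # approval after denials is suspicious
        self._expire(user, ts)
        if not approved:
            self.denials[user] += 1
        elif self.denials[user] >= MIN_DENIALS:
            self.alerts.append((ts, user, "approve_after_denials"))

# Constructed sample events (seconds, user, action), not real logs.
SAMPLE_EVENTS = [
    (0, "alice", "push"), (1, "alice", "deny"), (30, "alice", "push"), (31, "alice", "deny"),
    (60, "alice", "push"), (61, "alice", "deny"), (90, "alice", "push"), (120, "alice", "push"),
    (150, "alice", "push"), (180, "alice", "push"), (200, "alice", "approve"),  # flood, then user gives in
    (0, "bob", "push"), (5, "bob", "approve"),  # ordinary login, no alert
]
def run(events):  # replay events in time order and summarise decisions and alerts
    t, counts = PushThrottle(), {"allow": 0, "block": 0}
    for ts, user, action in sorted(events):
        if action == "push":
            counts[t.on_push(user, ts)] += 1
        else:
            t.on_response(user, ts, approved=(action == "approve"))
    return {"allowed": counts["allow"], "blocked": counts["block"], "alerts": t.alerts}
```

On the sample data the sixth and seventh pushes for alice are blocked with a single alert, and her approval after three denials raises a second alert, while bob's ordinary login produces none.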

Conclusion

MFA fatigue is a serious security risk, but by understanding the attackers’ tactics and implementing the preventative measures outlined above, you can significantly reduce the risk of stolen data and compromised systems.