MFA Fatigue

    Multi‑factor authentication (MFA) is one of the strongest ways to protect your accounts, but attackers have found a new way to abuse it called MFA fatigue. Instead of breaking the technology, they try to wear you down with constant notifications until you make a mistake and tap “Approve.”

    Why MFA fatigue is an advanced attack

    MFA fatigue is not a beginner attack. For it to work, the attacker must already have your correct username and password. They usually obtain those in one of the following ways:

    • A phishing email or fake login page where someone typed their real credentials
    • A past data leak or breach where old passwords were exposed and then reused on work accounts

    Once they have those credentials, they repeatedly try to log in as you. Every attempt sends an MFA prompt to your phone or authenticator app. They are not controlling your phone; they are simply using your stolen details over and over, hoping you will eventually approve one request.

    Think of traditional phishing: attackers send many scam emails and hope that at least one person clicks the fake link. MFA fatigue is similar:

    • Phishing: “Maybe one person will click the link.”
    • MFA fatigue: “Maybe one person will get annoyed or confused and tap Approve.”

    They often send these prompts late at night, during your commute, or while you are in a busy meeting—times when you are more likely to think “This is just a system glitch” and approve it to make the prompts stop.

    For the attacker, that single tap is a big win. It can give them access to your email, internal systems, and files, and may allow them to reset other passwords and move deeper into your organization’s network.

    How to protect yourself

    You do not need to be technical to stop MFA fatigue. A few simple habits are enough.

    Golden rule: Only approve an MFA request if you just entered your password and are logging in right now, on that device, to that app or website. If you did not initiate the login, never tap “Approve.”

    If you keep getting prompts even after pressing “Deny,” treat it as a warning. Change your password as soon as possible.
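    The pattern described above, a stream of prompts that the user keeps denying, is also visible to whoever runs the MFA service. The following is an added example (not code from the original page or from any MFA vendor) of how an IT or security team could spot it in authentication logs. It assumes a simplified, constructed log format of "timestamp user push result", where result is one of approved, denied or timeout; the line format, the 10-minute window and the threshold of three prompts are assumptions, not values from the page. It raises one alert when a user receives a burst of prompts they did not approve, and a more serious one when an approval arrives right after such a burst, which is the "single tap" the attacker is waiting for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log lines (not taken from the original page).
# Format assumed for this example: "<ISO timestamp> <user> push <result>".
SAMPLE_LOG = """\
2024-05-02T02:11:04Z alice push denied
2024-05-02T02:11:41Z alice push denied
2024-05-02T02:12:15Z alice push timeout
2024-05-02T02:12:52Z alice push denied
2024-05-02T02:13:30Z alice push denied
2024-05-02T02:14:05Z alice push approved
2024-05-02T09:00:10Z bob push approved
2024-05-02T17:30:00Z bob push denied
2024-05-02T17:45:00Z bob push approved
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window per user
BURST_THRESHOLD = 3              # assumed: this many unapproved prompts in WINDOW


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return a list of alert dicts, in time order.

    kind == "burst": a user has received `threshold` or more prompts inside
        `window` without approving any of them (repeated Deny / timeout).
    kind == "approve_after_burst": the user approved a prompt while such a
        burst was still in progress; this is the outcome the attacker wants.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts in window
    burst_reported = set()        # users already alerted for the current burst

    for ts, user, result in sorted(events):
        q = recent[user]
        # Drop prompts that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()

        if result != "approved":
            q.append(ts)
            if len(q) >= threshold and user not in burst_reported:
                alerts.append({"user": user, "kind": "burst", "time": ts, "count": len(q)})
                burst_reported.add(user)
        else:
            if len(q) >= threshold:
                alerts.append({"user": user, "kind": "approve_after_burst",
                               "time": ts, "count": len(q)})
            # An approval ends the burst either way; start fresh for this user.
            q.clear()
            burst_reported.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

    On the sample data, alice triggers a "burst" alert at the third unapproved prompt and an "approve_after_burst" alert when she finally taps Approve at 02:14; bob, who denies one prompt and approves an unrelated login fifteen minutes later, triggers nothing. The second alert kind is the one to act on immediately, because it matches the page's point that a single approval after a run of denials is exactly what the attacker is after; the first is the early warning the text describes, and the response the page gives for it, changing the password, applies before any approval happens.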

    If someone calls, emails, or chats saying, “This is IT, please approve the next prompt,” do not do it. Verify using an official company contact or help desk channel first.

    MFA is still a powerful shield for everyone, technical or not. Attackers are just trying to turn your frustration and tiredness into an opportunity. Remember one simple line: “I will only approve what I started.” That mindset turns MFA fatigue from a serious risk into something you can easily block.