What is MFA Fatigue?
MFA fatigue, also called push notification fatigue, is an attack where an attacker sends repeated multi-factor authentication push notifications to a target's phone until the employee approves one out of frustration or habit. The attacker has already obtained valid credentials (from phishing, credential stuffing, or password spray attacks) and uses those credentials to request account access repeatedly. Each failed login attempt generates another MFA push notification. After dozens of notifications, the target stops reading each one carefully and approves the next one, inadvertently granting the attacker access.
How MFA Fatigue Attacks Work
The attack sequence is straightforward. First, the attacker obtains valid credentials for a target account through credential harvesting or breach data. Second, they attempt to log in with those credentials, which triggers an MFA push notification to the target's phone. Third, when the target denies the notification, the attacker immediately attempts the login again, generating another push notification; this repeats dozens of times in rapid succession, often at inconvenient hours. Fourth, after dozens of notifications (frequently at 2 AM), the exhausted employee either approves one to make the alerts stop or, worn down, stops reading them carefully and approves by reflex. Fifth, the attacker gains account access and can steal data, move laterally, or establish persistence.
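The sequence above leaves a distinctive trace in identity-provider sign-in logs: many unapproved push prompts for one user inside a short window, sometimes followed by an approval. The following detection logic is an added example written for this page, not code from the original article or from any vendor. The log format and the records are constructed for illustration; the field names, the threshold of five unapproved prompts and the ten-minute window are assumptions to tune against your own sign-in export.

```python
"""Flag MFA push-notification bursts in sign-in logs (added example).

Each record: <ISO-8601 timestamp> <user> <source ip> <mfa result>
where mfa result is "denied", "timeout" or "approved".  The format and
the sample records below are constructed; map them to the fields your
identity provider actually exports.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice receives five unapproved prompts in three
# minutes at 2 AM and then approves one; bob shows normal activity.
SAMPLE_LOG = """\
2022-09-15T02:01:10Z alice 203.0.113.7 denied
2022-09-15T02:01:42Z alice 203.0.113.7 denied
2022-09-15T02:02:15Z alice 203.0.113.7 timeout
2022-09-15T02:02:50Z alice 203.0.113.7 denied
2022-09-15T02:03:30Z alice 203.0.113.7 denied
2022-09-15T02:04:05Z alice 203.0.113.7 approved
2022-09-15T09:10:00Z bob 198.51.100.4 approved
2022-09-15T09:40:00Z bob 198.51.100.4 denied
"""

BURST_THRESHOLD = 5                  # assumed: unapproved prompts per user ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def parse_line(line):
    """Split one log record into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_push_fatigue(log_text, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return findings, in log order, as dicts with user, severity,
    prompts (unapproved prompts in the window), reason, source_ip and at.

    medium: a user has reached `threshold` unapproved prompts in `window`
            (the user is under pressure even if nothing was approved yet).
    high:   an approval arrives while that many unapproved prompts are
            still inside the window (the article's success condition).
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                findings.append({"user": user, "severity": "high", "prompts": len(q),
                                 "reason": "approval after push burst",
                                 "source_ip": ip, "at": ts})
        else:
            q.append(ts)
            if len(q) == threshold:  # fires once per crossing of the threshold
                findings.append({"user": user, "severity": "medium", "prompts": len(q),
                                 "reason": "push burst", "source_ip": ip, "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this yields a medium finding for alice at the fifth unapproved prompt and a high finding at the approval that follows it, while bob's two prompts half an hour apart produce nothing. The high finding is the one to route to incident response: under the article's own reasoning, it marks a probable credential compromise that has just turned into account access.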
Real-World MFA Fatigue Incidents
The Uber breach in 2022 demonstrated MFA fatigue at scale. The Lapsus$ group obtained Uber credentials, initiated repeated MFA push notifications to an Uber contractor's phone, and the contractor approved a notification out of frustration at 2 AM. With access to the contractor's account, Lapsus$ moved through Uber's network, accessed production databases, and stole source code and business data. Mandiant reported similar attacks against financial services firms in 2021, where attackers sent hundreds of MFA prompts in short bursts specifically timed for late night, when approval decisions become less careful. This attack cost Uber millions in response, recovery, and notification obligations.
Why MFA Fatigue Exploits Human Behavior
MFA fatigue succeeds because it weaponizes legitimate security notifications against human behavior and decision-making fatigue. Security systems assume users will carefully review each prompt and deny unauthorized access attempts. In reality, after 50 identical notifications, human attention collapses: the alert becomes background noise, and approval becomes a habitual response instead of a conscious security decision. Decision fatigue (the degradation in decision quality after many successive decisions) is a documented cognitive phenomenon. Attackers exploit this by compressing notifications into short time windows, forcing rapid decision-making that exhausts cognitive resources. The attack also creates time pressure and emotional stress (interrupted sleep), which further impair judgment.
How to Prevent MFA Fatigue
Modern MFA methods mitigate fatigue attacks through design. Number matching (the user must enter, in the push notification, a number shown on the login screen) eliminates automatic approval, because the number is displayed only to whoever entered the password; the attacker's push notifications give the target nothing correct to type. FIDO2 hardware keys sign the login challenge on the device where the key is physically present, binding the authentication to that device, so there is no push notification to approve and nothing for a remote attacker to trigger. These methods also eliminate the value of credential harvesting, because a stolen password alone cannot authenticate without the hardware key or the matching number. Organizations should enforce password-less authentication (FIDO2 keys) for sensitive accounts rather than relying on push notification approval. For accounts still using push notifications, implement rate limiting (block login attempts after 3 failures in 10 minutes) to stop rapid notification bursts. Train employees that an unexpected MFA prompt is a security incident to report, not a nuisance to tolerate, and that approving it hands the account to whoever triggered it.
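The two push-side controls above, number matching and a failure-based rate limit, fit naturally in the server component that decides whether to send a push at all. The class below is an added example written for this page; it is not the article's code and not any identity provider's API, and the class, method names and the three-failures-per-ten-minutes policy (taken from the text) are assumptions. A fake clock is injected so the lockout behaviour can be exercised without waiting.

```python
"""Server-side push MFA with number matching and rate limiting
(added example; names and design are assumptions, not a vendor API).

Flow: the password check succeeds -> request_push() picks a two-digit
number, records it as the expected answer and returns it for display on
the login screen -> the user types that number into the authenticator ->
approve_push() accepts only the matching number.  Denied prompts,
mismatches and stale approvals all count as failures; after MAX_FAILURES
in FAILURE_WINDOW_SECONDS no further push is sent for that user.
"""
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 3                # article: block after 3 failures ...
FAILURE_WINDOW_SECONDS = 600    # ... in 10 minutes


class PushMfaService:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # user -> timestamps of failures
        self.pending = {}                   # user -> number the open prompt expects

    def _recent_failures(self, user):
        """Drop failures older than the window and return the live ones."""
        now = self.clock()
        q = self.failures[user]
        while q and now - q[0] > FAILURE_WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, user):
        return len(self._recent_failures(user)) >= MAX_FAILURES

    def request_push(self, user):
        """Call after the password check.  Returns the number to show on the
        login screen, or None when the user is rate limited (no push sent)."""
        if self.is_locked(user):
            return None
        number = secrets.randbelow(100)  # 00-99; shown only to the password holder
        self.pending[user] = number
        return number

    def approve_push(self, user, entered_number):
        """User typed a number into the authenticator.  Only the number of the
        currently open prompt is accepted; anything else is a failure."""
        expected = self.pending.pop(user, None)
        if expected is not None and entered_number == expected:
            self.failures[user].clear()
            return True
        self.failures[user].append(self.clock())
        return False

    def deny_push(self, user):
        """User tapped deny or the prompt timed out; counts toward the lock."""
        self.pending.pop(user, None)
        self.failures[user].append(self.clock())


def simulate_repeated_prompts(attempts, seconds_apart=1.0):
    """Drive the service with a fake clock: a login attempt every
    `seconds_apart` seconds, the user denying every prompt that arrives.
    Returns (pushes actually sent, whether the user ended up locked)."""
    t = [1_000_000.0]
    svc = PushMfaService(clock=lambda: t[0])
    sent = 0
    for _ in range(attempts):
        t[0] += seconds_apart
        if svc.request_push("alice") is not None:
            sent += 1
            svc.deny_push("alice")
    return sent, svc.is_locked("alice")


if __name__ == "__main__":
    print(simulate_repeated_prompts(20))  # the burst is cut off after 3 pushes
```

With the rate limit in place, a burst of twenty login attempts produces three pushes and then silence, so the "dozens of notifications" the attack depends on never reach the phone. With number matching, a user who did not start the login never sees the number and therefore cannot approve by reflex; a wrong or stale answer is rejected and counts as a failure.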
Frequently Asked Questions
Can MFA fatigue happen with hardware security keys?
No. FIDO2 hardware keys don't send push notifications; authentication requires the physical key to sign the challenge on the device performing the login, so there is no prompt to wear the user down and MFA fatigue is impossible. This is why FIDO2 is resistant to fatigue attacks.
How many push notifications does it typically take?
The Lapsus$ attack on Uber required multiple notifications over a period of time until one was approved. There's no fixed number, as it depends on the target's tolerance and timing, but attackers send dozens in short bursts to maximize fatigue.
If an employee approves an MFA prompt they didn't request, is the account compromised?
Yes. An approved MFA prompt grants an attacker who already holds valid credentials access to the account. Treat it as a credential compromise incident immediately.
Why don't companies just use number-matching for all MFA push notifications?
Many are moving to number-matching now, but legacy systems and some vendors didn't implement it initially. Organizations should prioritize number-matching MFA or hardware keys (FIDO2) for any sensitive accounts.