By Joseph Khalil
So, what exactly is MFA fatigue?
MFA fatigue occurs when an attacker already has your password, most commonly obtained through social engineering, particularly phishing. The attacker repeatedly attempts to log in to your account, triggering a flood of MFA prompts on your device.
These repeated notifications can wear you down through annoyance, confusion, or exhaustion. As the prompts continue, sometimes late at night or when you’re busy (for example, waiting in line for your favorite latte at Starbucks), you might eventually tap “Approve” just to stop them, assuming it’s a glitch or a routine authentication check.
Once a single prompt is approved, the attacker gains access to the account.
Another example involves attackers contacting the victim while pretending to be IT support and asking them to approve the authentication request. This is a form of social engineering known as pretexting. In many cases, the attacker already obtained the victim’s password through phishing. According to the Cyber Security Breaches Survey 2025, phishing is involved in 85% of cyber incidents affecting businesses, which is often how attackers gain the credentials needed to launch an MFA fatigue attack.
When you are asleep, they come
A middle-of-the-night attack, combined with social engineering, exploits two things at once: fatigue and trust.
These attacks are effective because they target people when they are least alert and most likely to make a quick decision. Imagine waking up in the middle of the night to multiple authentication prompts on your phone. Half awake, you may approve the request just to make the notifications stop.
It sounds like the plot of a Stephen King novel, but MFA fatigue attacks happening overnight are a very real tactic used by attackers.
Don’t believe me? Take a taxi ride below.
The Uber MFA Fatigue Attack
One of the most well-known MFA fatigue attacks happened in 2022 at Uber.
The attacker first obtained an employee’s credentials through a phishing campaign. Once they had the username and password, they began repeatedly attempting to log in to the company’s VPN. Each login attempt triggered an MFA push notification to the employee’s phone.
The attacker didn’t stop after one attempt. They kept sending authentication requests over and over again, effectively spamming the employee with MFA prompts.
Eventually, the attacker took the social engineering step further. They contacted the employee through messaging and pretended to be a member of the IT support team, claiming the MFA prompts were part of a system check and asking the employee to approve one of them.
The employee approved the request.
That single approval gave the attacker access to internal systems. From there, the attacker was able to access administrative tools and internal resources and even post messages in company communication channels.
The incident demonstrated a critical lesson for security teams: MFA can be bypassed when attackers exploit human behavior rather than technology.
Why do companies still use MFA everywhere?
Despite these risks, organizations still rely heavily on MFA because it remains one of the most effective ways to protect accounts.
Passwords alone are easily stolen, reused, or guessed. Modern cyberattacks are highly automated, and MFA provides an additional security layer that blocks many of them. Regulations in industries such as finance and healthcare also require MFA, and it is far cheaper than dealing with a data breach. Many organizations still run legacy systems that cannot support modern passwordless authentication. Quite simply, MFA is a strong option that acts as a bridge toward stronger identity security.
However, statistics show that MFA is not a silver bullet. Intelogy reported that in 2025, 56% of organizations that experienced a breach had MFA enabled, often because attackers bypassed it through social engineering or credential theft.
The security trade-off: protection vs exhaustion
The challenge is balancing security with usability.
More MFA prompts can increase security, but they can also lead to prompt fatigue, where users begin approving requests automatically without thinking. When that happens, the protection MFA provides is weakened.
Many organizations accept this trade-off because removing MFA would expose them to a far greater risk. At the same time, not all companies have implemented smarter authentication systems yet, and legacy applications often limit what security controls can be deployed.
The future of MFA
The good news is that identity security is evolving.
Modern identity platforms are moving toward adaptive authentication, where MFA is only triggered when something appears risky. For example, Microsoft Entra ID can trigger MFA when a risky sign-in is detected through conditional access policies.
Organizations are also adopting phishing-resistant MFA, such as FIDO2 security keys, which cannot be approved remotely by an attacker.
So what now?
The solution is not to remove MFA but to use it more intelligently while reducing unnecessary friction for users. Organizations should implement phishing-resistant authentication methods such as FIDO2 security keys, which are far more resistant to credential theft, and adopt adaptive MFA policies that trigger additional authentication only when risk is detected, rather than prompting users every time they log in. User education is equally important: employees should understand MFA fatigue attacks and be able to recognize suspicious authentication prompts, such as prompts for logins they did not initiate. In addition, security teams should continuously monitor authentication logs for signs of MFA spam, such as repeated login attempts or bursts of denied or unanswered push prompts for a single account, which could indicate an attack. Ultimately, the goal is to apply MFA in a way that reduces unnecessary prompts while still maintaining strong identity security.
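One way to implement that log monitoring, as an added example that is not part of the original post: a short Python script that scans constructed sign-in log lines (the "timestamp user result ip" layout is a hypothetical IdP export, not any real product's schema) for a burst of denied or unanswered push prompts per user inside a sliding window, and raises a higher-severity alert when an approval follows such a burst, which is the pattern described in the Uber incident above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data); hypothetical IdP export layout.
SAMPLE_LOG = """\
2025-03-02T02:11:05Z alice push_timeout 203.0.113.7
2025-03-02T02:11:40Z alice push_denied 203.0.113.7
2025-03-02T02:12:15Z alice push_timeout 203.0.113.7
2025-03-02T02:12:50Z alice push_denied 203.0.113.7
2025-03-02T02:13:30Z alice push_timeout 203.0.113.7
2025-03-02T02:14:02Z alice push_approved 203.0.113.7
2025-03-02T09:00:00Z bob push_approved 198.51.100.4
2025-03-02T09:30:00Z bob push_denied 198.51.100.4
"""

WINDOW = timedelta(minutes=10)  # look-back window per user
THRESHOLD = 4                   # denied/unanswered prompts that make a burst
REJECTED = ("push_denied", "push_timeout")

def parse_line(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, kind, timestamp, prompt_count) alerts: kind is "burst" for
    >= threshold rejected prompts in the window, "approved_after_burst" if the
    user then approves while the burst is still open (the user gave in)."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # user -> timestamps of rejected prompts
    burst_open = set()           # users already alerted for the current burst
    alerts = []
    for ts, user, result, ip in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            burst_open.discard(user)      # burst expired; a new one may re-alert
        if result in REJECTED:
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append((user, "burst", ts, len(q)))
        elif result == "push_approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts, len(q)))
            q.clear()                     # an approval closes the prompt sequence
            burst_open.discard(user)
    return alerts
```

On the sample log this flags alice twice (a burst of four rejected prompts, then an approval after five) and bob not at all; in practice the window and threshold should be tuned against the normal rate of accidental denials in your own sign-in data.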
MFA fatigue attacks don’t break security systems — they break human patience.