MFA Fatigue
MFA Fatigue is a condition where users are prompted for MFA verification repeatedly or unexpectedly, leading them to approve prompts without thinking or to disable MFA entirely. It is a vector for account takeover where attackers weaponize the authentication system itself.
# WHAT TEAMS RUN INTO
- Attackers use MFA fatigue as an attack method. An attacker who has compromised a password submits repeated login attempts, triggering MFA prompt after prompt, until the user approves one out of frustration without checking what they are approving.
- Legitimate systems generate MFA fatigue too. Risk engines trigger MFA on every unusual login, frequent travellers look unusual by definition, and admins need repeated MFA approvals for routine privileged access.
- No good mechanism exists to distinguish attacker fatigue from legitimate fatigue. Users cannot simply refuse a prompt because it might be legitimate, and the system cannot tell whether a user approved because they recognised the request or because they were worn down.
# WHY IT MATTERS
MFA Fatigue shows that authentication is not just a technical problem — it is a human factors problem. An authentication system that triggers too many legitimate prompts trains users to ignore all prompts, turning authentication into a reflex instead of a security control. The solution is not better MFA — it is smarter authentication systems that distinguish between legitimate use patterns and attacks, so users only see MFA when they actually need it.
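The bombardment pattern described above does leave a signal the system can act on: a burst of push prompts for one user, almost all denied or timed out, sometimes ending in a single approval. The following added example (not part of the original text, and not any vendor's implementation) runs that check over constructed push-notification log lines in an assumed `timestamp user=... result=...` format and separates the bombarded account from a busy admin and a traveller who mistyped once:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not from any real IdP); the line format is assumed.
SAMPLE_LOG = """\
2024-03-01T02:14:05Z user=alice result=denied
2024-03-01T02:14:40Z user=alice result=timeout
2024-03-01T02:15:12Z user=alice result=denied
2024-03-01T02:15:50Z user=alice result=timeout
2024-03-01T02:16:30Z user=alice result=denied
2024-03-01T02:17:02Z user=alice result=approved
2024-03-01T08:00:00Z user=bob result=approved
2024-03-01T09:30:00Z user=bob result=approved
2024-03-01T11:00:00Z user=bob result=approved
2024-03-01T13:15:00Z user=bob result=approved
2024-03-01T10:02:00Z user=carol result=denied
2024-03-01T10:02:30Z user=carol result=approved
"""

def parse_log(text):
    """Group (timestamp, result) pairs per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[kv["user"]].append((when, kv["result"]))
    for prompts in events.values():
        prompts.sort()
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold prompts inside window, nearly all rejected or timed out.
    The finding records whether an approval landed inside the burst (the worst case)."""
    findings = []
    for user, prompts in events.items():
        finding, start = None, 0
        for end, (when, _) in enumerate(prompts):
            while when - prompts[start][0] > window:   # slide the window forward
                start += 1
            burst = prompts[start:end + 1]
            rejected = sum(1 for _, r in burst if r != "approved")
            if len(burst) >= threshold and rejected >= threshold - 1:
                finding = {"user": user, "prompts": len(burst), "rejected": rejected,
                           "approved_in_burst": rejected < len(burst)}
        if finding:                      # keep the widest burst seen for this user
            findings.append(finding)
    return findings
```

A finding with `approved_in_burst` set is the case to treat as a probable compromise rather than a nuisance; a finding without it is the point at which further push prompts for that user should be suppressed before the user gives in.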