MFA Fatigue Attacks: How Push Notifications Became a Cybersecurity Risk

Are Push Notifications Putting Your Business at Risk? Understanding MFA Fatigue Attacks

Multi-Factor Authentication (MFA) has been the cornerstone of secure logins for over a decade. It's the extra step that is supposed to separate a leaked password from a full-blown data breach. Push fatigue attacks show that the step is only as strong as the person holding the phone.

Push fatigue, also called MFA bombing or prompt bombing, isn't new, but in 2025 it is still exposing a major weakness in many MFA deployments. The tactic relies not on brute force or malware, but on human frustration. And it's increasingly used to compromise small and mid-sized businesses that thought they were protected.

Let’s unpack how this works, why it’s growing, and what you can do to defend against it.

What is MFA Fatigue and How Does It Work?

Most SMBs today use push-based MFA, such as Microsoft Authenticator, Duo, or Okta Verify. When a sign-in is attempted with the correct password, the platform sends a push notification to the employee's phone. If the sign-in is theirs, the user taps "Approve." If it isn't, they tap "Deny" or ignore it. In its simplest form, that single tap is the entire second factor.

Simple enough - until attackers flip the script.

Here’s what happens in an MFA fatigue attack:

  1. A cybercriminal acquires valid login credentials (often via phishing, infostealer malware, or leaked credential dumps sold online).
  2. They start sign-in after sign-in with those credentials, each one triggering a push notification on the employee's phone, often in a tight burst or late at night.
  3. Overwhelmed or annoyed, the employee taps "Approve" just to make it stop - or is talked into it by a caller claiming to be IT support.
  4. The attacker's sign-in completes with a valid session for that account, without ever needing to defeat the second factor. Whatever that account can reach - mailbox, files, VPN, admin portals - is now theirs.

The attack doesn't break MFA. It gets the legitimate user to complete MFA on the attacker's behalf by targeting the weakest link: human behavior. Repetition, urgency, and inconvenience create the perfect conditions for a mistake.

The Rise of MFA Fatigue: Why Now?

The tactic became widely known in 2022 when a major breach at Uber was traced to this exact method. The attacker, using a contractor's stolen credentials, spammed the contractor with push requests, then contacted them posing as Uber IT support and convinced them to approve one.

Since then, the tactic has only grown. According to a 2023 report from CISA (U.S. Cybersecurity and Infrastructure Security Agency), MFA fatigue was observed in multiple successful attacks on U.S. infrastructure and private-sector companies.

Stat: Over 60% of all reported phishing-related breaches in 2023 involved MFA bypass techniques, with push fatigue being among the top 3 methods.
(Verizon 2024 Data Breach Investigations Report)

Why the surge? Because push-based MFA has become the default for many businesses - especially SMBs looking for simple, low-cost solutions. A push prompt that needs nothing more than a tap is convenient, and that same single tap is exactly what the attacker is fishing for.

Why SMBs Are Especially Vulnerable

Small and mid-sized businesses often have fewer resources to monitor identity and access threats. They’re also less likely to have custom security protocols or internal IT staff trained to detect these types of attacks.

Other reasons SMBs are at risk:

  • Most don't cap how many push prompts a user can receive in a short window, so nothing stops the flood
  • Employees are rarely trained to treat a run of prompts they didn't start as a red flag to report
  • Legacy apps and protocols often can't use modern authentication at all, so they get no benefit from number matching or biometric verification
  • There's a general lack of awareness of this threat model

Attackers know this. That’s why they’re targeting the small fish - not just the big ones.

How to Defend Against MFA Fatigue Attacks

The good news is that defending against MFA fatigue doesn’t require ripping out your entire authentication system. But it does require rethinking your MFA configuration and layering in smarter safeguards.

1. Upgrade to Number Matching or Biometric MFA

Instead of a bare "Approve" button, number matching shows a number on the sign-in screen that the user must type into the authenticator app. An attacker's prompt carries a number that only the attacker's screen displays, so a tired user can't complete it by accident, and the "spam and win" loop is broken. Requiring a fingerprint or face unlock before the app will approve adds a deliberate step on top of that; the strongest option is an authenticator with no remotely triggerable prompt at all, such as a FIDO2 security key or passkey.

Microsoft enforced number matching for all Microsoft Authenticator push notifications in 2023; Duo offers the same protection as Verified Duo Push.

Stat: Organizations using number matching saw a 98% drop in successful MFA fatigue attacks.
(Source: Microsoft Security Blog)
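To make the difference concrete, here is a small model of a push-MFA server in both modes. This is an example added for this post, not code from Microsoft, Duo, Okta or ThinkSwift; the class names, the two-digit number range, the three-strikes lockout and the victim's behaviour are assumptions for the demo rather than a description of any specific product.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    """One sign-in attempt waiting for a tap on the user's phone."""
    user: str
    number: int           # shown ONLY on the browser that started the sign-in
    approved: bool = False
    failures: int = 0     # wrong numbers typed into the authenticator app


class PushMfaServer:
    """Toy identity provider (assumed design, not any vendor's code).

    number_matching=False: any Approve tap completes the newest prompt.
    number_matching=True : the tap must carry the number displayed on the
    sign-in screen; after max_failures wrong entries the prompt is voided.
    """

    def __init__(self, number_matching: bool, max_failures: int = 3):
        self.number_matching = number_matching
        self.max_failures = max_failures
        self.pending: dict[str, list[PushChallenge]] = {}

    def start_login(self, user: str) -> PushChallenge:
        """Password was correct; push a prompt. Two-digit numbers, 10..99."""
        challenge = PushChallenge(user=user, number=secrets.randbelow(90) + 10)
        self.pending.setdefault(user, []).append(challenge)
        return challenge

    def approve(self, user: str, entered_number: Optional[int] = None) -> bool:
        """Called when the user acts on the prompt currently on the phone."""
        queue = self.pending.get(user, [])
        if not queue:
            return False
        challenge = queue[-1]
        if not self.number_matching:
            challenge.approved = True      # plain push: the tap is the whole check
            queue.clear()
            return True
        if entered_number == challenge.number:
            challenge.approved = True
            queue.clear()
            return True
        challenge.failures += 1
        if challenge.failures >= self.max_failures:
            queue.pop()                    # voided; the attacker must start over
        return False


def wrong_number_for(challenge: PushChallenge) -> int:
    """The victim never saw the attacker's screen, so anything she types is a
    blind guess. For a deterministic demo, return a number that is certainly wrong."""
    return 10 if challenge.number != 10 else 11


def simulate_push_bombing(number_matching: bool, prompts: int = 10) -> bool:
    """Attacker holding alice's stolen password fires `prompts` sign-ins.
    Returns True if any attacker-initiated prompt ends up approved."""
    server = PushMfaServer(number_matching=number_matching)
    attacker_prompts = [server.start_login("alice") for _ in range(prompts)]
    # Worn down, alice acts on the newest prompt just to make the buzzing stop.
    newest = attacker_prompts[-1]
    guess = wrong_number_for(newest) if number_matching else None
    server.approve("alice", entered_number=guess)
    return any(p.approved for p in attacker_prompts)


def legitimate_login(server: PushMfaServer, user: str) -> bool:
    """The real user types the number from her own sign-in screen."""
    challenge = server.start_login(user)
    return server.approve(user, entered_number=challenge.number)


if __name__ == "__main__":
    print("plain push, attacker wins:     ", simulate_push_bombing(number_matching=False))
    print("number matching, attacker wins:", simulate_push_bombing(number_matching=True))
    print("number matching, real user:    ", legitimate_login(PushMfaServer(True), "alice"))
```

Two things worth noticing in the model: a two-digit number still leaves a 1-in-90 chance that a blind guess lands, which is why number matching is paired with a lockout on wrong entries and with the rate limiting described in the next section, and real authenticator apps also show context (the requesting application and approximate location) next to the number so the user has a second reason to hit Deny.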

2. Enable Push Rate Limiting and Timeouts

Most enterprise MFA platforms support some combination of these controls: a cap on how many push prompts a user can receive per minute or hour, short expiry on unanswered prompts, and a lock on the second factor after repeated denials. Turn them on. A user who has denied several prompts in a few minutes should not receive another one, and that run of denials should raise an alert rather than quietly scroll past. Most apps also let the user report a prompt they didn't start as suspicious; make sure those reports reach whoever handles incidents.
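As an added illustration (not code from any MFA vendor or from ThinkSwift's tooling), the following Python applies both halves of the advice above to a constructed sample of push events: a per-user throttle that stops sending prompts once a burst is under way, and a detector that flags the burst itself and, more seriously, an approval that arrives right after a run of denied or expired prompts. The log layout, outcome names, thresholds and sample lines are all made up for the example.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events (made up for this example; the
# "<time> <user> <outcome>" layout is an assumption, not any vendor's log format).
# Outcomes: push_approved, push_denied, push_timeout (prompt expired untouched).
SAMPLE_LOG = """\
2025-03-04T08:15:00Z bob   push_approved
2025-03-04T09:00:05Z alice push_timeout
2025-03-04T09:00:41Z alice push_denied
2025-03-04T09:01:12Z alice push_denied
2025-03-04T09:01:50Z alice push_timeout
2025-03-04T09:02:33Z alice push_denied
2025-03-04T09:03:07Z alice push_approved
2025-03-04T12:40:00Z bob   push_denied
2025-03-04T17:05:00Z bob   push_approved
"""

WINDOW = timedelta(minutes=10)


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the sample lines into (timestamp, user, outcome), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_fatigue(events, window=WINDOW, threshold=4):
    """Sliding window per user. Emits:
      ("burst", user, ts)                when `threshold` prompts land inside `window`
      ("approved_after_burst", user, ts) when an approval follows a run of
                                          denied/expired prompts - the fatigue signature
    """
    alerts = []
    recent = defaultdict(deque)          # user -> deque of (ts, outcome) in window
    already_flagged = set()
    for ts, user, outcome in events:
        q = recent[user]
        q.append((ts, outcome))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in already_flagged:
            already_flagged.add(user)
            alerts.append(("burst", user, ts))
        if outcome == "push_approved" and len(q) >= threshold:
            earlier = [o for _, o in list(q)[:-1]]
            if all(o != "push_approved" for o in earlier[-(threshold - 1):]):
                alerts.append(("approved_after_burst", user, ts))
    return alerts


class PushThrottle:
    """Server-side cap: at most `limit` prompts per user per `window`.
    Attempts over the cap get no push at all (the sign-in fails or falls
    back to a factor the attacker cannot trigger remotely)."""

    def __init__(self, limit: int = 3, window: timedelta = WINDOW):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)

    def allow(self, user: str, ts: datetime) -> bool:
        q = self.sent[user]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def suppressed_prompts(events, limit: int = 3) -> dict[str, int]:
    """Replay the log through the throttle; count prompts that would never be sent."""
    throttle = PushThrottle(limit=limit)
    counts = {user: 0 for _, user, _ in events}
    for ts, user, _ in events:
        if not throttle.allow(user, ts):
            counts[user] += 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_fatigue(evs):
        print("ALERT", *alert)
    print("prompts a 3-per-10-minute cap would have dropped:", suppressed_prompts(evs))
```

On the sample, alice trips the burst alert on her fourth prompt and the approved-after-burst alert on the sixth; with a cap of three prompts per ten minutes, the prompt she eventually approved would never have reached her phone. Bob's three prompts spread across the day trigger nothing, which is the point: the thresholds are tuned to the cadence of an attacker, not of a normal workday.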

3. Train Employees to Recognize the Signs

Awareness is everything. Employees should be taught that a push prompt they didn't initiate means their password is already in someone else's hands, and that repeated prompts, sign-ins at unusual times, and calls from "IT" asking them to approve are the signs of an attack in progress. These red flags should trigger a Deny and an incident report, not an approval tap.

4. Use Contextual Access Policies

Modern access management tools (Conditional Access in Microsoft Entra, sign-on policies in Okta) can evaluate each sign-in for anomalies - unrecognized locations, unmanaged devices, impossible travel, odd hours - and block it or demand a stronger factor before any push is ever sent. Stopping the attempt at the policy layer means the employee never has to make the call.

ThinkSwift’s Cyber360 Identity Protection

We help Canadian SMBs move beyond outdated MFA configurations with real-world identity security solutions.

We don’t stop at installation - we build a full access control strategy that includes:

  • Conditional MFA enforcement
  • Number matching and biometric authentication
  • Microsoft 365 and Google Workspace integration
  • Rate limiting and behavior analytics
  • Continuous dark web monitoring for leaked credentials
  • End-user training for phishing, MFA fatigue, and credential hygiene

And because we're also your cyber insurance partner, we help you qualify for stronger protection with proven, enforceable security practices - something insurance underwriters increasingly require.

Your MFA Strategy Is Only as Strong as Its Weakest Tap

Don’t let one wrong tap compromise your business.

The reality is that threat actors are evolving. So should your defenses. MFA fatigue attacks prove that cybersecurity is no longer just a technical issue - it’s a behavioral one. Businesses that recognize this early will avoid costly breaches and remain resilient in an increasingly sophisticated threat landscape.
