What is MFA Fatigue?
MFA fatigue is an attack where a criminal who already has your password repeatedly triggers multi-factor authentication prompts — the push notifications on your phone — until you approve one just to make them stop. It exploits the very security measure designed to protect you by turning it into an annoyance that people instinctively dismiss. This technique has been used in several high-profile breaches.
How an MFA Fatigue Attack Works
Obtain valid credentials
The attacker first acquires a working username and password through credential stuffing, phishing, or purchasing them on the dark web.
Trigger repeated MFA prompts
They attempt to log in over and over, causing the target's phone to buzz with authentication approval requests — sometimes dozens in a row, often late at night or early in the morning.
Wait for the user to approve
Eventually, the exhausted or confused user taps "Approve" — either thinking it's a system glitch, trying to stop the notifications, or accidentally accepting while half asleep.
Access the account
That single approval gives the attacker full access to the account, bypassing the multi-factor protection that was supposed to be the last line of defense.
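As an added defender-side example (not from the original page), a small Python detector that counts MFA push prompts per user in a sliding window over constructed sample log lines, flags a burst once the count crosses a threshold, and separately marks the case the attack depends on: an approval arriving after such a burst. The log format, user names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data).
# Format: ISO timestamp, user, result of the push prompt.
SAMPLE_LOG = """\
2024-03-01T02:10:01Z alice denied
2024-03-01T02:10:19Z alice denied
2024-03-01T02:10:35Z alice timeout
2024-03-01T02:10:52Z alice denied
2024-03-01T02:11:08Z alice approved
2024-03-01T09:00:00Z bob approved
2024-03-01T13:30:00Z bob denied
2024-03-01T17:45:00Z bob approved
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for every
    user who received at least `threshold` push prompts inside any `window`.
    `prompts` is the largest burst seen; `approved_after_burst` is set when an
    approval lands while the burst is still inside the window (the outcome the
    attack is after, and the event worth an immediate session review)."""
    alerts = {}
    recent = defaultdict(deque)  # per-user timestamps inside the window
    for ts, user, result in sorted(events):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False})
            a["prompts"] = max(a["prompts"], len(q))
            if result == "approved":
                a["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

Bob's three prompts spread across a working day never share a ten-minute window, so only the burst against alice is reported.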
Real-World Example
A major ride-sharing company was breached after an attacker bombarded a contractor with MFA push notifications for over an hour. The contractor eventually approved one. The attacker then accessed internal systems, including the company's cloud storage and source code repositories, causing significant reputational damage.
How AiVERSARY Detects MFA Fatigue Risk
AiVersary's reports identify the prerequisite for MFA fatigue attacks: exposed credentials. By flagging which employee accounts have leaked passwords and are therefore vulnerable to this technique, the report helps you prioritize password resets and upgrade to phishing-resistant MFA methods before attackers can exploit them.
Is your organization exposed to MFA fatigue?
AiVERSARY scans your public footprint and identifies the exact data attackers would use against you. $499 per report.
Related Terms
Credential Stuffing
Credential stuffing is when attackers take usernames and passwords leaked from one breach and automatically try them on other services. Because most people reuse passwords, a breach at a shopping site or social network can give attackers working credentials for your corporate email, VPN, or cloud platforms. It is automated, fast, and alarmingly effective.
Social Engineering
Social engineering is the practice of manipulating people into giving up confidential information or taking actions that compromise security. Instead of breaking through firewalls and encryption, attackers exploit trust, authority, urgency, and helpfulness — basic human instincts that no software patch can fix. It is the foundation of nearly every major breach.
Tenant Compromise
Tenant compromise is when an attacker gains administrative control over your organization's cloud environment — your Microsoft 365 tenant, Google Workspace, or AWS account. Unlike stealing a single employee's password, this gives the attacker the keys to everything: every email, every file, every application, and every user account in your cloud infrastructure. It is the most devastating outcome of a successful credential attack.