
Why MFA Fatigue Attacks Are Defeating Multi-Factor Authentication


Multi-factor authentication has been one of the most effective security investments of the last decade. Its protection against credential stuffing, password phishing and password reuse has been real and measurable. Attackers have not stopped looking for ways around the additional factor, and one of their most successful techniques exploits a weakness not in the technology but in how users respond to it. MFA fatigue attacks (also called push bombing or prompt bombing) have become routine in modern intrusions, and a standard push-based MFA deployment does not defend against them.

How The Attack Actually Works

The attacker already holds a valid password, typically bought from a credential dump or captured through phishing. They use it to start a sign-in, which sends a push prompt to the legitimate user's device. They then repeat the sign-in, often dozens of times. The user receives prompt after prompt, grows increasingly frustrated, and eventually approves one to make the prompts stop. The attacker now has a session backed by a valid password and a genuine MFA approval. The technical layer worked exactly as designed; the user handed over the keys. In the sign-in logs the pattern is a burst of denied or expired push prompts for one account, usually from an unfamiliar address, followed by an approval. A focused Azure penetration testing engagement should test for this scenario explicitly.
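The detection logic that follows is an added example, not code from the original article or from any vendor. It runs over a constructed set of sign-in records (the field names ts, user, ip and result are assumptions for this example, not a real log schema) and raises one alert per account whose unapproved push prompts pile up inside a sliding window, upgrading the alert when an approval follows the burst, which is the moment the attacker gets in.

```python
"""Added example (not part of the original article): flag the MFA fatigue
pattern in sign-in records. The record layout below is constructed for this
example and does not follow any vendor's real log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice gets six push prompts in four minutes from one
# unfamiliar address and finally approves; bob denies one prompt by mistake
# and then approves normally from the office range.
SAMPLE_LOG = [
    {"ts": "2024-03-04T08:00:05Z", "user": "alice", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2024-03-04T08:00:40Z", "user": "alice", "ip": "203.0.113.7", "result": "timeout"},
    {"ts": "2024-03-04T08:01:15Z", "user": "alice", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2024-03-04T08:02:00Z", "user": "alice", "ip": "203.0.113.7", "result": "timeout"},
    {"ts": "2024-03-04T08:02:50Z", "user": "alice", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2024-03-04T08:03:30Z", "user": "alice", "ip": "203.0.113.7", "result": "timeout"},
    {"ts": "2024-03-04T08:04:10Z", "user": "alice", "ip": "203.0.113.7", "result": "approved"},
    {"ts": "2024-03-04T08:10:00Z", "user": "bob", "ip": "198.51.100.2", "result": "denied"},
    {"ts": "2024-03-04T08:10:45Z", "user": "bob", "ip": "198.51.100.2", "result": "approved"},
]

UNAPPROVED = {"denied", "timeout"}  # prompts the user did not accept; timeouts count too


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(records, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user whose unapproved push prompts reach
    `threshold` inside a sliding `window`. Severity starts at "medium"
    (someone is hammering the account) and becomes "high" if the user
    then approves a prompt while the burst is still inside the window."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append((parse_ts(rec["ts"]), rec))

    alerts = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda e: e[0])
        pending = []   # unapproved prompts still inside the window
        alert = None
        for ts, rec in events:
            pending = [(t, r) for t, r in pending if ts - t <= window]
            if rec["result"] in UNAPPROVED:
                pending.append((ts, rec))
                if len(pending) < threshold:
                    continue
                if alert is None:
                    alert = {"user": user, "severity": "medium",
                             "first_prompt": pending[0][0].isoformat(),
                             "prompts": 0, "source_ips": set(),
                             "approved_at": None}
                    alerts.append(alert)
                alert["prompts"] = max(alert["prompts"], len(pending))
                alert["source_ips"].update(r["ip"] for _, r in pending)
            elif rec["result"] == "approved":
                # The dangerous case: an approval right after a burst.
                if alert is not None and len(pending) >= threshold:
                    alert["severity"] = "high"
                    alert["approved_at"] = ts.isoformat()
                pending = []   # an approval ends the current burst
    for alert in alerts:
        alert["source_ips"] = sorted(alert["source_ips"])
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Two design points worth keeping when porting this to a SIEM query: timeouts are counted alongside explicit denials, because most targets ignore the prompts rather than tap deny, and the source addresses of the burst are carried into the alert so the responder can see at once whether the approval came from the same unfamiliar network.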

Number Matching And Context Reduce Risk

Modern MFA implementations support number matching, where the sign-in screen shows a number and the prompt asks the user to enter that number rather than simply tap approve or deny. This breaks the fatigue pattern because a user cannot approve a sign-in they did not start without knowing a number that is displayed only on the attacker's screen. Many platforms also support context in the prompt, showing the location and application requesting authentication, which gives the user a reason to deny instead of an incentive to approve. Both features are widely available, but on many platforms they must be switched on by the tenant administrator and are not enabled out of the box.
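As an added illustration (not from the original article), the Microsoft Graph request that switches on prompt context for Microsoft Authenticator in an Entra tenant. The weak state is each feature left "disabled"; the body below sets both to "enabled" for all users. The property names are those of the microsoftAuthenticator authentication method configuration in Microsoft Graph v1.0 as I know them, and the separate numberMatchingRequiredState property lived in the beta schema; verify both against the current reference before running this against a tenant.

```http
PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
  "featureSettings": {
    "displayAppInformationRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    },
    "displayLocationInformationRequiredState": {
      "state": "enabled",
      "includeTarget": { "targetType": "group", "id": "all_users" },
      "excludeTarget": { "targetType": "group", "id": "00000000-0000-0000-0000-000000000000" }
    }
  }
}
```

The call needs the Policy.ReadWrite.AuthenticationMethod permission. After applying it, read the same resource back with a GET and confirm both states report "enabled" rather than trusting the PATCH response alone.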

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The MFA fatigue incidents I have reviewed all shared a pattern. The user received dozens of prompts in a short period. The prompts contained no context beyond the request to approve. After enough interruptions, the user tapped approve to stop the stream. The platforms involved supported number matching. The customers had not enabled it.

Help Desk Procedures Need Hardening

Help desk procedures around account recovery are a common attacker target. The attacker calls in, claims to have lost access, provides plausible information and convinces the agent to reset credentials or disable MFA. Help desk staff need clear scripts, mandatory verification steps that cannot be talked around, and the authority to refuse requests that do not meet the verification bar. This procedural hardening matters as much as the technical controls. It is worth running social engineering exercises aimed specifically at the help desk on a periodic basis. The team handles these calls every day and benefits from realistic practice resisting carefully constructed pressure tactics under conditions that mirror the live workload.

Phishing Resistant Factors Are The Next Step

FIDO2 hardware keys and platform authenticators bind each authentication to a specific origin and remove the MFA fatigue vulnerability entirely. There is no remote prompt for the user to approve: the authenticator only produces an assertion for the site the browser is actually on, and that assertion is tied to the device the user holds. Migrating to phishing resistant factors is one of the highest value security projects available to most organisations. Pair the migration with a good penetration testing partner that exercises the resilience of the new factors and the result is significantly stronger than push-based MFA ever was.
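To make the origin binding concrete, here is an added example (not code from the original article or from any FIDO library) of the relying-party checks on a WebAuthn assertion that tie it to the real sign-in page. RP_ID, EXPECTED_ORIGIN and CHALLENGE are assumed values, and the clientDataJSON and authenticatorData are constructed stand-ins for what a browser and authenticator produce. The browser, not the page, writes the origin into clientDataJSON, so an assertion relayed through a look-alike phishing site arrives carrying the wrong origin and is rejected; the authenticator's signature over authenticatorData and the hash of clientDataJSON is what stops the attacker editing those fields afterwards.

```python
"""Added example (not part of the original article): the relying-party
checks in a WebAuthn assertion that bind the sign-in to an origin. RP_ID,
EXPECTED_ORIGIN and CHALLENGE are assumed values for this example."""
import base64
import hashlib
import json

RP_ID = "example.com"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin of the real sign-in page
CHALLENGE = b"constructed-challenge-0001"      # assumed server-issued challenge


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin, challenge=CHALLENGE):
    """Constructed stand-in for the clientDataJSON a browser builds for an
    assertion. The browser, not the page script, fills in the origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id, user_present=True):
    """Constructed authenticatorData: rpIdHash (32 bytes), flags (1 byte),
    signature counter (4 bytes). The hash is over the rpId the browser
    permitted for the page that is actually open."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def check_binding(client_data_json, auth_data,
                  expected_origin=EXPECTED_ORIGIN, rp_id=RP_ID, challenge=CHALLENGE):
    """Origin-binding checks a relying party performs on an assertion.
    Returns (ok, reason). A real RP then verifies the authenticator's
    signature over auth_data || sha256(client_data_json), which is what
    makes these fields tamper-evident; that step is omitted here."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        presented = b64url_decode(cd.get("challenge", ""))
    except ValueError:
        presented = None
    if presented != challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    # Genuine sign-in on the real origin.
    print(check_binding(make_client_data(EXPECTED_ORIGIN), make_auth_data(RP_ID)))
    # Assertion relayed from a look-alike phishing page: the browser wrote the
    # phishing origin into clientDataJSON, so the relying party rejects it.
    print(check_binding(make_client_data("https://login-example.com"), make_auth_data(RP_ID)))
```

In practice the attack fails even earlier, because the browser will not offer a credential whose rpId is not a registrable suffix of the phishing domain; the check above is the relying-party backstop for the case where a proxy still manages to forward an assertion.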

MFA was a major step forward and remains valuable, but the threat has moved and the defence needs to move with it. Keeping pace with the techniques that defeat the older implementations is part of the job. Authentication is the foundation that the rest of the security model depends on, and teams that invest properly in it tend to find that downstream security investments produce better returns, because the foundation is actually solid.