MFA Fatigue Attacks: What They Are and How to Stop Them

How MFA fatigue works

Standard push-based MFA (like Microsoft Authenticator or Duo with simple approve/deny prompts) has a fundamental weakness: it relies on the user knowing that they initiated a login. Attackers exploit this by:

1. Obtaining valid credentials (via phishing, password spray, or credential dump)
2. Repeatedly attempting to sign in, triggering push notification after push notification
3. Sending the target messages claiming to be IT support: "We're updating your account, please approve the login request"
4. Waiting until the user approves — from fatigue, confusion, or social engineering

Why standard push MFA is vulnerable

The approve/deny prompt gives users no context about what they're approving. A user who receives 20 push notifications in 10 minutes at 11pm has no way to distinguish between "someone is attacking my account" and "something is broken with our SSO". Many just tap approve to make it stop.

The fix: enable number matching

Number matching is the fastest, no-cost mitigation for push-based MFA fatigue. Instead of a simple approve/deny prompt, the authenticator app shows a 2-digit number that the user must type — and the sign-in page shows a matching number. An attacker triggering requests can no longer be accidentally approved because the user has to actively read and type a number they can only see if they initiated the login.

Enable number matching in Microsoft 365

1. Go to Entra ID → Authentication methods → Microsoft Authenticator
2. Click Configure
3. Under "Require number matching", set to Enabled for all users
4. Also enable Show application name in push and passwordless notifications and Show geographic location in push notifications

As of 2025, Microsoft has enabled number matching by default for new tenants, but many existing tenants still have it off. Check yours.

Enable number matching in Google Workspace

Google Workspace doesn't use push-based MFA in the same way — Google Prompt requires user interaction that already includes contextual information. However, upgrading to Security Keys (FIDO2) or Google Passkeys is the phishing-resistant step up:

1. Admin console → Security → Authentication → 2-Step Verification
2. Under "Allowed second factors", enable Security Key
3. Optionally enforce for high-risk users (admins, finance, executives)

Going further: phishing-resistant MFA

Number matching stops fatigue attacks but not adversary-in-the-middle (AiTM) phishing — where attackers proxy authentication in real time and steal session tokens even when MFA is passed. The only way to stop AiTM is phishing-resistant MFA:

• FIDO2 hardware keys (YubiKey, Google Titan) — bound to the site origin, can't be proxied
• Passkeys — same cryptographic binding, built into modern devices
• Windows Hello for Business — device-bound, phishing-resistant, no additional hardware needed
• Certificate-based authentication (CBA) — enterprise environments with PKI

How to detect MFA fatigue attempts in your logs

In Entra ID → Sign-in logs, filter for:

• Authentication result: MFA denied, user declined the request
• Multiple failed MFA attempts from the same IP in a short window
• Sign-in attempts at unusual hours (middle of night for the user's timezone)
• MFA fraud alerts — users can report suspicious push requests in the Authenticator app

A pattern of dozens of MFA denials followed by a single approval is a strong indicator of a successful fatigue attack.