Multi-Factor Authentication (MFA) is a security feature which requires you to provide multiple forms of verification when signing in to online resources. An example is when you receive a push notification via an authenticator app on your phone, asking you to simply approve or deny an authentication request. However, as reliance on MFA increases, so does a growing concern — MFA fatigue!
MFA fatigue occurs when users become frustrated or overwhelmed by frequent MFA prompts — especially in corporate environments — leading to accidental or unauthorized approvals.
When a bad actor obtains your login credentials and a push notification is the second factor, they can try to bypass MFA via push bombing — that is, repeatedly sending MFA push notifications until you unwittingly approve the request.
Mitigating MFA Fatigue
The following are some of the ways in which MFA fatigue can be mitigated.
User Education
Continue to educate users about the risks of MFA fatigue and the importance of carefully reviewing each request to avoid unauthorized approvals.
Enable number matching
With this method, users are presented with a number on their login screen which they must match to a corresponding number displayed on the authenticator app. This simple step reduces the likelihood of accidental approvals because users are actively engaged with the authentication process.
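A small server-side model of number matching, with a throttle on how many push prompts one user can receive in a window, added here as an illustrative example (not code from this article or from any authenticator product). The two-digit number, the 60-second challenge lifetime and the three-pushes-per-five-minutes threshold are assumed policy values.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from the article): a two-digit number as in
# common authenticator apps, 60 s challenge lifetime, at most 3 pushes
# per user per 5 minutes before prompts stop and the user is flagged.
NUMBER_DIGITS = 2
CHALLENGE_TTL = 60
PUSH_WINDOW = 300
MAX_PUSHES_PER_WINDOW = 3


@dataclass
class Challenge:
    user: str
    number: str      # shown on the login screen, typed into the authenticator
    expires: float


class PushMfaServer:
    """Server side of a number-matching push MFA flow (illustrative model)."""

    def __init__(self):
        self.challenges = {}   # challenge id -> Challenge (single use)
        self.push_times = {}   # user -> timestamps of recent push prompts
        self.flagged = set()   # users whose prompt volume looks like push bombing

    def request_push(self, user, now=None):
        """Issue a push challenge; return (id, number) or None if throttled."""
        now = time.time() if now is None else now
        recent = [t for t in self.push_times.get(user, []) if now - t < PUSH_WINDOW]
        if len(recent) >= MAX_PUSHES_PER_WINDOW:
            # Too many prompts in the window: stop sending pushes and raise an
            # alert instead of letting the user be worn down into approving one.
            self.flagged.add(user)
            self.push_times[user] = recent
            return None
        self.push_times[user] = recent + [now]
        cid = secrets.token_hex(8)
        number = f"{secrets.randbelow(10 ** NUMBER_DIGITS):0{NUMBER_DIGITS}d}"
        self.challenges[cid] = Challenge(user, number, now + CHALLENGE_TTL)
        return cid, number

    def approve(self, cid, entered, now=None):
        """Approve only if the number typed into the app matches the login screen."""
        now = time.time() if now is None else now
        ch = self.challenges.pop(cid, None)   # pop: one attempt per challenge
        if ch is None or now > ch.expires:
            return False
        # A bare "Approve" tap without the number (entered == "") cannot succeed.
        return secrets.compare_digest(ch.number.encode(), entered.encode())
```

The timestamps are passed in explicitly only to keep the behaviour reproducible; in production the default wall clock is used.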
Allow authentication from trusted networks or managed devices only
Push-bombing attempts typically originate from unknown devices and networks, so IT or security admins should implement policies (for example, conditional access) that allow authentication from trusted networks or managed devices only.
Use hardware-based MFA
Hardware tokens or security keys (e.g., YubiKeys) provide a higher level of security than SMS or app-based push prompts: approval requires physical possession of the key, so there is no remote prompt for a user to approve by mistake. These physical devices make unauthorized access considerably harder.
MFA fatigue is a serious issue that can inadvertently lead to security breaches if users approve unauthorized requests without proper scrutiny. However, by implementing solutions like number matching, conditional access policies, hardware-based MFA and better user education, organisations can minimize the risk of accidental approvals.