Multi-factor authentication (MFA) was designed to stop attackers logging in with stolen passwords alone. But attackers have adapted. Instead of stealing the second factor, they pressure users into approving it themselves.<\/p>\n\n\n\n
If your organisation relies on push-based MFA, this is already a real risk.<\/p>\n\n\n\n
The attack is simple. An attacker needs:<\/p>\n\n\n\n
Attackers repeatedly trigger MFA notifications until the user approves one, either by mistake or frustration. In some cases, they combine this with a phone call pretending to be IT support to make the request seem legitimate.<\/p>\n\n\n\n
Once approved, the attacker gains access using what appears to be a normal login, often without triggering security alerts.<\/p>\n\n\n\n
The 2022 Cisco breach showed how effective this tactic can be. Attackers gained access to an employee\u2019s VPN credentials from a compromised personal Google account. They then repeatedly sent MFA prompts and followed up with fake support calls until the employee accepted one.<\/p>\n\n\n\n
That single approval gave the attacker VPN access. They later added their own MFA devices, escalated privileges and stole around 2.8GB of data before being removed.<\/p>\n\n\n\n
The incident proved that even organisations with mature security programmes are vulnerable to MFA fatigue attacks.<\/p>\n\n\n\n
Push notifications rely heavily on user judgement. Most prompts give little information about where the request came from or whether it\u2019s genuine.<\/p>\n\n\n\n
When notifications appear repeatedly, users may assume there\u2019s a technical issue rather than an attack. Add a convincing phone call from someone posing as support staff and the situation becomes much harder to spot.<\/p>\n\n\n\n
Push notifications are one of the weakest MFA methods. More secure options include FIDO2 security keys, hardware tokens and number-matching authentication apps, which are far harder to abuse.<\/p>\n\n\n\n
Prompt spamming only works if attackers already have a valid password. Regularly scanning Azure Entra ID, Legacy Active Directory & Authentication manager entries & hashes for breached or reused passwords and forcing resets removes that attack starting point.<\/p>\n\n\n\n
Conditional access policies can assess factors like location, device health and login time before sending an MFA request. This helps stop suspicious logins before users are asked to approve anything.<\/p>\n\n\n\n
Prompt spamming isn\u2019t a reason to abandon MFA, but it does expose the weaknesses of push-only authentication.<\/p>\n\n\n\n
If push notifications are still your default second factor, it may be time to reconsider. Stronger MFA methods combined with compromised password protection provide a far more resilient defence against account takeover.<\/p>\n\n\n\n