What is MFA Fatigue?

Okay, so, eye-rolling at another buzzword (i.e., Who needs that?) — but MFA fatigue is real. This is a comparatively novel twist on how cybercriminals evade multi-factor authentication (MFA). You remember the early 2000s, when I was neck deep as a network admin battling PSTN and the internet was just starting to behave like a wild horse? Well, at the time, the greatest headache was worms like Slammer streaking across networks. Now, attackers have become sneakier — way sneakier.

MFA—the concept is simple and brilliant. Even if someone has your password (and believe me, I’ve run PJ Networks for years, during which I’ve seen bad password policies cause more breaches than you’d care to count) — you’re still good, thanks to that extra step: a text message, an app prompt, a hardware key. Except, here’s the thing, MFA fatigue attacks specifically exploit human psychology. Attackers overload users with a deluge of MFA approval requests.

Picture your phone buzzing, deadening your dinner at home, or juggling a dozen tasks at work, giving you the all-pass sign for your ever-encroaching logins — all nonstop while we chat. Before long, irritation creeps in.

You hit “approve” just for it to end — and boom. Your email, your most sensitive accounts? Compromised.

How Attackers Overwhelm Users

Back when I was on working on networks way back in the day — firewalls the hero, and if you had a good username password combo you were golden. Now? It’s a hackathon of keeping ahead.

MFA bombing — also known as MFA fatigue — works this way:

• Attacker has your username and password. Usually some form of phishing, sometimes just a leaky database.
• They thumped the MFA system by making repeated approval requests.
• A flurry of push notifications go to the targeted user.
• The user starts getting frustrated and finally approves one — thinking it’s either a glitch or their own device is on the fritz.
• Access granted. Attacker in.

What these attackers are counting on is annoyance and fatigue. They wield overload as a weapon.

Our most recent case at PJ Networks involved a bank’s email system. To the IT team, MFA was foolproof. But user behavior? Not so much. Odd hours spike of MFA requests, classic MFA bombing indicator. And yes, some people opened requests without realizing it. That’s when we expanded their authentication flows and added some AI-based adaptive MFA to weed out suspicious attempts. More on that soon.

Best Protection Strategies

Here’s where my 25+ years of experience tells me what I can tell you: MFA is not a silver bullet. That helps, but as with the days of yore of routers and firewalls, your defense has to be layered, adaptive — and user-friendly enough that people don’t throw up their hands and approve everything.

Now, let me start with a little rant: Password policies.

Rules about complexity that push users toward terrible passwords they write on sticky tabs stuck on the underside of their keyboards? Useless. It’s 2024, people! Use passphrases. Use password managers.

But back to MFA:

• Adopt adaptive MFA: Systems that assess risk using context, not just static verification — location, device, time of day.
• Implement push protection throttling: Prevent users from being bombarded by limiting the number of push approvals that can be sent to them per minute.
• Educate users: Raise awareness among your teams regarding MFA fatigue attacks. Tell them not to give requests a free pass.
• Use hardware security keys: They can be a bummer to lose — but much tougher to hack. And yes, I know they can be inconvenient, but I would rather have a temperamental but reliable car than something fancy that breaks down on the way.
• Not the normal auth patterns: Detect via analytics repeated push requests, which are common for MFA bombing.

I’m not going to pretend that this is plug-and-play. Each network has its own quirks like the engine of each car. The target is the same, however — thwarting attackers before they enter.

MFA Security Solutions of PJ Networks

At PJ Networks, we have been optimizing our MFA strategy to tackle this specific issue. However, after working on zero trust architecture upgrades for three leading banks recently, the addition of AI-based adaptive MFA has been a breath of fresh air. And while I’m usually pretty skeptical any tool that says it’s “AI-powered,” this one has less to do with some futuristic magic and more with smart automation.

Our solution learns in real-time—if some bad actor is trying to push the MFA prompts to the same phone, the system learns that and sausages that action before it makes it to your phone. Consider it an experienced traffic cop (not an overeager robot) who can sense when to let cars through and when to hold ’em back.

We augment that with traditional security layers:

• Client traffic-pattern aware firewalls
• Hardened servers auditing authentication continuously
• Clever router configurations that block suspicious outbound traffic

And very importantly, we customize defenses based on real-world behavior, not just theory. Like when I returned from DefCon—it was a reminder that real hardware hacking villages don’t lose to the likes of a fancy software hack (and neither does security). It takes a hybrid approach.

Conclusion

Look, MFA fatigue attacks are a shiny new pebble in the shoe—but they hurt like a boulder if you’re on the receiving end. People are exploited way worse than tech, and that means education, good policy and smart tech have to shake hands.

Even if you think MFA makes you impervious — think again. We’ve come a long way from the early days of dragging data over PSTN lines and scaring ourselves to death with the Slammer worm—but attackers evolve as well.

So, what’s the takeaway lesson from this? MFA is not a checkbox. Think of it as a very complicated, living defense mechanism. Add adaptive tech. Train your users. Watch the signals.

And if you’re already battling MFA fatigue attacks or you simply want your network secured the proper way well then PJ Networks is here for you.

For after 30 years in this business, and then some — network admin, cybersecurity consultant, if I learned anything, it’s this — no security strategy survives the morning without constant, aggressive adaptation.

Stay safe — and remember: The best security is sometimes knowing when not to hit approve.