
MFA Fatigue Attacks

May 9, 2026

What MFA fatigue actually is

Multi-factor authentication is worth having. It stops most credential-based attacks cold. But there is a specific attack that treats your MFA setup not as a wall to break through, but as a doorbell to ring repeatedly until someone answers.

The attack is called MFA fatigue, or push bombing. The mechanics are straightforward. An attacker gets hold of a password, usually through a breach dump or a phishing email. Then they trigger repeated authentication requests, back to back, until the target approves one just to make the notifications stop.

It sounds almost too simple to work. It works surprisingly often.

Why people approve requests they did not initiate

The honest answer is that push notifications are annoying, especially when they arrive in a cluster. An employee gets several approval prompts on their phone during a busy afternoon, assumes it must be an IT system doing something routine, and taps approve.

Some attackers add a phone call to speed things up. They call the target posing as IT support, explain there is a system issue that requires verification, and ask them to confirm the request coming through. The employee cooperates because the caller sounds plausible.

Neither approach requires sophisticated technology. Both rely on human behavior doing what it usually does: choosing the path of least friction.

How to know if you are exposed

Ask yourself a few questions.

Does your team use push-based MFA where approvals arrive as a phone notification? When that notification appears, does it show a number that the employee must match to what is on screen, or is it just an approve button? Does your team know that an unsolicited MFA request means something is wrong and should be reported immediately?

If any of those answers is no or not sure, you have real exposure.

What actually helps

The fix is not to abandon MFA. It is to configure it in a way that requires deliberate action rather than passive approval.

Number matching is one of the most effective changes available. Instead of a simple approve button, the authentication app shows a number that the employee must match against what appears on the sign-in screen. When an attacker is the one triggering the requests, that sign-in screen is on the attacker's device, so the employee has nothing to match it against and the attempt fails even if they engage with the prompt.

Some platforms let you limit the number of push attempts before locking out an account, which cuts off the fatigue vector before it has a chance to work.
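Added example (not from the original post): a small Python detector run over constructed push-event lines that flags the burst pattern this section describes and escalates when an approval lands while the burst is still in progress. The log format, result names, five-minute window and five-prompt threshold are assumptions, not any vendor's real defaults.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of identity-provider push events: "<timestamp> <user> <result>".
# Not real IdP log lines; alice is being push-bombed, bob is a normal sign-in.
SAMPLE_EVENTS = [
    "2026-05-09T14:02:11 alice push_sent",
    "2026-05-09T14:02:40 alice push_denied",
    "2026-05-09T14:02:55 alice push_sent",
    "2026-05-09T14:03:30 alice push_sent",
    "2026-05-09T14:03:31 alice push_expired",
    "2026-05-09T14:04:02 alice push_sent",
    "2026-05-09T14:04:50 alice push_sent",
    "2026-05-09T14:05:10 alice push_sent",
    "2026-05-09T14:05:25 alice push_approved",
    "2026-05-09T14:10:00 bob push_sent",
    "2026-05-09T14:10:20 bob push_approved",
]

def parse_event(line):
    """Split one constructed log line into (datetime, user, result)."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_bombing(lines, window=timedelta(minutes=5), threshold=5):
    """Flag users who received `threshold` or more push prompts inside `window`.

    Returns {user: {"pushes": peak count seen in the window,
                    "approved_after_burst": True if the user approved while
                    flagged prompts were still inside the window}}.
    """
    recent = {}    # user -> deque of push_sent timestamps still inside the window
    findings = {}
    for line in lines:
        ts, user, result = parse_event(line)
        q = recent.setdefault(user, deque())
        # Drop prompts older than the window before evaluating this event.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                f["pushes"] = max(f["pushes"], len(q))
        elif result == "push_approved" and user in findings and q:
            # The outcome the attacker wants: approval during an active burst.
            findings[user]["approved_after_burst"] = True
    return findings
```

The same counting logic, applied before sending rather than after the fact, is what a "lock out after N prompts" setting does on the platform side.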

Training matters here too, but not the kind that ends with a multiple-choice quiz. Staff need to understand one specific behavior: if you receive an MFA prompt you did not initiate, do not approve it. Call IT. The few seconds that takes is a small price compared to what an approved attack costs.

What this reflects about your overall security posture

MFA fatigue attacks tend to succeed in environments where security was configured once and not revisited. The push-based MFA was enabled, the checkbox was checked, and the assumption was that the problem was solved.

The problem with that framing is that attackers adapt. A defensive layer that was effective two years ago can become a liability if nobody is monitoring how it is being used or whether the configuration still reflects current threats.

Cybersecurity for small businesses is not about having every possible tool. It is about having the right tools configured correctly and knowing when the configuration needs to change.

For context on a related pattern, business email compromise also works by exploiting what looks like legitimate behavior rather than triggering obvious alerts.

If any of this feels familiar, we can take a quick look at your setup and tell you what is actually worth fixing.
