ZarmTech

Combating MFA Fatigue Attacks in the Enterprise

Feb 12, 2026 ZarmTech Identity Experts

Multi-Factor Authentication (MFA) stops 99% of automated credential attacks. However, a new threat has emerged: MFA Fatigue, also known as “MFA Bombing.”

What is MFA Fatigue?

When attackers obtain a valid password, they repeatedly trigger MFA push notifications to the user’s phone, often late at night. The goal is to annoy or confuse the user into eventually tapping “Approve.”
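
The burst of prompts described above leaves a recognizable trail in push-result logs. The following detection sketch is an added example, not part of the original post; the event schema, the threshold of 3 unapproved pushes and the 10-minute window are assumptions for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema (not a real IdP export):
# (ISO timestamp, user, push result), result is "denied", "timeout" or "approved".
SAMPLE_EVENTS = [
    ("2026-02-10T02:01:10", "alice", "denied"),
    ("2026-02-10T02:01:55", "alice", "timeout"),
    ("2026-02-10T02:02:40", "alice", "denied"),
    ("2026-02-10T02:03:30", "alice", "timeout"),
    ("2026-02-10T02:04:05", "alice", "approved"),
    ("2026-02-10T09:00:00", "bob", "timeout"),
    ("2026-02-10T09:00:40", "bob", "approved"),
    ("2026-02-10T14:00:00", "carol", "denied"),
    ("2026-02-10T14:01:00", "carol", "denied"),
    ("2026-02-10T14:02:00", "carol", "denied"),
]

def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold unapproved pushes inside the window.

    severity "high": an approval followed the burst (treat as possible compromise).
    severity "medium": burst seen, but the user has not approved.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved pushes
    alerts = {}                  # user -> highest-severity alert seen
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes that aged out of the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "severity": "medium",
                                "pushes": len(q), "at": ts_raw}
        elif result == "approved":
            if len(q) >= threshold:  # approval right after a burst: escalate
                alerts[user] = {"user": user, "severity": "high",
                                "pushes": len(q), "at": ts_raw}
            q.clear()  # an approval ends the current burst
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case worth paging on: the session granted by that approval should be revoked and the password reset, since the prompts only occur when the password is already known.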

How to Secure Your Authentications

  • Number Matching: Require the user to type a two-digit number displayed on their screen into their authenticator app. This ensures they are actively initiating the login.
  • Risk-Based Access: Use Conditional Access policies in Entra ID to block sign-ins from impossible travel locations or known malicious IP addresses before the MFA prompt even triggers.
  • FIDO2 Security Keys: Transitioning to physical hardware keys eliminates push notifications entirely.