What is an MFA fatigue attack?
- Attackers steal or guess a password
- They spam push notifications to the user’s authenticator app
- Under pressure or confusion, the user accepts one request, granting access
Why your business is at risk
- Reused or weak passwords on Microsoft 365 or other cloud apps
- Staff working on the go and approving prompts without context
- Lack of conditional access rules or sign-in risk policies
How to defend fast
- Switch to number matching or passkeys
  - Enforce number matching in Microsoft Authenticator
  - Prefer phishing-resistant methods: FIDO2 security keys or platform passkeys
- Reduce prompts
  - Require MFA only from new devices, new locations, or risky sign-ins
  - Enable sign-in risk policies if you have Microsoft Entra P2
- Lock down legacy and unattended access
  - Disable legacy authentication protocols
  - Use app-enforced restrictions and device compliance
- Monitor and alert
  - Turn on security defaults at minimum
  - Configure alerting for multiple denied MFA prompts and impossible travel
- Train your team
  - Teach staff: if you didn’t try to sign in, always tap Deny and report it
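The "alert on multiple denied MFA prompts" step above, as an added example that is not part of this page: it runs a simple burst detector over constructed sample sign-in records. The record shape (`user`, `time`, `mfa_result`) is a simplified assumption, not the real Entra sign-in log schema, so map the fields to your own log source before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified sign-in-log shape (the field
# names are an assumption, not the Entra schema). Alice gets three pushes
# in under two minutes and then approves one; Bob denies two hours apart.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:05Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "time": "2024-05-01T08:00:40Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "time": "2024-05-01T08:01:10Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "time": "2024-05-01T08:02:00Z", "mfa_result": "approved"},
    {"user": "bob@example.com",   "time": "2024-05-01T09:00:00Z", "mfa_result": "denied"},
    {"user": "bob@example.com",   "time": "2024-05-01T11:30:00Z", "mfa_result": "denied"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_fatigue_candidates(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: (first_denial, last_denial, approved_after)} for every user
    with at least `threshold` denied prompts inside a sliding `window`.
    approved_after is True when an approval follows the burst inside the same
    window: the case where the user finally gave in and which needs the
    fastest response (revoke sessions, reset credentials)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append((_parse(e["time"]), e["mfa_result"]))

    alerts = {}
    for user, evs in by_user.items():
        denials = [t for t, r in evs if r == "denied"]
        for i, start in enumerate(denials):
            burst = [t for t in denials[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1]
            approved = any(r == "approved" and end < t <= start + window
                           for t, r in evs)
            alerts[user] = (start, end, approved)
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, (first, last, gave_in) in find_fatigue_candidates(SAMPLE_EVENTS).items():
        print(f"{user}: {first:%H:%M:%S}-{last:%H:%M:%S} approved_after={gave_in}")
```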
Quick checklist
- [ ] Number matching or passkeys enforced
- [ ] Legacy auth blocked
- [ ] Conditional Access in place
- [ ] Alerts for repeated MFA prompts
- [ ] Staff training completed
What Clyk can do
- Review your current MFA setup
- Implement Conditional Access and risk-based controls
- Roll out phishing-resistant authentication company-wide
Need help hardening MFA? Book a quick review and we’ll lock it down.