Multi-factor authentication has become part of normal working life. Staff sign in to email, approve a prompt, open a finance system, approve another prompt, then do the same for a CRM, VPN, HR portal or password manager. Most of the time, it is a sensible safety net. It means a stolen password is not enough on its own.
MFA fatigue attacks, also called push bombing, take advantage of that routine. An attacker already has a username and password. Instead of trying to break the second factor, they keep triggering approval requests until the person gives in, taps approve by mistake, or assumes IT is doing something in the background.
It is not a clever cryptographic trick. It is a pressure tactic. The attacker is betting on interruption, confusion and tiredness.
For small and mid-sized businesses, that makes MFA fatigue especially awkward. You may already have MFA switched on and feel that box is ticked. Yet if the setup relies on easy push approval, weak recovery rules, or little guidance, an attacker can still turn a good control into a weak spot.
Why MFA fatigue works
Most people are trained, often without realising it, to clear prompts quickly. Pop-up? Close it. Phone notification? Swipe or tap. Approval request? Get it out of the way so you can carry on working.
That habit is useful for productivity but risky for security. In an MFA fatigue attack, the staff member may receive repeated prompts at odd times. They may be in a meeting, commuting, cooking dinner or half asleep. If the notifications keep coming, one tap can feel like the quickest way to make the noise stop.
Some attackers add pressure by pretending to be from IT. A message might say, “We are testing your account, please approve the next prompt”. Others call the user and sound helpful, rushed or senior. The aim is always the same: make the victim treat the approval as normal.
Microsoft’s own guidance says that, as MFA fatigue attacks rise, number matching for Microsoft Authenticator is critical to sign-in security. With number matching, the user has to type a number shown on the login screen into the app, so a prompt they did not start cannot be cleared with a blind tap. Microsoft has enforced number matching for all Authenticator push notifications since May 2023, so the remaining gaps are usually elsewhere: SMS and phone-call approval, and third-party push apps that still offer a plain approve button.
MFA is still worth having
This is not an argument against MFA. Password-only accounts are still too easy to compromise through phishing, reuse, malware, leaks and weak resets.
The real lesson is that not all MFA is equal.
An SMS code is better than nothing, but it can be intercepted, obtained by social engineering, or redirected by a SIM swap of the phone number. A simple push prompt is convenient, but it can be approved accidentally. A one-time code from an authenticator app is stronger, but still phishable: a convincing fake login page that relays the code to the real service before it expires gets in just the same.
Phishing-resistant methods, such as passkeys and hardware security keys, are stronger because the credential is bound to the real website or service. The browser will not present it to a look-alike domain, so a fake login page has nothing to relay. If this sounds familiar, it links neatly to Mustard’s earlier guide to replacing passwords without breaking the business.
The right approach for most SMEs is not to rip everything out overnight. It is to improve the riskiest parts first.
Start with the accounts attackers want most
Every business has a few accounts that matter more than the rest.
Start with administrators, finance, directors, HR, IT support, payroll and anyone who can approve payments, change supplier details or access large amounts of personal data. If those accounts still use basic push approval, fix them first.
For high-risk roles, consider these minimum standards:
- Require number matching or passkeys where supported.
- Block simple approve or deny prompts.
- Show the app name and sign-in location in the approval prompt.
- Restrict access from unknown devices or unusual countries.
- Require stronger checks for admin portals and financial systems.
- Review registered MFA methods, especially old phone numbers and unused devices.
You do not need a perfect identity programme before you make progress. A short, focused change to the top 10 or 20 risky accounts can remove a lot of exposure.
Watch for signs of push bombing
MFA fatigue is noisy if you know where to look.
A user receiving several denied or ignored prompts in a short period should be treated as a warning, not an inconvenience. Repeated sign-in attempts from unfamiliar locations are another signal. So are helpdesk tickets that say “my authenticator keeps going off” or “I keep getting codes I did not ask for”.
CrowdStrike’s 2026 threat findings are a useful reminder that attackers often move through trusted routes, not obvious malware. The report notes that adversaries use valid credentials, trusted identity flows and approved SaaS integrations, with 82% of detections described as malware-free.
That matters because an MFA fatigue incident may not look dramatic at first. There may be no virus alert. No ransomware note. No strange file on a desktop. Just a successful sign-in that looks like a real user.
Your monitoring should flag patterns such as:
- many MFA prompts for one user in a short window
- MFA approvals after several denials
- sign-ins from new locations followed by mailbox rule changes
- new MFA methods added to an account
- password reset followed quickly by a successful login
- admin access from unmanaged devices
These signals should feed into a simple response process. Who checks the logs? Who contacts the user? Who disables the account if the user cannot be reached? Who confirms whether mailbox rules, forwarding, files or payment details were changed?
Write the process down before the incident happens.
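As an added example (not code from the original article or from Mustard IT), the script below runs the patterns above over a handful of constructed sign-in events and returns the users the helpdesk should call. The event schema (ts, user, event, result, location), the event names such as mfa_prompt and mailbox_rule_added, and the thresholds are all assumptions made for the example; real Entra ID or Okta sign-in logs use their own field names and would be mapped into this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example (not real logs). The field names and
# event types are assumptions; map your identity provider's log fields onto them.
SAMPLE_EVENTS = [
    {"ts": "2024-04-30T09:00:00", "user": "alice", "event": "sign_in", "result": "success", "location": "GB"},
    {"ts": "2024-05-01T02:11:00", "user": "alice", "event": "mfa_prompt", "result": "denied", "location": "RU"},
    {"ts": "2024-05-01T02:12:00", "user": "alice", "event": "mfa_prompt", "result": "denied", "location": "RU"},
    {"ts": "2024-05-01T02:14:00", "user": "alice", "event": "mfa_prompt", "result": "timeout", "location": "RU"},
    {"ts": "2024-05-01T02:16:00", "user": "alice", "event": "mfa_prompt", "result": "denied", "location": "RU"},
    {"ts": "2024-05-01T02:18:00", "user": "alice", "event": "mfa_prompt", "result": "denied", "location": "RU"},
    {"ts": "2024-05-01T02:20:00", "user": "alice", "event": "mfa_prompt", "result": "approved", "location": "RU"},
    {"ts": "2024-05-01T02:21:00", "user": "alice", "event": "sign_in", "result": "success", "location": "RU"},
    {"ts": "2024-05-01T02:30:00", "user": "alice", "event": "mailbox_rule_added", "result": "success", "location": "RU"},
    {"ts": "2024-05-01T02:35:00", "user": "alice", "event": "mfa_method_added", "result": "success", "location": "RU"},
    {"ts": "2024-05-01T08:55:00", "user": "bob", "event": "mfa_prompt", "result": "approved", "location": "GB"},
    {"ts": "2024-05-01T08:55:10", "user": "bob", "event": "sign_in", "result": "success", "location": "GB"},
    {"ts": "2024-05-01T10:00:00", "user": "carol", "event": "password_reset", "result": "success", "location": "GB"},
    {"ts": "2024-05-01T10:03:00", "user": "carol", "event": "sign_in", "result": "success", "location": "GB"},
]


def load(events):
    """Parse ISO timestamps and return the events sorted by time."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag (a) a burst of >= threshold MFA prompts for one user inside a sliding
    window and (b) an approval that follows two or more denied or ignored prompts."""
    findings = []
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e)
    for user, ps in prompts.items():
        start, burst_reported, not_approved = 0, False, 0
        for i, p in enumerate(ps):
            while p["ts"] - ps[start]["ts"] > window:  # slide the window forward
                start += 1
            if not burst_reported and i - start + 1 >= threshold:
                findings.append(("prompt_burst", user, p["ts"], i - start + 1))
                burst_reported = True
            if p["result"] == "approved":
                if not_approved >= 2:
                    findings.append(("approval_after_denials", user, p["ts"], not_approved))
                not_approved = 0
            else:  # denied, timed out or otherwise ignored
                not_approved += 1
    return findings


def detect_post_signin_changes(events, follow=timedelta(hours=1)):
    """Flag sensitive changes shortly after a sign-in from a location the user has
    never signed in from before, and sign-ins that closely follow a password reset.
    A user's first successful sign-in only seeds the baseline and is not flagged."""
    findings = []
    seen = defaultdict(set)  # user -> locations of earlier successful sign-ins
    recent_new, last_reset = {}, {}
    for e in events:
        user, kind, ts = e["user"], e["event"], e["ts"]
        if kind == "password_reset":
            last_reset[user] = ts
        elif kind == "sign_in" and e["result"] == "success":
            if user in last_reset and ts - last_reset[user] <= follow:
                findings.append(("login_after_reset", user, ts, e["location"]))
            if e["location"] not in seen[user]:
                if seen[user]:
                    recent_new[user] = ts
                seen[user].add(e["location"])
        elif kind in ("mailbox_rule_added", "mfa_method_added"):
            if user in recent_new and ts - recent_new[user] <= follow:
                findings.append((kind + "_after_new_location", user, ts, e["location"]))
    return findings


def triage(events=SAMPLE_EVENTS):
    """Run both detectors; return the users to contact and the raw findings."""
    evs = load(events)
    findings = detect_push_bombing(evs) + detect_post_signin_changes(evs)
    return sorted({f[1] for f in findings}), findings


if __name__ == "__main__":
    users, findings = triage()
    for f in findings:
        print(f)
    print("contact:", users)
```

On the sample data alice is flagged for a six-prompt burst, an approval after five ignored prompts, and a mailbox rule and new MFA method added within an hour of her first ever sign-in from RU; carol is flagged for a login three minutes after a password reset; bob's single approved prompt from his usual location produces nothing. The thresholds are deliberately loose so the helpdesk sees the noisy case first, and the "first sign-in seeds the baseline" rule is what keeps new starters from flooding the queue.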
Teach staff one clear rule
Security training often becomes too broad. MFA fatigue needs one simple rule:
If you did not start the login, do not approve the prompt.
That one sentence should appear in onboarding, refresher training, posters, Teams messages and the helpdesk script. Keep repeating it until it becomes muscle memory.
Staff should also know what to do next. A good reporting route might be:
- Deny the prompt.
- Take a screenshot if easy.
- Report it to IT or the service desk straight away.
- Change the password when IT tells you to, from a device IT trusts. The attacker already has the current one, so this step matters, but it should be done the safe way rather than in a panic.
- Do not approve a later prompt because someone calls and asks you to.
This is where identity security overlaps with social engineering. Attackers may use voice calls, chat messages or AI-generated impersonation to make a fake request feel real. Mustard’s article on verifying identity in a Gen-AI world is worth pairing with MFA guidance.
Fix recovery before attackers find it
Strong MFA can be undone by weak recovery.
If a user loses a phone, gets a new laptop or forgets a password, someone has to restore access. Attackers know this. They may call the helpdesk pretending to be the user, claim urgency, or pressure a junior colleague to reset MFA methods.
Recovery should be treated as a sensitive security event, not routine admin.
For SMEs, that means a few practical controls:
- Use a written identity check before resetting MFA.
- Require manager approval for high-risk roles.
- Log every reset, including who requested it and who approved it.
- Remove old devices and phone numbers during reset.
- Never accept “I am in a rush” as a reason to skip checks.
- Keep separate emergency admin accounts with stronger protection.
The goal is not to make recovery painful. It is to make it predictable. Staff should know what evidence is needed, helpdesk teams should know the script, and managers should know when they need to approve.
Move gradually to phishing-resistant sign-ins
Number matching is a strong next step, but it is not the final destination. It stops blind approvals, yet it is still a push prompt: an attacker running a real-time phishing proxy can show the victim the correct number on the fake page and have them type it in. Over time, more businesses should move critical accounts to passkeys or hardware-backed authentication.
The UK’s National Cyber Security Centre has said it will begin recommending passkeys wherever a service supports them, with two-step verification used where passkeys are not available. For an SME, that gives a sensible direction of travel.
A practical rollout can be simple. Check which apps support stronger sign-ins, protect admin and finance first, pilot passkeys with a small group, then update onboarding so new starters use the better method from day one. After that, phase out SMS and simple push prompts where alternatives exist.
This avoids the classic mistake of making a security change that works technically but annoys everyone enough to create workarounds.
Make the secure path the easy path
MFA fatigue succeeds when people are overloaded. So the answer is not simply “train harder” or “send another policy”. It is to design sign-ins so the safe choice is clear.
That means fewer prompts, not more. Use single sign-on where possible. Avoid asking users to approve MFA again and again during the same working session. Apply extra checks when risk changes, such as a new device, new location or sensitive admin action.
If staff receive fewer pointless prompts, they are more likely to notice the strange one. If prompts show useful context, they can make better decisions. If the reporting route is friendly and quick, they will speak up sooner.
MFA fatigue is not a sign that MFA has failed. It is a sign that attackers are adapting to the controls businesses already use. The fix is to reduce blind approvals, strengthen recovery and help staff understand the one rule that matters most.
Do not approve a login you did not start.
If you want help reviewing MFA settings, improving sign-in policies, or planning a move to passkeys, contact Mustard IT.