← Blog

MFA fatigue: when approving the prompt is the mistake

Tenant Strike3 min read

Multi-factor authentication is one of your best defenses, but attackers found a way around it: ask for approval over and over until someone taps yes. Here is how MFA fatigue works and how to beat it.

Multi-factor authentication is one of the best things you can do for your security. It means a stolen password isn't enough on its own, because an attacker still needs that second step — the tap to approve, the code from an app. So attackers, unable to beat it directly, found a way to make people defeat it for them. It's called MFA fatigue, and it has worked against companies far larger than yours.

How the attack works

The attacker starts with something they already have: a working username and password, usually bought from a previous data breach. They try to log in. Your phone buzzes with an approval prompt — "Are you trying to sign in? Approve or Deny." You weren't, so you deny it.

Then it buzzes again. And again. The attacker simply keeps trying to log in, firing off a prompt each time. Now it's late, or you're in a meeting, or you're just confused about why this keeps happening. Eventually, one of three things makes someone tap "Approve": they want the buzzing to stop, they assume it must be a glitch, or the attacker follows up with a message — "Hi, it's IT, we're testing the system, please approve the prompt."

That single tap is all it takes. The attacker is in, and they had the password all along.

Why it succeeds

MFA fatigue is social engineering layered on top of a real security control. The technology is working exactly as designed — it is asking for approval. The attack targets the human at the other end, betting that persistence and annoyance will outlast caution. And because the prompt is legitimate and familiar, it doesn't trip the usual "this looks like a scam" instincts.

The fact that the prompts are arriving at all is itself the important signal, and it's the one most people miss in the moment.

The rule that defeats it

A login prompt you didn't start is not a glitch — it's a warning. If your phone asks you to approve a sign-in you didn't just trigger, the answer is always deny, every time, no matter how many times it asks. More than that: it means someone already has your password, so that password needs to change.

Say this plainly to your team: if you get an approval request you didn't ask for, deny it and report it — even once. Repeated prompts mean an attacker is knocking right now.

Settings that take the option off the table

Beyond the human reflex, there are configuration choices that blunt this attack — and they're worth asking your IT person or Microsoft 365 admin about:

  1. Number matching. Instead of a simple approve/deny tap, the prompt shows a number on the login screen that you must type into your phone. You can't approve a login you're not actually looking at, which kills blind "just make it stop" taps. Microsoft now turns this on by default, but it's worth confirming.
  2. Phishing-resistant methods. Hardware security keys and passkeys don't use a tappable push prompt at all, so there's nothing to fatigue. For your most sensitive accounts — especially administrators — these are the strongest option.
  3. Sign-in monitoring. Repeated failed logins and a flood of prompts can be flagged and blocked automatically, so the attack gets cut off before a human is even tempted.

The goal is to make sure no one is ever in a position where a tired tap can hand over an account.

MFA fatigue is a good reminder that turning a control on isn't the same as configuring it well. Tenant Strike reads your Microsoft 365 identity settings and checks the details that matter here — whether multi-factor authentication is enforced for everyone (especially admins), whether the stronger methods are in play, and whether legacy sign-in paths that skip MFA entirely are still open. It's a five-minute, read-only review that turns "we have MFA" into "here's exactly how solid our MFA actually is."

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.