MFA fatigue attacks succeed by spamming users with push notifications until someone approves one just to make it stop. In 2026, traditional MFA is no longer enough on its own. Businesses need phishing-resistant methods like passkeys, number matching, and Conditional Access policies to stop identity-based breaches before they start.
You rolled out multi-factor authentication years ago. You checked the compliance box. You told your team to stop complaining about the extra step. And for a while, that was enough.
It is not anymore.
The attackers have adapted. MFA is still one of the most important controls a business can deploy, but the version most companies are running in 2026 was designed for threats that no longer dominate the landscape. If your login policies have not been reviewed since you first turned MFA on, you have a gap that criminals are actively pricing into their business model.
Here is what changed, and what to do about it.
An MFA fatigue attack (sometimes called MFA bombing or push-notification spamming) is a social engineering technique that targets the approve button on your phone rather than your password.
The attacker already has your password. That part is not the hard step. With 3.8 billion credentials leaked in the first half of 2025 alone [1], stolen passwords are a commodity. What the attacker needs is your MFA approval.
So they log in repeatedly and trigger dozens of push notifications to your phone. Ten prompts. Twenty. Fifty. Late at night, during a meeting, in the middle of a workout. Eventually most people tap Approve just to make the buzzing stop, or because they assume it is a glitch, or because they think they must have forgotten they were logging in somewhere.
That single tap is the breach.
Because the threat model it was built for has shifted. Three data points tell the story.
First, MFA is no longer a silver bullet against modern intrusions. Incident response teams report that 79% of business email compromise victims they investigated in 2024 and 2025 had MFA enabled at the time of the breach [2]. The attacker got in anyway.
Second, credentials are still the weakest link in the chain. The 2025 Verizon Data Breach Investigations Report found that stolen credentials were the initial access vector in 22% of breaches, and that 88% of attacks against basic web applications involved stolen credentials [3]. In the same report, the median daily share of credential stuffing attempts across enterprise authentication logs was 19%. One in every five login attempts Verizon saw was an attacker trying keys they already had.
Third, ransomware crews have productized MFA fatigue. Groups like Scattered Spider, Muddled Libra, and Akira now treat push bombing as a standard opening move. CISA updated its advisory on Scattered Spider in July 2025 specifically to emphasize that modern intrusions often begin with identity compromise rather than malware [4].
The tooling your team uses to sign in every day is the front door, and the lock has been picked.
Not all MFA is created equal. Regulators, Microsoft, and CISA now draw a sharp line between legacy MFA (SMS codes, one-time passwords, basic push approval) and phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication).
The difference is cryptographic. Phishing-resistant methods bind the authentication to the specific site or service you are actually trying to reach. An attacker cannot trick you into approving a login to their fake page because the key refuses to sign the wrong domain. There is nothing to fatigue, nothing to type into the wrong box, nothing to forward by accident.
Microsoft's 2025 Digital Defense Report is blunt about it: phishing-resistant MFA stops more than 99% of identity-based attacks even when the adversary already has valid credentials [5]. The FIDO Alliance reports a 95%+ reduction in credential-based attacks for organizations that roll out passkeys, along with a 93% login success rate compared to 63% for traditional methods [6].
In plain terms: it is more secure and less painful to use. That combination is rare.
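To make the domain-binding point concrete, here is an added simulation (not code from this article) of a WebAuthn-style ceremony: the authenticator scopes each credential to a relying-party id derived from the page origin and signs that origin into the assertion, and the relying party rejects anything signed for a different origin. It uses HMAC as a stand-in for the authenticator's asymmetric signature so it runs on the Python standard library alone; the domain names are constructed.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.corp.example"                     # constructed relying-party id
REAL_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.corp-example.com"  # constructed look-alike domain


class Authenticator:
    # One credential per rpId; a credential is never used for another rpId.
    def __init__(self):
        self.keys = {}  # rpId -> secret (HMAC stand-in for a per-site private key)

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]  # a real authenticator hands back a public key

    def sign(self, origin, challenge):
        rp_id = origin.removeprefix("https://")  # browser derives rpId from the origin
        key = self.keys.get(rp_id)
        if key is None:
            return None  # no credential scoped to this site: nothing to approve
        client_data = json.dumps({"origin": origin, "challenge": challenge}).encode()
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return client_data, rp_id_hash, hmac.new(key, signed, "sha256").digest()


def rp_verify(key, assertion, challenge):
    # Relying-party checks: origin and challenge, rpIdHash, then the signature.
    client_data, rp_id_hash, sig = assertion
    data = json.loads(client_data)
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge:
        return False
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(key, signed, "sha256").digest())


def demo():
    auth, challenge = Authenticator(), secrets.token_hex(16)
    key = auth.register(RP_ID)
    legit = rp_verify(key, auth.sign(REAL_ORIGIN, challenge), challenge)
    # A phishing page relaying the real challenge gets no assertion at all.
    phish = auth.sign(PHISH_ORIGIN, challenge)
    auth.register(PHISH_ORIGIN.removeprefix("https://"))  # attacker's own-site credential
    forged = rp_verify(key, auth.sign(PHISH_ORIGIN, challenge), challenge)
    return {"legit": legit, "phish_assertion": phish, "forged_origin": forged}
```

The three outcomes in `demo()` are the whole argument: the genuine sign-in verifies, the look-alike site never gets a prompt to approve, and an assertion made for any other origin fails the relying party's check.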
You do not have to rip out your current MFA to close this gap. You need to layer on top of it and tune what is already there. A practical 90-day refresh looks like this.
Turn off basic push approval for high-privilege accounts. Anyone with admin rights, access to financial systems, or reach into sensitive data should be on phishing-resistant MFA. No exceptions for executives who find it inconvenient.
Enable number matching across the board. If you cannot deploy phishing-resistant MFA everywhere tomorrow, turn on number matching in Microsoft Authenticator (or your equivalent) as an interim measure. CISA recommends this as one of the best short-term mitigations for push fatigue [7]. Users have to type a number from the login screen into their phone, which breaks the reflex-approve loop.
Deploy Conditional Access policies that adapt to risk. Require stronger authentication when the sign-in is coming from an unusual location, an unmanaged device, or after hours. Block legacy authentication protocols that cannot support modern MFA at all.
Move admin accounts to just-in-time access. With tools like Microsoft's Privileged Identity Management, administrators request elevated permissions when they need them and lose those permissions automatically when the work is done. A compromised admin account that has no standing privileges is a much smaller problem.
Roll out passkeys for your workforce. Passkey adoption crossed a tipping point in 2025. The FIDO Alliance found that 69% of users now have at least one passkey, up from 39% awareness two years prior, and 48% of the top 100 websites now support them [8]. Your employees are already using this technology in their personal lives. Meeting them where they are makes rollout faster.
Train your team on the attack, not just the tool. Employees should know what MFA fatigue looks like, why legitimate logins never generate ten prompts in a row, and exactly who to call when they see one. The goal is not paranoia. It is pattern recognition.
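A detection rule for the burst pattern described above (many unapproved push prompts in quick succession, then an approval), as an added example that is not part of the original article. The log format, user names and the 10-minute / 5-prompt thresholds are constructed for the example; real identity-provider sign-in logs carry more fields, but the logic carries over.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back window for counting prompts per user
THRESHOLD = 5                   # unanswered or denied prompts that raise an alert

# Constructed MFA push events (timestamp, user, method, result); not real logs.
SAMPLE_LOG = """\
2025-10-03T02:14:05Z alice@corp.example push denied
2025-10-03T02:14:40Z alice@corp.example push timeout
2025-10-03T02:15:12Z alice@corp.example push denied
2025-10-03T02:15:50Z alice@corp.example push timeout
2025-10-03T02:16:25Z alice@corp.example push denied
2025-10-03T02:17:03Z alice@corp.example push approved
2025-10-03T08:00:00Z carol@corp.example push timeout
2025-10-03T09:01:10Z bob@corp.example push approved
2025-10-03T13:30:00Z carol@corp.example push denied
"""


def parse(log):
    for line in log.splitlines():
        ts, user, method, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result


def detect_push_fatigue(log, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, severity) alerts for push-bombing patterns.

    'high': `threshold` unapproved prompts for one user inside `window`.
    'critical': an approval right after such a burst, i.e. a fatigue attack
    that likely succeeded; escalate these first.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    for ts, user, method, result in sorted(parse(log)):
        if method != "push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # forget prompts older than the window
        if result == "approved":
            if len(q) >= threshold:
                alerts.append((user, ts, "critical"))
            q.clear()  # a normal approval resets the counter
        else:
            q.append(ts)
            if len(q) == threshold:
                alerts.append((user, ts, "high"))
    return alerts
```

On the sample data only alice trips the rule: a "high" alert on her fifth unapproved prompt and a "critical" one when the approval follows; bob's single approval and carol's two prompts hours apart stay silent.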
Identity is the new perimeter. That phrase gets repeated to the point of cliché, but it is true: in a cloud-first, mobile-first environment, the wall around your network has dissolved. The only consistent checkpoint left is the one at the login screen.
That is why identity and access management sits at the Secure stage of the Sentry Technology Maturity Model. Before a business can integrate systems at scale or innovate responsibly with AI, it has to know with confidence who is signing in, from where, with what device, and with what level of trust. Refreshing your login policies is not a cybersecurity side quest. It is the foundation that everything else is built on.
Most businesses we work with thought they had already solved this. They had not. The controls they turned on in 2020 were state of the art for 2020. The attackers moved. The controls have to move with them.
Yes. MFA, even legacy MFA, still blocks the vast majority of automated attacks. Disabling it would be a disaster. The point is to upgrade from legacy MFA to phishing-resistant MFA, not to abandon the control altogether.
Turning on number matching and moving admin accounts to phishing-resistant MFA. Those two changes eliminate the largest share of real-world attacks for the least disruption.
Yes. Microsoft, Google, Apple, and every major identity provider now support passkeys in enterprise environments. The 2025 FIDO Alliance data shows mainstream adoption, and rollout tooling has matured considerably. Start with pilot groups and expand.
For the accounts that still use passwords, yes. NIST guidance now recommends long, memorable passwords and removes the old mandate to force a rotation every 90 days, which research shows actually weakens security. Pair password guidance with breach-monitoring tools that alert you when employee credentials appear in known leaks.
It works better. Centralized identity management with modern MFA is one of the few security controls that scales cleanly across locations. Each site does not need its own policy. Your identity platform becomes the single source of truth, and every new location inherits the protection on day one.
If your MFA setup has not been revisited since you first rolled it out, it is probably doing less work than you think. The attackers are counting on that.
Sentry Technology Solutions helps businesses across 30+ states modernize identity and access as part of a full Technology Maturity Model engagement. If you want a clear-eyed look at where your authentication stands today and what it would take to close the gap, we can help. Start a conversation at sentryitsolutions.com.
1. Dark Analytics. "The Rising Threat of MFA Bombing in 2025." September 29, 2025. https://www.darkanalytics.com/post/the-rising-threat-of-mfa-bombing-in-2025-understanding-and-defending-against-push-notification-fatigue
2. Security Boulevard. "The Akira Playbook: How Ransomware Groups Are Weaponizing MFA Fatigue." November 2025. https://securityboulevard.com/2025/11/the-akira-playbook-how-ransomware-groups-are-weaponizing-mfa-fatigue/
3. Verizon. "2025 Data Breach Investigations Report." https://www.verizon.com/business/resources/reports/dbir/
4. CISA. "Scattered Spider Advisory, Updated." July 29, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
5. Microsoft. "Digital Defense Report 2025." https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report
6. FIDO Alliance. "World Passkey Day Research." May 1, 2025. https://fidoalliance.org/passkeys/
7. CISA. "Implement Number Matching in MFA Applications." https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
8. FIDO Alliance, ibid. https://fidoalliance.org/passkeys/