Detection
Organizations can detect MFA fatigue by instrumenting authentication telemetry and looking for abnormal patterns in push and OTP activity. Security teams should monitor surges of push notifications sent to a single account, especially repeated prompts the user declines or ignores, high volumes of failed OTP entries, and prompts for one account that originate from several geographies within a short window. Alex Weinert of Microsoft has described how attackers script these prompt storms to exhaust the user's resistance; an unusual prompt cadence (many requests within minutes, against a baseline of a few per day) is therefore a strong signal of abuse. Log sources should include identity provider sign-in and authentication-method logs, device and authenticator-app telemetry, and endpoint signals, so that prompt frequency can be correlated with session and device behavior. Detection must account for normal work patterns to avoid flagging benign spikes caused by legitimate reauthentication, token expiry, or corporate rollouts of a new authenticator.
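The sliding-window rule described above, as an added example (not code from the original page): a prompt count on its own is not flagged, because rollouts and token expiry cause benign bursts, but a burst corroborated by repeated denials or by prompts from more than one country is, and a run of failed OTP entries is flagged on its own. The event schema, the SAMPLE_EVENTS and the thresholds are constructed for illustration; real identity-provider logs carry the same fields under vendor-specific names.

```python
"""Sliding-window detection of MFA prompt storms over identity-provider events.

Added example, not code from the original page. The event schema and
SAMPLE_EVENTS are constructed; real IdP logs (sign-in logs, authentication
method logs) expose equivalent fields under other names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ev(ts, user, event, country):
    return {"ts": ts, "user": user, "event": event, "country": country}


# Constructed sample: alice is under a push storm from two countries and denies
# several prompts before a fatigued approval; bob's prompts are a benign burst of
# reauthentications he approves from one location; carol's OTP is being brute-forced.
SAMPLE_EVENTS = [
    _ev("2024-03-01T08:00:00Z", "alice", "push_sent", "BR"),
    _ev("2024-03-01T08:00:05Z", "alice", "push_denied", "BR"),
    _ev("2024-03-01T08:00:20Z", "alice", "push_sent", "BR"),
    _ev("2024-03-01T08:00:25Z", "alice", "push_denied", "BR"),
    _ev("2024-03-01T08:00:40Z", "alice", "push_sent", "NG"),
    _ev("2024-03-01T08:00:55Z", "alice", "push_sent", "NG"),
    _ev("2024-03-01T08:01:10Z", "alice", "push_sent", "BR"),
    _ev("2024-03-01T08:01:15Z", "alice", "push_denied", "BR"),
    _ev("2024-03-01T08:01:30Z", "alice", "push_sent", "NG"),
    _ev("2024-03-01T08:01:45Z", "alice", "push_approved", "NG"),
    _ev("2024-03-01T09:00:00Z", "bob", "push_sent", "US"),
    _ev("2024-03-01T09:00:03Z", "bob", "push_approved", "US"),
    _ev("2024-03-01T09:00:30Z", "bob", "push_sent", "US"),
    _ev("2024-03-01T09:00:33Z", "bob", "push_approved", "US"),
    _ev("2024-03-01T09:01:00Z", "bob", "push_sent", "US"),
    _ev("2024-03-01T09:01:03Z", "bob", "push_approved", "US"),
    _ev("2024-03-01T09:01:30Z", "bob", "push_sent", "US"),
    _ev("2024-03-01T09:01:33Z", "bob", "push_approved", "US"),
    _ev("2024-03-01T09:02:00Z", "bob", "push_sent", "US"),
    _ev("2024-03-01T09:02:03Z", "bob", "push_approved", "US"),
] + [_ev(f"2024-03-01T10:00:{5 * i:02d}Z", "carol", "otp_failed", "DE") for i in range(8)]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_prompt_storms(events, window=timedelta(minutes=5),
                         prompt_threshold=5, deny_threshold=2, otp_fail_threshold=5):
    """Return {user: finding} for accounts whose recent prompt activity looks abusive.

    Only the first trigger per user is recorded, so one storm yields one alert.
    """
    recent = defaultdict(deque)  # user -> deque of (datetime, event) inside the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = _parse_ts(ev["ts"])
        q = recent[ev["user"]]
        q.append((t, ev))
        while t - q[0][0] > window:  # evict events older than the window
            q.popleft()
        sent = [e for _, e in q if e["event"] == "push_sent"]
        denied = sum(1 for _, e in q if e["event"] == "push_denied")
        otp_failed = sum(1 for _, e in q if e["event"] == "otp_failed")
        countries = sorted({e["country"] for e in sent})
        reasons = []
        if len(sent) >= prompt_threshold and denied >= deny_threshold:
            reasons.append(f"{len(sent)} pushes, {denied} denied, within {window}")
        if len(sent) >= prompt_threshold and len(countries) > 1:
            reasons.append(f"pushes from {len(countries)} countries: {', '.join(countries)}")
        if otp_failed >= otp_fail_threshold:
            reasons.append(f"{otp_failed} failed OTP entries within {window}")
        if reasons and ev["user"] not in findings:
            findings[ev["user"]] = {"first_seen": ev["ts"], "pushes": len(sent),
                                    "denied": denied, "otp_failed": otp_failed,
                                    "countries": countries, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, finding in detect_prompt_storms(SAMPLE_EVENTS).items():
        print(user, finding["first_seen"], "; ".join(finding["reasons"]))
```

On the sample, alice is flagged at the fifth push (two denials and two countries already in the window), carol at the fifth failed OTP, and bob is not flagged despite five pushes in two minutes because every one was approved from a single country. In production the thresholds should be derived from the tenant's own baseline rather than taken from this example.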
Response
When an attack is detected, immediate containment focuses on isolating the affected account and stopping the automated authentication attempts: reset the password the attacker is using to trigger the prompts, revoke active sessions, and temporarily disable push approval for the account. Rate limiting and throttling push notifications at the identity provider, and suspending push for an account after repeated denials, reduce the effectiveness of prompt bombardment. NIST's Digital Identity Guidelines (SP 800-63B, authored by Paul A. Grassi and colleagues) emphasize phishing-resistant authenticators and session management as stronger defenses. Switching the user to a phishing-resistant second factor such as a platform or hardware security key closes the attacker's window while incident response proceeds.
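The throttle-and-contain behaviour described above, as an added example rather than code from the original page or from any identity provider. It models two hooks an IdP would call, one before dispatching a push and one after the user answers; the class and method names, the thresholds, the cooldown and the "step_up_required" decision are assumptions for illustration.

```python
"""Per-account throttle and automatic containment for MFA push prompts.

Added example, not code from the original page or any identity provider.
request_push / record_response are hypothetical IdP hooks; the thresholds
and the "step_up_required" decision are assumed values for illustration.
"""
from collections import defaultdict, deque


class PushThrottle:
    def __init__(self, max_pushes=3, window=600.0, deny_escalation=2, cooldown=900.0):
        self.max_pushes = max_pushes            # pushes allowed per account per window
        self.window = window                    # seconds
        self.deny_escalation = deny_escalation  # denials that disable push for the account
        self.cooldown = cooldown                # seconds push stays disabled after escalation
        self._sent = defaultdict(deque)         # user -> timestamps of pushes dispatched
        self._denied = defaultdict(deque)       # user -> timestamps of explicit denials
        self._locked_until = {}                 # user -> time at which push is re-enabled

    def _trim(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def request_push(self, user, now):
        """Decide whether to dispatch a push for `user` at time `now` (seconds).

        Returns "send", "throttled" (per-window cap hit, nothing goes out) or
        "step_up_required" (push approval disabled for this account; the sign-in
        must complete with a phishing-resistant authenticator instead).
        """
        if self._locked_until.get(user, 0.0) > now:
            return "step_up_required"
        self._trim(self._sent[user], now)
        self._trim(self._denied[user], now)
        if len(self._denied[user]) >= self.deny_escalation:
            # Repeated denials mean the user is rejecting prompts they did not
            # start: contain the storm instead of letting the attacker keep trying.
            self._locked_until[user] = now + self.cooldown
            return "step_up_required"
        if len(self._sent[user]) >= self.max_pushes:
            return "throttled"
        self._sent[user].append(now)
        return "send"

    def record_response(self, user, now, approved):
        """Record the user's answer to a push that was dispatched."""
        if not approved:
            self._denied[user].append(now)


def simulate_storm(attempts=8, interval=20.0, user_response="deny"):
    """Attacker retries the sign-in every `interval` seconds against one account.

    user_response is "deny" (user rejects each push that reaches them),
    "approve" or "ignore". Returns the list of throttle decisions.
    """
    throttle = PushThrottle()
    decisions = []
    for i in range(attempts):
        now = i * interval
        decision = throttle.request_push("victim", now)
        decisions.append(decision)
        if decision == "send" and user_response != "ignore":
            throttle.record_response("victim", now + 5.0, approved=(user_response == "approve"))
    return decisions


if __name__ == "__main__":
    for mode in ("deny", "ignore"):
        print(mode, simulate_storm(user_response=mode))
```

A user who denies the first two prompts causes the third request to lock push for the account, so the attacker gets no further chances to wear them down; a user who ignores the prompts is protected by the per-window cap instead. Both limits are deliberately conservative: a throttle that only fires after dozens of prompts has already let the fatigue attack run its course.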
Post-incident actions include forcing reauthentication with stronger methods, revoking suspicious sessions and refresh tokens, and applying conditional access policies that require step-up authentication or block sign-ins from risky locations. Conditional access should weigh behavioral signals and device health rather than treating a single approved MFA prompt as proof that the legitimate user is present. Human factors matter: employees under stress, facing language barriers, or unfamiliar with security prompts are more likely to approve fraudulent requests, and cultural norms about obedience to authority can increase susceptibility. Training that shows real attack examples and gives a clear escalation route for unexpected prompts reduces accidental approvals.
Longer-term controls combine engineering and policy: adopt phishing-resistant authenticators such as FIDO2 hardware keys, disable legacy authentication protocols that cannot enforce MFA, and configure the identity provider for number matching or confirmation dialogs that require the user to enter information shown on the login screen rather than simply tap Approve. Regional considerations matter because SIM swap and SMS interception risk vary by country; where SMS or voice-call factors remain in use they add exposure. Continuous monitoring, resilience testing, and coordination between security operations and HR on user communication improve detection and reduce the human toll of these attacks.