Something’s been bothering me about MFA lately. Over the last few months, I’ve had random push notifications pop up that I definitely didn’t trigger. Most of the time I just hit Deny and move on, but it made me realize how easy it is to go into autopilot, especially when you’re busy or half asleep.
It got me wondering how much MFA actually protects us once credentials are already leaked. At what point does it stop being a security control and start relying entirely on user patience?
19 Views
You’re describing MFA fatigue, even if you didn’t mean to. It isn’t really a technical cyber attack in the usual sense. It’s more like hacking a human. MFA fatigue works because attackers understand behaviour better than systems. Once they have a password, they don’t try to beat MFA, they just wear the person down until they make a mistake.
That framing actually helps. We keep thinking of attacks as code breaking into systems, but this is someone pushing buttons until a person slips up. No malware, no exploit, just pressure and timing.
That’s exactly what happened in the Uber breach in 2022. The attacker already had an employee’s credentials and kept sending MFA push requests repeatedly. On top of that, he messaged the employee pretending to be Uber IT and said the login needed approval. Eventually one push got approved. From that point on, the access was fully legitimate. MFA passed, session created, and the attacker even posted messages internally to prove access. Nothing was “hacked” in the traditional sense. The system trusted the approval because it came from the right person.
That’s what’s disturbing. From the logs, everything would look clean. Correct credentials, MFA approved, normal login flow. Makes you realize some of the hardest security problems aren’t technical at all. They’re about attention, context, and how people behave when they’re tired or interrupted.
Don't have an account? Sign up
