10

Battling MFA Fatigue Attacks with Hardware Security Keys for Phishing-Resistant MFA

As a cybersecurity professional, I have witnessed how even our best defenses can be twisted against us. One prime example is the rise of MFA fatigue attacks, a form of push-notification abuse that preys on users’ impatience and confusion. In this article, I want to shed light on what MFA fatigue is, why it’s a serious threat to multi-factor authentication security, and how hardware security keys can help provide phishing-resistant MFA to counter these attacks.

Understanding MFA Fatigue Attacks

MFA fatigue (sometimes called MFA prompt bombing or push fatigue) refers to a social engineering attack where an adversary floods a user with repeated multi-factor authentication prompts. Imagine receiving one login approval request after another on your phone’s authenticator app – dozens, even hundreds of push notifications asking “Approve sign-in?” over a short period. The attacker’s goal is to wear down your resistance. Eventually, out of annoyance or confusion, you might hit “Approve” just to silence the noise. That single moment of frustration is all the attacker needs to gain unauthorized access to your account.

This attack is only possible once the attacker already knows your primary credentials (username and password). After obtaining a valid password (often through phishing or leaked databases), the hacker still faces your MFA prompt. Instead of giving up, they exploit the human element of MFA. By bombarding you with incessant prompts – essentially push-notification abuse – they count on the chance that you’ll make a mistake or just give in. It’s an incredibly simple tactic, but sadly, it works more often than we’d like to admit.

Why Push-Notification Abuse Is a Serious Threat

Multi-factor authentication is meant to enhance security by requiring something more than just a password. It’s one of our most reliable defenses against account breaches. However, MFA fatigue attacks demonstrate that the effectiveness of MFA can be undermined if attackers manipulate the user’s experience. This threat is serious for several reasons:

• Exploiting Human Behavior: Attackers are leveraging the fact that humans can become complacent or irritated. When flooded with alerts, even vigilant users might eventually click “yes” without carefully verifying the details. It’s a psychological game of attrition, and the attackers only need to win once.
  
• Stealthy and Hard to Detect: From an IT or security operations perspective, a barrage of legitimate-looking push requests doesn’t always trigger alarms. After all, each prompt by itself is a normal authentication attempt. This means a push fatigue attack might not set off the same red flags that other hacking techniques do. The activity can blend in with regular user behavior, especially if the system isn’t monitoring for multiple rapid-fire approvals or denials.
  
• Recent High-Profile Breaches: We’ve seen real-world cases that underscore the danger. For example, an infamous 2022 incident at a major ride-sharing company where an attacker spammed an employee’s authenticator app with push requests; after dozens of notifications (and even contacting the employee pretending to be IT support), the fatigued user eventually approved one prompt, unwittingly granting the attacker access. Another case that year involved a large tech enterprise (Cisco) where attackers combined MFA bombing with voice phishing, again tricking a frustrated employee into authorizing a rogue login. These examples prove that multi-factor authentication security can be compromised if attackers target the people using the system rather than the technology itself. WIRED+1 
• Erosion of Trust in MFA: Over time, employees under constant authentication stress might start viewing security prompts as obstacles rather than protections. I’ve encountered users who become so tired of MFA prompts that they look for ways to bypass or disable them, especially if they suspect many of the prompts are false alarms. This erosion of trust is dangerous – it can lead to weaker overall security practices, like turning off important security features or ignoring genuine alerts.
  

In short, push-notification abuse as seen in MFA fatigue attacks turns a strength (extra authentication) into a potential weakness by exploiting the user’s diligence and patience. So how do we counter this threat without abandoning MFA altogether? The answer lies in making MFA smarter and more “phishing-resistant” – which is where hardware tokens come into play.

Moving Toward Phishing-Resistant MFA

Not all multi-factor authentication methods are created equal. Traditional MFA methods include things like one-time passcodes (via SMS or authenticator apps) or push notifications. While these are effective against many attacks, they are still susceptible to phishing and social engineering. For instance, a one-time code can be intercepted or tricked out of a user, and as we’ve discussed, a push prompt can be abused via fatigue. Phishing-resistant MFA aims to close these loopholes by using methods that attackers can’t easily trick or intercept.

As a cybersecurity expert, I often advise organizations to implement phishing-resistant MFA wherever possible. This term has gained traction recently, especially after advisories from government security agencies urging companies to upgrade their MFA methods. Phishing-resistant MFA refers to authentication methods that do not rely on shared secrets (like SMS codes or OTPs) and that can’t be easily relayed to an attacker even if a user is somehow duped. Two prominent examples are FIDO2/WebAuthn security keys and smart cards with certificates. Both require something physical and unique that an attacker cannot simply replicate or remotely trigger by spamming the user.

Implementing phishing-resistant MFA means that even if an attacker has your password, and even if they trick you with a very convincing phishing page or bombard you with requests, they still cannot get in without the physical key or device that’s in your possession. It adds a tangible, hard-to-fool element to the login process. Of these methods, one of the most accessible and effective for many organizations is the use of hardware security keys.

How Hardware Security Keys Defeat MFA Fatigue

Hardware security keys are small physical devices (often USB keys or NFC/Bluetooth tokens) that serve as a second factor for authentication. Examples include YubiKeys, Protectimus tokens, and other FIDO-certified tokens. I use and recommend these devices for a few compelling reasons:

• No Push, No Spam: Unlike smartphone-based MFA apps, hardware keys don’t display “Approve/Deny” push notifications that an attacker can spam. If an attacker tries to log in with your password, your system will prompt you to insert or tap your key. There is no simple “Yes” button that can be accidentally pressed out of habit or annoyance. The absence of push-notification style approval means an attacker cannot abuse the mechanism to wear you down. You either have the key and physically use it, or the login doesn’t proceed – there’s no way for an attacker to imitate that or force it remotely.
  
• Deliberate User Interaction: Using a hardware token requires a conscious physical action by the legitimate user. For instance, you might need to plug the key into your device and press a button on it at the moment of login. This action can’t be performed unwittingly in your sleep or with a quick tap on your phone while distracted. It forces a moment of deliberate thought -“I am now authenticating.” Attackers can’t generate that physical button press from afar. This greatly reduces the risk of the kind of reflexive or fatigued approvals that MFA fatigue attacks depend on.
  
• Phishing Resistance by Design: Modern hardware security keys (using protocols like FIDO2/WebAuthn) are built to thwart phishing. Even if you were somehow tricked into trying to use your key on a fraudulent website, the key uses cryptographic protocols that bind it to the legitimate domain. This means a phishing site can’t usually fool the key into granting access to the attacker. In practical terms, if an attacker sets up a fake login page to capture your password, they still hit a wall when the real site asks for the hardware key touch – the phony site won’t be able to interact with your key in a valid way. This is a huge improvement in multi-factor authentication security because it closes the loop that social engineers often exploit with OTP codes or push prompts.
  
• No Shared Secrets to Steal: Hardware tokens often work on public/private key cryptography. There’s no six-digit code that an attacker could intercept via SIM swap, no OTP that can be phished via a fake form, and no push prompt to abuse. The secret needed to authenticate stays securely on the device and never traverses the network. This means even a sophisticated man-in-the-middle attack is far less likely to succeed.
  
• Resilience Against Phone-targeted Attacks: Attackers have many tricks for phones – SIM swapping, malicious apps, device malware, or simply exploiting users’ reliance on mobile devices. A dedicated hardware key is immune to mobile malware and doesn’t rely on cellular networks. It can’t show a fake prompt generated by a virus, for example. By moving the second factor off the phone and into a separate hardware device, you compartmentalize your security. In my own experience, this has given many users peace of mind; they know that even if their phone is compromised or noisy with alerts, their logins still won’t succeed without that key in their hand.
  

Where Hardware OTP Tokens Fit (HOTP/TOTP/OCRA)

Hardware OTP tokens (programmable or classic, using HOTP/TOTP/OCRA) are a strong middle ground between push-based MFA and FIDO2/WebAuthn. Because codes are generated locally and offline, there’s no push prompt to spam, which makes OTP tokens effective against MFA fatigue. They also avoid SMS weaknesses (SIM-swap, interception) and reduce BYOD risk, so they work well for frontline staff, shared kiosks, semi-air-gapped sites, and regulated environments. At scale, centrally provisioning seeds and tracking inventory improves reliability and auditability.

Important limitations. OTP codes are still phishable/relayable via real-time proxy pages, and seed lifecycle must be tightly managed (HSM-backed generation, per-device secrets, secure import/escrow, rotation, and loss/clone handling). In other words, OTP tokens are a solid upgrade over SMS or basic app codes and they neutralize push-notification abuse, but they are not phishing-resistant in the same way as FIDO2/WebAuthn security keys.

Deployment tip. Use OTP tokens where push MFA is impractical or risky, and standardize FIDO2/WebAuthn for high-risk users (admins, engineers, executives). Representative FIDO2 options include YubiKey, Feitian security keys, and Protectimus tokens. Keep OTP as a robust fallback factor, pair with adaptive/conditional access, and continue user education (“never approve unexpected prompts,” verify domains, report anomalies).

Best Practices to Prevent MFA Fatigue Attacks

While hardware security keys are a top-tier solution for preventing push-based MFA abuses, a comprehensive strategy is important. Not every system or user may immediately transition to security keys, so it’s wise to strengthen all aspects of your MFA implementation. Here are some best practices I recommend to bolster your defenses against MFA fatigue attacks:

• Implement Number Matching (for Push MFA): If your organization uses push notification MFA (such as through a mobile authenticator app), enable number matching or additional context in the prompt. Number matching requires the user to type a number shown on the login screen into their app, confirming they are approving the specific login they initiated. It forces a verification step that’s hard to automate away, reducing accidental approvals. Microsoft announced enforcement of number matching in 2023 (see Entra announcement). Microsoft Learn+1 
• Limit Repeated Prompts: Configure your MFA system to rate-limit and block repeated authentication attempts. If an account receives an unusual number of MFA requests in a short time, it should be flagged or temporarily locked. This prevents attackers from sending infinite prompts. Many services now allow a maximum of, say, 3 push requests and then require a timeout. This protects users from constant bombardment and gives security teams a chance to investigate possible malicious activity.
  
• User Education and Awareness: Technology alone isn’t enough users need to be aware of MFA fatigue attacks. Make it a part of your security training to explain this tactic. I emphasize to employees and clients: never approve an MFA prompt that you didn’t expect; deny and report immediately.
  
• Tiered MFA Deployment: Consider using hardware tokens for high-value or high-risk accounts first. Administrators, IT staff, executives, and others with privileged access should be required to use hardware security keys or similarly strong MFA. For high assurance, NIST SP 800-63B defines AAL3 which relies on hardware-based authenticators with resistance to verifier impersonation. pages.nist.gov 
• Adaptive and Risk-Based MFA: Implement adaptive MFA policies where possible. Challenge users when risk is elevated (new device, unusual location) and reduce unnecessary prompts in low-risk scenarios. This cuts down on “noise” that contributes to fatigue while keeping security strong.
  

Conclusion

MFA fatigue attacks remind us that security is not just about technology, but also about understanding human behavior. As a cybersecurity expert, I firmly believe that multi-factor authentication is still essential for protecting accounts – yet we must evolve it to stay ahead of attackers. Embracing phishing-resistant MFA methods, especially hardware security keys, transforms MFA from a potentially abused tool back into a robust shield. These keys offer a tangible layer of security that attackers can’t easily manipulate or bypass with social engineering.

In my own professional experience, organizations that adopt hardware tokens for authentication see a dramatic drop in successful phishing and MFA fatigue incidents. Users may take a little time to adjust to using a security key, but once they do, they often appreciate the simplicity and the peace of mind it brings. There’s no more second-guessing random phone prompts – the authentication becomes a deliberate act, and that makes all the difference.

Ultimately, combating MFA fatigue attacks is about reinforcing trust in our security processes. By deploying stronger tools like hardware security keys and educating users, we ensure that multi-factor authentication security does what it’s meant to do: keep the bad guys out without placing an undue burden on the good guys. I encourage every organization to assess their MFA methods in light of these modern threats. The path forward is clear – phishing-resistant MFA via hardware security keys and smart policies – and it’s time we all take it to protect our digital front doors.

---