Medium: Widespread MFA Fatigue Campaign

Published: March 6, 2026 CVSS: 6.5

Affected Systems

Organizations using push-based MFA

A coordinated campaign is targeting organizations using push-based multi-factor authentication, bombarding users with approval requests until they accidentally or deliberately approve one. This technique was used in the Uber and Cisco breaches.

Mitigation Steps

Switch to number-matching MFA
Implement FIDO2/WebAuthn where possible
Set rate limits on MFA push notifications
Train users to report unsolicited MFA prompts