
SafeITExperts


Your expert guide to cybersecurity and digital privacy. Security hardening for all platforms: Windows, macOS, Linux, and Android. Solutions aligned with NIST and ANSSI standards for comprehensive digital protection.


MFA Fatigue 2025: Protect Your Accounts with Passwordless Authentication

Published by Cindy on 22 December 2025, 07:18am

Categories: #IT Security, #Security, #Cybersecurity


📋 Key Points 2025:

  • 🔴 MFA Fatigue: The harassment hacking that pushes you to make mistakes. Example: the Uber case.
  • 🟠 AiTM Phishing: The pro technique that intercepts everything, even your codes. Example: "EvilProxy" kits.
  • 🔵 FIDO2 & Passkeys: The end of phishing? Passwordless authentication is becoming standard.
  • 🟣 SIM-Swap: The line hijacking that costs millions. SMS should be banned.
  • 🟢 MFA, the basics: what it is, who it is for and how it works; we explain everything.
  • 🟡 Vigilance: Why you should never disable MFA.
  • ⚫ 2025 Plan: The ultimate checklist to secure your critical accounts.

Preamble

MFA, does that ring a bell? This acronym is everywhere in our digital world. Your banking app, your email, your online stores, your administrative access... it's there, lurking in the shadows, demanding a code or validation. Sometimes, it annoys us with its incessant notifications. But did you know that this Multi-Factor Authentication, this essential shield, could also "fatigue"? And when it fatigues, your security can falter.

1. Introduction

  • An outdated paradigm: Traditional MFA is no longer an infallible barrier against cyberattacks.
  • Emerging threats: Techniques like MFA bombing (notification fatigue) and AiTM phishing exploit its weaknesses.
  • Real impact: "MFA Fatigue" attacks grew 2.75x worldwide (i.e., +175%) in the context of ransomware attacks in 2024, and the resulting breaches lead to heavy fines (e.g., T-Mobile, $33M fine in 2025).
  • The response: Moving to robust standards like FIDO2 and using Passkeys constitute the new frontier of authentication.
  • Our goal: To provide you with clear analysis and practical solutions to strengthen your account security.

2. Fundamentals: MFA, An Essential Shield (But Perfectible)

2.1. MFA: The Basics - What is it, who is it for, how does it work?

Multi-factor authentication (MFA) is based on a simple principle: requiring multiple distinct identity proofs to access an account. These proofs are divided into three categories:

Something you know

A password, a PIN code.

Something you have

Your phone (to receive an SMS or notification), a physical security key.

Something you are

A fingerprint, facial recognition (biometrics).

The process is standardized: entering credentials → request for a second proof → validation → access granted. According to Microsoft, this method blocks over 99% of automated attacks.

2.2. A Brief History of MFA

  • 1984: Invention of the first physical tokens (RSA SecurID)
  • 2000s: Standardization with the OATH initiative (HOTP, TOTP)
  • 2010s: Democratization following mega data breaches (Yahoo, Adobe)
  • 2020+: Era of "passwordless" with FIDO2/WebAuthn

2.3. Its Daily Use: For Whom, For What?

Individuals

Protection of email (gateway to all accounts), online banking, social networks

Businesses

GDPR compliance, protection of cloud access (Office 365, AWS), securing customer data

2.4. 📊 Where to Find MFA? The 2025 Ecosystem

Category | Examples | Security Level
Web Apps | Google, Microsoft, AWS | Medium (vulnerable to AiTM)
Mobile Apps | Banking apps, Authenticators | High (fatigue risk)
Hardware | YubiKey, Google Titan | Very High (anti-phishing)
Social Networks | X (Twitter), Facebook, LinkedIn | Basic (upgrade recommended)
Enterprises | Salesforce, SAP, corporate VPN | Advanced (conditional policies)
IoT / Emerging | Nest, Ring, connected car | Variable (in development)

3. Modern Attacks That Bypass Classic MFA

3.1. MFA Fatigue: The Harassment That Pushes You to Make Mistakes

MFA bombing exploits human weakness rather than technology. The attacker, after obtaining your credentials (through phishing or data leaks), triggers dozens of login attempts. Your phone then receives an avalanche of notifications asking "Do you want to approve this login?" Exhausted or distracted, you end up pressing "Approve" to stop the spam, thus giving access to the hacker.

Statistics

+175% attacks in 2024 (Microsoft)

Real example

Attack against Uber in 2022 where an employee gave in to fatigue
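From the defender's side, the pattern described above (a burst of push prompts, then a late "Approve") is visible in the identity provider's push audit log. The following detector is an added example written for this article, not code from the page or from any vendor; the log lines are constructed and their field layout (timestamp, user=, event=, result=) is an assumed format, so parse_line() must be adapted to your IdP's export.

```python
"""Detect MFA push-bombing bursts in an identity provider's push audit log.

Added example, not code from the article. The log lines are constructed and
the field layout (timestamp, user=, event=, result=) is an assumed format,
not any vendor's real schema; adapt parse_line() to your IdP's export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per push prompt sent to a user's phone.
SAMPLE_LOG = """\
2025-12-20T08:01:02Z user=alice event=push_prompt result=approved
2025-12-20T22:14:05Z user=bob event=push_prompt result=timeout
2025-12-20T22:14:31Z user=bob event=push_prompt result=denied
2025-12-20T22:15:02Z user=bob event=push_prompt result=timeout
2025-12-20T22:15:40Z user=bob event=push_prompt result=timeout
2025-12-20T22:16:10Z user=bob event=push_prompt result=denied
2025-12-20T22:16:55Z user=bob event=push_prompt result=approved
2025-12-21T09:30:00Z user=carol event=push_prompt result=approved
2025-12-21T09:45:00Z user=carol event=push_prompt result=approved
"""

BURST_THRESHOLD = 4                  # prompts inside the window that make a burst
WINDOW = timedelta(minutes=10)
SEVERITY_RANK = {"medium": 1, "high": 2}

def parse_line(line):
    """'2025-..Z user=bob event=push_prompt result=denied' -> dict."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_bombing(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one alert per flooded user: (user, severity, prompts, first_ts, last_ts).

    A sliding window per user holds the prompts of the last `window`.
    >= threshold prompts -> 'medium' (the user is being flooded);
    if any prompt in that burst was approved -> 'high' (they may have given in).
    """
    recent = defaultdict(deque)          # user -> deque of (ts, result)
    alerts = {}                          # user -> worst alert seen so far
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("event") != "push_prompt":
            continue
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["result"]))
        while rec["ts"] - q[0][0] > window:      # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        severity = "high" if any(r == "approved" for _, r in q) else "medium"
        candidate = (rec["user"], severity, len(q), q[0][0], q[-1][0])
        prev = alerts.get(rec["user"])
        if prev is None or (SEVERITY_RANK[severity], len(q)) > (SEVERITY_RANK[prev[1]], prev[2]):
            alerts[rec["user"]] = candidate
    return sorted(alerts.values())

if __name__ == "__main__":
    for user, severity, n, first, last in detect_push_bombing(SAMPLE_LOG):
        print(f"[{severity.upper()}] {user}: {n} push prompts between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the constructed log, only bob trips the rule: six prompts in under three minutes, the last one approved, which is exactly the "gave in to the flood" case worth a same-day password reset and session revocation. The threshold and window are tuning knobs; start conservative and lower them once you know your users' normal prompt rate.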

3.2. AiTM Phishing: The Pro Technique That Intercepts Everything

Adversary-in-the-Middle (AiTM) is a sophisticated phishing technique using an invisible proxy. When you enter your credentials on a fake site, they are relayed in real time to the real site. When the latter requests MFA, the proxy forwards the request to you and intercepts your code or session cookie. The hacker can thus reuse your authenticated session and impersonate you, without ever needing your MFA device.

Available kits

EvilProxy, Tycoon 2FA (Phishing-as-a-Service)

Consequence

Makes SMS and TOTP codes obsolete as a defense against this attack

3.3. SIM-Swap: The Line Hijacking That Costs Millions

SIM-swap specifically targets SMS MFA. The hacker persuades your carrier to transfer your number to their own SIM card. They thus intercept all your SMS validation codes, potentially emptying your bank accounts or stealing your identity.

2024 Figures

$26 million in losses in the USA (DeepStrike)

2025 Figures

$33 million (T-Mobile conviction, DeepStrike)

Global statistics

+1055% unauthorized attacks in the UK in 2024 (Cifas)

Recent example

Leak of 850,000 customer records at Orange Belgium in 2025

3.4. Summary Table of MFA Threats in 2025

Attack | Mechanism | Vulnerability | Example
MFA Fatigue | Notification flooding | Human weakness | Uber (2022)
AiTM Phishing | Interceptor proxy | Trust in websites | EvilProxy kits
SIM-Swap | Fraudulent porting | SMS dependency | Orange Belgium (2025)

3.5. Visualizing Attacks: Explanatory Diagrams

Visually understanding different attack scenarios helps better grasp risks. Here are three diagrams illustrating respectively: the normal authentication process, an attack targeting an individual, and a sophisticated attack targeting an SME.

Diagram legend:
  • Malicious entity or attacker's action
  • Failure point or victim's action
  • Legitimate system

3.6. Secure Authentication Process


This diagram illustrates the normal flow of a secure MFA authentication, without any attack. Note the multiple verifications and the creation of a secure session.

sequenceDiagram
    participant U as User (Legitimate)
    participant N as Web Browser
    participant A as Authentication Server
    participant S as Application/Website
    Note over U, S: 🟢 Phase 1: Secure Login Initiation
    U->>N: 1. Accesses official URL
    N->>S: 2. HTTPS request (GET /login)
    S-->>N: 3. Returns login form
    N-->>U: 4. Displays login page
    Note over U, S: 🟠 Phase 2: Authentication (Credential Verification)
    U->>N: 5. Enters credentials (Login + Password)
    N->>A: 6. Sends credentials (encrypted)
    A->>A: 7. Verifies password (hashed)
    A-->>N: 8. "Success" + Requests MFA code
    Note over U, S: 🔵 Phase 3: MFA Verification (Double Guarantee)
    N-->>U: 9. Displays MFA code field
    U->>U: 10. Generates code on trusted device
    U->>N: 11. Enters MFA code
    N->>A: 12. Sends code for validation
    A->>A: 13. Validates MFA code
    Note over U, S: 🟣 Phase 4: Session Establishment
    A->>S: 14. "Authentication successful"
    S->>S: 15. Creates user session
    S-->>N: 16. Access granted + Session cookie (HttpOnly, Secure)
    N-->>U: 17. Redirects to secure homepage
    Note over U, S: 🟡 Phase 5: Continuous Interaction (Secure)
    U->>N: 18. Browses the site
    N->>S: 19. Sends session cookie with each request
    S->>S: 20. Verifies session cookie
    S-->>N: 21. Returns requested data
    N-->>U: 22. Displays data

3.7. Attack on an Individual (AiTM Phishing)


This attack typically targets personal accounts (email, social networks, banking). The attacker uses an invisible proxy to intercept credentials and MFA code in real time.

sequenceDiagram
    participant V as Victim (Individual)
    participant P as Malicious Proxy
    participant S as Real Service (Gmail, Facebook...)
    Note over V, S: 🟥 Phase 1: Lure & Identity Theft
    V->>P: 1. Clicks on phishing email link
    Note right of V: URL looks legitimate (e.g., gmail-security.com)
    P->>S: 2. Relays request to real site
    S->>P: 3. Returns real login page
    P->>V: 4. Displays page (visually identical)
    Note over V, S: 🟧 Phase 2: Credential Theft
    V->>P: 5. Enters credentials
    Note right of V: Thinking it's the real site
    P->>P: 6. Saves stolen credentials
    P->>S: 7. Injects stolen credentials
    Note over V, S: 🟨 Phase 3: MFA Bypass
    S->>P: 8. Requests MFA code
    P->>V: 9. Displays MFA field
    V->>P: 10. Enters MFA code (valid 60s)
    P->>S: 11. Injects MFA code in real time
    Note over V, S: 🟪 Phase 4: Session Theft
    S->>P: 12. Authentication successful + Session cookie
    P->>P: 13. Steals session cookie
    P--x V: 14. Redirects to fake error page
    Note right of P: Victim thinks it's an error
    Note over V, S: ⬛ Phase 5: Session Hijacking
    P->>S: 15. Uses stolen cookie to access account
    S-->>P: 16. Full silent access to account
    Note right of P: Attacker can see and export everything

3.8. Attack on an SME/Company (Targeted)


This sophisticated attack targets companies with more serious consequences. The attacker uses social engineering to target specific employees and access internal systems.

sequenceDiagram
    participant E as Employee (Victim)
    participant P as Malicious Proxy
    participant S as Corporate Server (VPN, OWA, CRM)
    Note over E, S: 🟥 Phase 1: Targeted Social Engineering
    E->>P: 1. Clicks on email link impersonating colleague/vendor
    Note right of E: Email appears urgent and legitimate
    P->>S: 2. Relays request
    S->>P: 3. Returns corporate login page
    P->>E: 4. Displays page (perfect copy)
    Note over E, S: 🟧 Phase 2: Professional Access Theft
    E->>P: 5. Enters AD/SSO credentials
    P->>P: 6. Saves corporate credentials
    P->>S: 7. Injects credentials
    S->>P: 8. Requests MFA code (if applicable)
    Note over E, S: 🟨 Phase 3: Enterprise MFA Bypass
    P->>E: 9. Displays MFA field
    E->>P: 10. Enters MFA code
    P->>S: 11. Injects MFA code
    Note over E, S: 🟪 Phase 4: Lateral Access & Escalation
    S->>P: 12. Access granted + Session cookie
    P->>P: 13. Steals session token
    P--x E: 14. Redirects or simulates maintenance
    Note over E, S: ⬛ Phase 5: Lateral Movement & Exfiltration
    P->>S: 15. Uses access to explore network
    P->>S: 16. Attempts privilege escalation
    P->>S: 17. Exfiltrates sensitive data
    Note right of P: Access to shared files, emails, DB...

4. The "Passwordless" Era: Advanced Solutions to Counter MFA Bypasses

Faced with emerging threats like MFA Fatigue and AiTM phishing, the challenge is not to abandon multi-factor authentication, but to evolve it towards resilient methods. This section explores robust alternatives that protect against phishing while offering an optimized user experience.

4.1. FIDO2 & Passkeys: Phishing-Resistant Authentication

The FIDO2 standard uses asymmetric cryptography to eliminate vulnerabilities of traditional methods. During registration, your device generates a unique key pair: a public key shared with the service, and a private key stored locally. Authentication relies on cryptographically signing a "challenge" sent by the site.

Why is FIDO2 unbreakable?

  • Domain binding: the credential is scoped to the legitimate site's origin (its relying party ID). The browser stamps the page's real origin into the data the authenticator signs, so a signature obtained on a look-alike domain is not valid for the real site, which makes technical phishing impossible.
  • No shared secret: there is nothing to intercept (no SMS code, no password). Only a cryptographic challenge-response exchange takes place.

Passkeys: Democratization of FIDO2

  • Private keys backed up in the cloud (Google, Apple, Microsoft) and synced across your devices.
  • +20% adoption in 2025 according to Microsoft.
  • Easier to use, with a 20% higher login success rate (FIDO Alliance).

4.2. Physical Security Keys: Ultimate Protection

Hardware devices (USB, NFC) that store your FIDO2 keys, offering maximum protection against malware and data exfiltration.

✅ Advantages

  • Maximum security: immune to malware targeting software solutions.
  • Multiple protocols: supports U2F, HOTP, TOTP and OpenPGP.
  • Professional adoption: 50% in enterprises vs 10% among individuals.

⚠️ Disadvantages

  • Cost: €20 to €70 per unit.
  • Loss risk: requires a backup key configured.
  • Logistics: physical device management.

🎯 For whom?

Cybersecurity professionals, critical administrative accounts, high-risk individuals (journalists, activists).

4.3. AI and Behavioral Biometrics: Proactive Detection

Contextual analysis systems integrated into identity platforms (Microsoft Entra ID, Okta, Google) to detect abnormal behaviors.

🔍 How it works?

  • Contextual analysis: device, location, network, time.
  • Behavioral biometrics: typing rhythm, browsing patterns.
  • Accuracy: 95% anomaly detection (Okta 2025).

🚀 Advantages

  • Transparency: enhanced security without user friction.
  • Proactive detection: blocks suspicious logins before compromise.
  • Adoption: 25% of SMEs in 2025 (Gartner).

⚠️ Limits

  • Cost: €1,000 to €10,000/year (enterprise solutions).
  • Privacy: extensive collection of behavioral data.
  • False positives: 5 to 10% risk of blocking legitimate logins.

⚠️ Privacy & Transparency

These systems analyze behavioral patterns; check your provider's privacy policy to understand what data is collected and how it's used.

4.4. Adaptive Authentication: Contextual Security

A dynamic approach that adjusts authentication requirements to the risk level of each login attempt.

⚙️ Operation

  • Real-time assessment: risk score based on 10+ factors.
  • Adaptive response: additional factor, blocking or direct access.
  • Transparency: smooth experience for legitimate logins.
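Here is what "risk score, then allow / step-up / block" looks like in code, as an added example written for this article (not code from the page or from any identity product). The factors, weights, thresholds and the three sample logins are assumptions chosen for illustration; a real risk engine uses many more signals and tuned weights, but the structure is the same.

```python
"""Adaptive (risk-based) authentication: score a login attempt from its
context and decide allow / step-up / block.

Added example, not code from the article or from any identity product.
Factors, weights, thresholds and the sample logins are assumptions chosen
for illustration; a real risk engine uses many more signals and tuned weights.
"""
import math
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LoginContext:
    user: str
    ts: datetime
    device_known: bool
    ip_reputation: str          # "clean" | "vpn" | "tor_or_hosting"
    lat: float
    lon: float
    failed_attempts_last_hour: int

@dataclass
class LastGoodLogin:
    ts: datetime
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(ctx, last, max_kmh=900.0):
    """True when reaching ctx from the last good login would beat airliner speed."""
    if last is None:
        return False
    hours = (ctx.ts - last.ts).total_seconds() / 3600
    if hours <= 0:
        return True
    return haversine_km(last.lat, last.lon, ctx.lat, ctx.lon) / hours > max_kmh

def risk_score(ctx, last):
    """Additive score plus the reasons that contributed (for the audit log)."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 30; reasons.append("unknown device")
    if ctx.ip_reputation == "vpn":
        score += 10; reasons.append("vpn egress")
    elif ctx.ip_reputation == "tor_or_hosting":
        score += 40; reasons.append("anonymising or hosting ip")
    if impossible_travel(ctx, last):
        score += 50; reasons.append("impossible travel")
    if not 6 <= ctx.ts.hour < 23:
        score += 10; reasons.append("off-hours")
    if ctx.failed_attempts_last_hour >= 3:
        score += 20; reasons.append("recent failed attempts")
    return score, reasons

def decide(score, allow_below=20, block_from=70):
    if score < allow_below:
        return "allow"
    if score >= block_from:
        return "block"
    return "step_up"                  # demand a phishing-resistant factor (FIDO2/passkey)

def evaluate(ctx, last):
    score, reasons = risk_score(ctx, last)
    return score, decide(score), reasons

# Constructed sample logins (Paris 48.86N 2.35E, New York 40.71N 74.01W).
PARIS, NEW_YORK = (48.8566, 2.3522), (40.7128, -74.0060)
SAMPLES = [
    (LoginContext("alice", datetime(2025, 12, 20, 10, 0), True, "clean", *PARIS, 0),
     LastGoodLogin(datetime(2025, 12, 20, 8, 0), *PARIS)),
    (LoginContext("bob", datetime(2025, 12, 20, 14, 0), False, "vpn", *PARIS, 0),
     LastGoodLogin(datetime(2025, 12, 20, 12, 0), *PARIS)),
    (LoginContext("carol", datetime(2025, 12, 20, 10, 0), True, "tor_or_hosting", *NEW_YORK, 0),
     LastGoodLogin(datetime(2025, 12, 20, 9, 0), *PARIS)),
]

def demo():
    return [(ctx.user, *evaluate(ctx, last)[:2]) for ctx, last in SAMPLES]

if __name__ == "__main__":
    for ctx, last in SAMPLES:
        print(ctx.user, evaluate(ctx, last))
```

Alice (known device, clean address, same city as her last login) is let straight in; bob (new device over a VPN) is asked for a stronger factor; carol's attempt (Paris to New York in one hour, from an anonymising address) is blocked outright. The "Limits" noted above show up directly in the weights: an attacker who imitates the context (known device fingerprint, residential IP in the right city) scores low, which is why step-up should demand a phishing-resistant factor rather than another push prompt.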

📋 Implementations

Google Advanced Protection Program, Microsoft Conditional Access, IAM solutions (Okta, Ping Identity).

⚖️ Advantages & Limits

+ Balances security/experience
+ Protection against abnormal travel
- Bypassable by context imitation
- Dependent on data quality

4.5. Best Practices: Strengthening Traditional MFA

Immediate measures to secure your access while awaiting full adoption of passwordless solutions.

📱 Authenticator Apps (TOTP)

Prefer Google Authenticator or Authy over SMS. Eliminates 95% of SIM-swap risks (DeepStrike).
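For readers who want to see what an authenticator app actually computes, here is an added example written for this article (not code from the page or from any authenticator project): HOTP and TOTP as specified in RFC 4226 and RFC 6238, checked against the RFCs' own published test vectors, plus a server-side verifier. The ±1-step drift window and the "never accept a step at or below the last accepted one" replay guard are common implementation choices, not normative RFC text, and are labelled as such in the code.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the RFC test vectors, plus a
server-side verifier that tolerates clock drift and refuses code reuse.

Added example, not code from the article. The verification window and the
replay guard are common implementation choices, not part of the RFCs.
"""
import hmac, hashlib, struct, time

def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP where the counter is the number of `step`-second periods."""
    t = int(time.time() if for_time is None else for_time) // step
    return hotp(secret, t, digits, algo)

class TotpVerifier:
    """Accepts the current step and ±window neighbouring steps (clock drift),
    and remembers the last accepted step per user so that a code captured
    once cannot be submitted a second time (implementation choice)."""
    def __init__(self, window=1, step=30, digits=6):
        self.window, self.step, self.digits = window, step, digits
        self.last_step = {}                     # user -> last accepted counter

    def verify(self, user, secret, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step.get(user, -1):
                continue                        # already used, or older than a used one
            if hmac.compare_digest(hotp(secret, step, self.digits), code):
                self.last_step[user] = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 4226 / RFC 6238 test secret
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
    v = TotpVerifier()
    code = totp(secret, 1111111109)
    print(v.verify("alice", secret, code, now=1111111109),   # True
          v.verify("alice", secret, code, now=1111111109))   # False: replay refused
```

Two things the code makes visible. First, the whole scheme rests on a shared secret: anyone holding `secret` (a leaked QR code, a compromised backup) produces the same codes, which is the gap FIDO2 closes. Second, the replay guard only defeats reuse of a code already accepted; a code relayed in real time by an AiTM proxy is accepted on first use, exactly as the table in section 3.4 says.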

🛡️ Disable Automatic Approvals

Require manual code entry. Neutralizes 80% of MFA bombing attacks (Proofpoint).
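The difference between a blind "Approve" button and a prompt that requires the number shown on the login screen can be shown in a few dozen lines. The following is an added example written for this article, not code from the page or from any authenticator vendor; the two-digit number, the 60-second lifetime and the result strings are assumptions modelling how number matching is commonly implemented.

```python
"""Push MFA with and without number matching.

Added example, not code from the article or any authenticator vendor. A blind
"Approve" tap satisfies the weak configuration; with number matching the user
must type the number displayed on the login screen, which a person who did not
start that login has never seen.
"""
import secrets, time

class PushMfa:
    def __init__(self, require_number_match, ttl_seconds=60):
        self.require_number_match = require_number_match
        self.ttl = ttl_seconds
        self.pending = {}            # login_id -> (user, number, expires_at)

    def start_login(self, user, now=None):
        """Server side: create a prompt. The number goes to the *login screen*;
        the phone only receives 'Approve this login?' and an input field."""
        now = time.time() if now is None else now
        login_id = secrets.token_hex(8)
        number = secrets.randbelow(100)                  # two-digit number (assumed size)
        self.pending[login_id] = (user, number, now + self.ttl)
        return login_id, number

    def respond(self, login_id, approved, typed_number=None, now=None):
        """Phone side answer, validated by the server. Each prompt is single use."""
        now = time.time() if now is None else now
        entry = self.pending.pop(login_id, None)
        if entry is None:
            return "unknown_or_used"
        _user, number, expires = entry
        if now > expires:
            return "expired"
        if not approved:
            return "denied"
        if self.require_number_match and typed_number != number:
            return "rejected_number_mismatch"
        return "approved"

def simulate(now=1_000_000.0):
    """Replay the fatigue scenario against both configurations."""
    out = {}
    weak = PushMfa(require_number_match=False)
    lid, _ = weak.start_login("alice", now=now)
    out["weak_blind_tap"] = weak.respond(lid, approved=True, now=now + 5)      # the flood wins
    out["weak_replay"] = weak.respond(lid, approved=True, now=now + 6)         # but only once
    strong = PushMfa(require_number_match=True)
    lid, _ = strong.start_login("alice", now=now)
    out["strong_blind_tap"] = strong.respond(lid, approved=True, now=now + 5)  # nothing typed
    lid, number = strong.start_login("alice", now=now)
    out["strong_legit"] = strong.respond(lid, approved=True, typed_number=number, now=now + 5)
    lid, number = strong.start_login("alice", now=now)
    out["strong_late"] = strong.respond(lid, approved=True, typed_number=number, now=now + 61)
    return out

if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:18} -> {v}")
```

The weak configuration is the one MFA bombing relies on: the user's reflexive tap is indistinguishable from a real approval. With number matching, the same tap is rejected, and a user who is being flooded has nothing to type because no login screen of theirs is showing a number. Keep the prompt lifetime short: a stale prompt that is still answerable is one more chance for a late tap.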

🎓 User Training

Raise awareness about suspicious notifications. According to Verizon DBIR 2025, training remains a major pillar of risk reduction.

🏢 Conditional Access (Enterprise)

Restrict access to approved devices/locations. Blocks 90% of suspicious attempts.

4.6. Detailed Comparison Table of MFA Solutions in 2025

Solution | Bombing Resistance | AiTM Resistance | SIM-Swap Resistance | Ease of Use | Approximate Cost | Adoption 2025 | For whom?
SMS | Low | Low | Low | Very Easy | Low | Declining | Beginners (avoid)
Authenticator App (TOTP) | Medium (manual entry) | Medium | High (vs SMS) | Easy | Low | ~80% | Everyone (transition)
FIDO2 Physical Key | High (no push) | High (phishing-resistant) | High (no SMS) | Medium | €20-70 | ~20% (FIDO Alliance) | Experts, Pros
Passkeys | High (biometrics/PIN) | High (FIDO2-based) | High (no SMS) | Very Easy | Low (OS integrated) | +20% (Microsoft) | Everyone
Behavioral AI | High (anomaly detection) | Medium (complement) | High (contextual) | Transparent | €1k-10k/year | ~25% SMEs (Gartner) | Enterprises
MFA Best Practices | Medium (disable push) | Low (vulnerable to proxies) | Medium (TOTP > SMS) | High (immediate) | Free to low cost | ~80% | All audiences
Open-Source Authenticator (e.g., Aegis) | High (manual entry) | Medium (vulnerable to proxies) | High (vs SMS) | Easy | Free | ~15% (tech-savvy niche) | Tech users concerned about auditability

5. Your Pragmatic Action Plan for 2025

5.1. Prioritization by account/user type

Individuals
  • Top priority: Passkeys for primary email.
  • Authenticator apps for banking and critical accounts.
  • Awareness of unsolicited notifications.
Professionals/Freelancers
  • FIDO2 physical keys for administrative access and critical cloud services.
  • Authenticator apps as secondary solution.
  • Configure "manual denial" for MFA notifications.
Large Enterprises
  • Phased deployment of physical keys for at-risk teams.
  • Implementation of adaptive authentication (Conditional Access).
  • Ongoing employee training on new threats.
  • Regular audit of MFA configurations.

5.2. Progressive migration guide

Period | Subject | Action
Week 1 | Secure | Secure primary email account with a Passkey.
Week 2 | SMS MFA | Replace SMS MFA with an authenticator app on banking accounts.
Week 3 | Disable | Disable "automatic push approvals" on all authenticator apps.
Week 4+ | Passkeys | Extend use of Passkeys or physical keys to other important services (GitHub, PayPal, etc.).
Monthly | Review | Account review and verification of recovery methods.

5.3. Immediate Action Checklist

🛑 DO NOT DISABLE MFA!

It remains essential against 99% of automated attacks

🔐 Top Priority: Protect Your Primary Email Account

Replace your current MFA method with a Passkey (Gmail, Outlook, Apple)

⚙️ Optimize Your Authenticator Apps

Disable the "Approve" option → Force manual entry of 6-digit code

📱 Ban SMS as Second Factor

Switch to authenticator apps (Google Authenticator, Authy)

👀 Vigilance: An Unsolicited Notification = Red Alert

Signals someone has your password → Change it immediately

🔄 Switch to Passkeys Gradually

Enable them on each important service (Amazon, GitHub, PayPal)

🛡️ For critical accounts:

Consider purchasing a FIDO2 physical security key.

6. How businesses can protect their teams

Mandatory MFA Policy

Make MFA (preferably TOTP or FIDO2) mandatory for all administrative access and sensitive systems.

Ongoing Training

Regularly educate employees about new attack techniques (MFA Fatigue, AiTM phishing) through cybersecurity briefings.

Clear Security Policies

Document MFA configuration procedures, backup key management, and response to alerts.

Centralized Authentication Solutions

Use IAM (Identity and Access Management) solutions like Azure AD, Okta or Google Workspace to manage and monitor authentication at scale.

Adaptive Authentication

Implement conditional policies (Conditional Access) to limit logins based on context (device, location).

Regular Security Audit

Periodically check MFA configurations of critical accounts and train teams on best practices.

7. Common mistakes to avoid

Approving an unsolicited MFA notification

This is the main entry point for MFA Fatigue attacks: never approve a prompt you did not trigger yourself.

Using SMS codes for critical accounts

SMS is inherently vulnerable to SIM swaps.

Using the same device for all factors

If the device is compromised, all security layers fall.

Ignoring platform security alerts

Suspicious login notifications should be taken seriously and investigated immediately.

Having no secondary recovery method

Risk of account lockout if access to the primary factor is lost (lost phone or key).

Not updating devices and applications

Updates often contain crucial security patches.

8. Conclusion

MFA is evolving

MFA is not dead, it's evolving. The time when "any MFA was enough" is over. Faced with adversaries using sophisticated tools, you need to choose the right MFA.

The future is in resistant standards

Traditional solutions (SMS, simple push notifications) show their limits against psychological harassment (MFA bombing) and technical interception (AiTM). The future is in phishing-resistant standards like FIDO2 and Passkeys, offering superior security without compromising simplicity.

Act pragmatically

The goal is not to panic but to act pragmatically: don't throw away your authenticator, but strengthen your protection where needed, starting with your email. Understanding these limits gives you the means to stay safe. By adopting the right solutions, you no longer suffer from cybersecurity, you stay one step ahead.

9. Glossary

AiTM (Adversary-in-the-Middle)
Attack technique where the attacker positions themselves between the user and the service to intercept and relay authentication information in real time.
FIDO2
Open authentication standard developed by the FIDO Alliance, enabling strong, phishing-resistant authentication based on public key cryptography.
CTAP (Client to Authenticator Protocol)
Protocol used by FIDO2 for communication between the client (browser/device) and the authenticator (security key).
MFA Bombing
Attack technique consisting of bombarding a user with authentication notifications until they approve out of fatigue or error.
Passkeys
Consumer-friendly form of FIDO2, enabling passwordless authentication synced in the cloud across all your devices.
Phishing
Deception technique aimed at stealing personal information by mimicking the appearance of a legitimate site or service.
SIM-Swap
Attack consisting of fraudulently transferring a phone number to a new SIM card controlled by the attacker to intercept SMS codes.
TOTP (Time-based One-Time Password)
Algorithm that generates a temporary unique code based on current time, used by authentication apps like Google Authenticator.
WebAuthn
Standardized web API that allows websites to use FIDO2 authentication via the browser.

10. Verified Sources

Source | Type | Data | Year
What is an MFA Fatigue Attack? | Security Report | MFA Fatigue attacks | 2024
Defend your users from MFA fatigue attacks | Usage Study | 74% of consumers know about passkeys and 69% of them have activated them (FIDO2 keys) | 2025
MFA Fatigue Attacks: Ultimate Prevention Guide | Usage Study | 74% of consumers know about passkeys and 69% of them have activated them (FIDO2 keys) | 2025
How MFA Fatigue Attacks Work & 6 Ways to Defend Against Them | How MFA Fatigue Attacks | Defend Against Them | 2024
Security Intelligence Blog | Analysis | SIM-Swap fraud | 2024

11. SafeITExperts Recommended Reading

Reading | Description
2025 Security Guide: Proactive Protection for Linux, Windows, and macOS | Protection Linux, macOS and Windows
Smartphone Security 2025: Comprehensive Technical Guide | Smartphone, Security
Secure Passwords 2025: 10 Unbreakable ANSSI Secrets | Password, Secure, IT computer
Bank Card Security | Computer under Linux, Windows, ChromeOS, macOS stolen: security guide