MFA Fatigue: Why Your Login Policies Need a Refresh
MFA fatigue attacks succeed by spamming users with push notifications until someone approves one just to make it stop. In 2026, traditional MFA is no longer enough on its own. Businesses need phishing-resistant methods like passkeys, number matching, and Conditional Access policies to stop identity-based breaches before they start.

You rolled out multi-factor authentication years ago. You checked the compliance box. You told your team to stop complaining about the extra step. And for a while, that was enough.

It is not anymore. The attackers have adapted. MFA is still one of the most important controls a business can deploy, but the version most companies are running in 2026 was designed for threats that no longer dominate the landscape. If your login policies have not been reviewed since you first turned MFA on, you have a gap that criminals are actively pricing into their business model.

Here is what changed, and what to do about it.

What Is an MFA Fatigue Attack?

An MFA fatigue attack (sometimes called MFA bombing or push-notification spamming) is a social engineering technique that targets the approve button on your phone rather than your password.

The attacker already has your password. That part is not the hard step. With 3.8 billion credentials leaked in the first half of 2025 alone,[1] stolen passwords are a commodity. What the attacker needs is your MFA approval. So they log in repeatedly and trigger dozens of push notifications to your phone. Ten prompts. Twenty. Fifty. Late at night, during a meeting, in the middle of a workout.

Eventually most people tap Approve just to make the buzzing stop, or because they assume it is a glitch, or because they think they must have forgotten they were logging in somewhere. That single tap is the breach.

Why Is Traditional MFA Failing in 2026?

Because the threat model it was built for has shifted. Three data points tell the story.

First, MFA is no longer a silver bullet against modern intrusions. Incident response teams report that 79% of business email compromise victims they investigated in 2024 and 2025 had MFA enabled at the time of the breach.[2] The attacker got in anyway.

Second, credentials are still the weakest link in the chain. The 2025 Verizon Data Breach Investigations Report found that stolen credentials were the initial access vector in 22% of breaches, and that 88% of attacks against basic web applications involved stolen credentials.[3] In the same report, the median daily share of credential stuffing attempts across enterprise authentication logs was 19%. One in every five login attempts Verizon saw was an attacker trying keys they already had.

Third, ransomware crews have productized MFA fatigue. Groups like Scattered Spider, Muddled Libra, and Akira now treat push bombing as a standard opening move. CISA updated its advisory on Scattered Spider in July 2025 specifically to emphasize that modern intrusions often begin with identity compromise rather than malware.[4]

The tooling your team uses to sign in every day is the front door, and the lock has been picked.

What Makes Phishing-Resistant MFA Different?

Not all MFA is created equal. Regulators, Microsoft, and CISA now draw a sharp line between legacy MFA (SMS codes, one-time passwords, basic push approval) and phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication).

The difference is cryptographic. Phishing-resistant methods bind the authentication to the specific site or service you are actually trying to reach. An attacker cannot trick you into approving a login to their fake page because the key refuses to sign the wrong domain. There is nothing to fatigue, nothing to type into the wrong box, nothing to forward by accident.

Microsoft's 2025 Digital Defense Report is blunt about it: phishing-resistant MFA stops more than 99% of identity-based attacks even when the adversary already has valid credentials.[5] The FIDO Alliance reports a 95%+ reduction in credential-based attacks for organizations that roll out passkeys, along with a 93% login success rate compared to 63% for traditional methods.[6]

In plain terms: it is more secure and less painful to use. That combination is rare.

How Should Your Login Policies Change Right Now?

You do not have to rip out your current MFA to close this gap. You need to layer on top of it and tune what is already there. A practical 90-day refresh looks like this.

- Turn off basic push approval for high-privilege accounts. Anyone with admin rights, access to financial systems, or reach into sensitive data should be on phishing-resistant MFA. No exceptions for executives who find it inconvenient.
- Enable number matching across the board. If you cannot deploy phishing-resistant MFA everywhere tomorrow, turn on number matching in Microsoft Authenticator (or your equivalent) as an interim measure. CISA recommends this as one of the best short-term mitigations for push fatigue.[7] Users have to type a number from the login screen into their phone, which breaks the reflex-approve loop.
- Deploy Conditional Access policies that adapt to risk. Require stronger authentication when the sign-in is coming from an unusual location, an unmanaged device, or after hours. Block legacy authentication protocols that cannot support modern MFA at all.
- Move admin accounts to just-in-time access. With tools like Microsoft's Privileged Identity Management, administrators request elevated permissions when they need them and lose those permissions automatically when the work is done. A compromised admin account that has no standing privileges is a much smaller problem.
- Roll out passkeys for your workforce. Passkey adoption crossed a tipping point in 2025. The FIDO Alliance found that 69% of users now have at least one passkey, up from 39% awareness two years prior, and 48% of the top 100 websites now support them.[8] Your employees are already using this technology in their personal lives. Meeting them where they are makes rollout faster.
- Train your team on the attack, not just the tool. Employees should know what MFA fatigue looks like, why legitimate logins never generate ten prompts in a row, and exactly who to call when they see one. The goal is not paranoia. It is pattern recognition.

Where Does MFA Fit Into Your Broader Security Strategy?

Identity is the new perimeter. That phrase gets repeated to the point of cliche, but it is true: in a cloud-first, mobile-first environment, the wall around your network has dissolved. The only consistent checkpoint left is the one at the login screen.

That is why identity and access management sits at the Secure stage of the Sentry Technology Maturity Model. Before a business can integrate systems at scale or innovate responsibly with AI, it has to know with confidence who is signing in, from where, with what device, and with what level of trust. Refreshing your login policies is not a cybersecurity side quest. It is the foundation that everything else is built on.

Most businesses we work with thought they had already solved this. They had not. The controls they turned on in 2020 were state of the art for 2020. The attackers moved. The controls have to move with them.

Frequently Asked Questions

Is MFA still worth having if attackers can bypass it?
Yes. MFA, even legacy MFA, still blocks the vast majority of automated attacks. Disabling it would be a disaster. The point is to upgrade from legacy MFA to phishing-resistant MFA, not to abandon the control altogether.

What is the single highest-impact change we can make this quarter?
Turning on number matching and moving admin accounts to phishing-resistant MFA. Those two changes eliminate the largest share of real-world attacks for the least disruption.

Are passkeys ready for business use?
Yes. Microsoft, Google, Apple, and every major identity provider now support passkeys in enterprise environments. The 2025 FIDO Alliance data shows mainstream adoption, and rollout tooling has matured considerably. Start with pilot groups and expand.

Do we still need password policies if we move to passkeys?
For the accounts that still use passwords, yes. NIST guidance now recommends long, memorable passwords and removes the old mandate to force a rotation every 90 days, which research shows actually weakens security. Pair password guidance with breach-monitoring tools that alert you when employee credentials appear in known leaks.

How does this work for a business with multiple locations or franchisees?
It works better. Centralized identity management with modern MFA is one of the few security controls that scales cleanly across locations. Each site does not need its own policy. Your identity platform becomes the single source of truth, and every new location inherits the protection on day one.

Refreshing Your Login Policies, Together

If your MFA setup has not been revisited since you first rolled it out, it is probably doing less work than you think. The attackers are counting on that.

Sentry Technology Solutions helps businesses across 30+ states modernize identity and access as part of a full Technology Maturity Model engagement. If you want a clear-eyed look at where your authentication stands today and what it would take to close the gap, we can help. Start a conversation at sentryitsolutions.com.

References

1. Dark Analytics. "The Rising Threat of MFA Bombing in 2025." September 29, 2025. https://www.darkanalytics.com/post/the-rising-threat-of-mfa-bombing-in-2025-understanding-and-defending-against-push-notification-fatigue
2. Security Boulevard. "The Akira Playbook: How Ransomware Groups Are Weaponizing MFA Fatigue." November 2025. https://securityboulevard.com/2025/11/the-akira-playbook-how-ransomware-groups-are-weaponizing-mfa-fatigue/
3. Verizon. "2025 Data Breach Investigations Report." https://www.verizon.com/business/resources/reports/dbir/
4. CISA. "Scattered Spider Advisory, Updated." July 29, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
5. Microsoft. "Digital Defense Report 2025." https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report
6. FIDO Alliance. "World Passkey Day Research." May 1, 2025. https://fidoalliance.org/passkeys/
7. CISA. "Implement Number Matching in MFA Applications." https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
8. FIDO Alliance, ibid. https://fidoalliance.org/passkeys/
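The article's point that legitimate logins never generate ten prompts in a row can be turned into a sign-in log check. The sketch below is an added example, not part of the original post: the key=value log format, the 10-minute window and the threshold of 10 are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 10                  # assumed burst size ("ten prompts in a row")

def build_sample():
    """Constructed log lines in a made-up key=value format (not a vendor schema)."""
    row = "2026-01-12T{}Z user={} event=mfa_push result={} src={}".format
    lines = [row(f"02:14:{i * 5:02d}", "alice", "timeout" if i % 3 == 0 else "denied",
                 "203.0.113.7") for i in range(12)]           # 12 prompts in one minute
    lines.append(row("02:15:10", "alice", "approved", "203.0.113.7"))
    lines.append(row("09:00:00", "bob", "denied", "198.51.100.20"))  # single mis-tap
    lines.append(row("09:00:20", "bob", "approved", "198.51.100.20"))
    lines += [row(f"10:{i * 5:02d}:00", "carol", "denied", "192.0.2.44")
              for i in range(11)]                              # slow, 5 minutes apart
    return lines

def parse(line):
    """Split '<ISO time> key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Flag users with >= threshold unapproved push prompts inside the window.

    'burst' means prompts were spammed but none approved; 'approved_after_burst'
    means an approval arrived while the burst was still inside the window.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev.get("event") != "mfa_push":
            continue
        user, q = ev["user"], recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if ev["result"] == "approved":
            if len(q) >= threshold:
                alerts[user] = {"user": user, "severity": "approved_after_burst",
                                "prompts": len(q), "src": ev["src"]}
            q.clear()
        else:  # denied, timeout, or any other non-approval result
            q.append(ev["ts"])
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "severity": "burst", "prompts": 0}
            if user in alerts and alerts[user]["severity"] == "burst":
                alerts[user]["prompts"] = max(alerts[user]["prompts"], len(q))
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_fatigue(build_sample()):
        print(alert)
```

An `approved_after_burst` alert is the case the article calls "the breach" and warrants session revocation and a credential reset; a plain `burst` means the password is already known to someone else even though no prompt was approved.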
Read full post on sentrytechsolutions.com

MSPdb™ News
MFA Rollout Guide for Florida Small Businesses 2026
How to roll out multi-factor authentication for your Florida small business without locking staff out — the right MFA method for each account type, common mistakes, and how to handle resistance.
Read full post on simplyit.biz
This Week In Cybersecurity | July 4th, 2026
This Week in Cybersecurity Each week at Applied Tech we recap the biggest cybersecurity news headlines from the week to keep you informed and ready to face the latest threats. Here’s your breakdown for the week of June 27th – July 4th! Hackers Had Months-Long Access to Kubota Network Between March and April of this
Read full post on appliedtech.us
How IT Documentation Saves Businesses During Emergencies
A key employee is unavailable, the main server has stopped responding, and nobody knows which vendor manages the backup system. The team can see that something is wrong, but the information needed to solve it is scattered across inboxes, personal notes, and the memory of one technical employee. This is when a manageable technology issue
Read full post on fantasticit.com
Business Email Compromise Florida Small Business 2026
How business email compromise works in Florida — the 4 BEC variants targeting small businesses, the process gaps attackers exploit, and the technical controls that prevent wire fraud losses.
Read full post on simplyit.biz
IT Asset and Documentation Management: The Backbone You Only Notice When It Is Missing
A small business calls their IT provider first thing Monday. The server that runs their main line-of-business application is down. The person who originally set it up left the company eight months ago. Nobody has the admin password. Nobody is sure where the backups live, or whether they have been running. Nobody knows how old
Read full post on harmony-msp.com
Managed IT Services Washington DC: What Federal-Adjacent Firms Should Demand in 2026
A single unpatched file-transfer server is all it takes. With CISA-flagged flaws being exploited across the DC corridor, the right managed IT services Washington DC partner keeps you patched, monitored, and audit-ready...
Read full post on ridgeit.com
How to Recognize an IT Partner That Can Actually Keep Up With Your Business
Choose an IT partner that offers scalable solutions, 24/7 support, strong cybersecurity, and compliance expertise to securely support your business growth and government contract needs.
Read full post on splice.net
Cost of Cyber Attacks on Businesses and Your Bottom Line
Understanding Cyber Threats to Businesses In today’s digitally driven world, organizations face unprecedented risks from cyber attacks. The cost of cyber attacks on businesses continues to rise as organizations become more dependent on cloud platforms, remote access, SaaS applications, and interconnected third-party systems. What used to be isolated security incidents now regularly turn into
Read full post on alvaka.net
Why Cybersecurity Matters This 4th of July for Businesses
The Fourth of July is a time to celebrate Independence Day across the United States, but it is also a time for businesses to think seriously about cybersecurity as their own country moves forward. While your team enjoys the holiday, cybercriminals may look for easy openings. Reduced staffing, delayed responses, and distracted employees can create
Read full post on vcsolutions.com
Technology Planning Mistakes Small Businesses Make
Most small businesses don’t have a technology plan problem because they lack good intentions. They have one because IT decisions get made reactively, one purchase or outage at a time, until the whole setup feels held together with tape. The result is predictable: surprise costs, recurring outages, and a leadership team that finds out about…
Read full post on swifttechsolutions.com