Your IT guy retiring? Time for an IT team.
Discover leading Managed IT Service Providers across USA, Canada & the United Kingdom.
- 100s of leading MSPs
- Find a MSP near you
- Latest IT news for SMBs
MFA Fatigue: Why Your Login Policies Need a Refresh
MFA fatigue attacks succeed by spamming users with push notifications until someone approves one just to make it stop. In 2026, traditional MFA is no longer enough on its own. Businesses need phishing-resistant methods like passkeys, number matching, and Conditional Access policies to stop identity-based breaches before they start. You rolled out multi-factor authentication years ago. You checked the compliance box. You told your team to stop complaining about the extra step. And for a while, that was enough. It is not anymore. The attackers have adapted. MFA is still one of the most impo
MFA fatigue attacks succeed by spamming users with push notifications until someone approves one just to make it stop. In 2026, traditional MFA is no longer enough on its own. Businesses need phishing-resistant methods like passkeys, number matching, and Conditional Access policies to stop identity-based breaches before they start. You rolled out multi-factor authentication years ago. You checked the compliance box. You told your team to stop complaining about the extra step. And for a while, that was enough. It is not anymore. The attackers have adapted. MFA is still one of the most important controls a business can deploy, but the version most companies are running in 2026 was designed for threats that no longer dominate the landscape. If your login policies have not been reviewed since you first turned MFA on, you have a gap that criminals are actively pricing into their business model. Here is what changed, and what to do about it. What Is an MFA Fatigue Attack? An MFA fatigue attack (sometimes called MFA bombing or push-notification spamming) is a social engineering technique that targets the approve button on your phone rather than your password. The attacker already has your password. That part is not the hard step. With 3.8 billion credentials leaked in the first half of 2025 alone,1 stolen passwords are a commodity. What the attacker needs is your MFA approval. So they log in repeatedly and trigger dozens of push notifications to your phone. Ten prompts. Twenty. Fifty. Late at night, during a meeting, in the middle of a workout. Eventually most people tap Approve just to make the buzzing stop, or because they assume it is a glitch, or because they think they must have forgotten they were logging in somewhere. That single tap is the breach. Why Is Traditional MFA Failing in 2026? Because the threat model it was built for has shifted. Three data points tell the story. First, MFA is no longer a silver bullet against modern intrusions. Incident response teams report that 79% of business email compromise victims they investigated in 2024 and 2025 had MFA enabled at the time of the breach.2 The attacker got in anyway. Second, credentials are still the weakest link in the chain. The 2025 Verizon Data Breach Investigations Report found that stolen credentials were the initial access vector in 22% of breaches, and that 88% of attacks against basic web applications involved stolen credentials.3 In the same report, the median daily share of credential stuffing attempts across enterprise authentication logs was 19%. One in every five login attempts Verizon saw was an attacker trying keys they already had. Third, ransomware crews have productized MFA fatigue. Groups like Scattered Spider, Muddled Libra, and Akira now treat push bombing as a standard opening move. CISA updated its advisory on Scattered Spider in July 2025 specifically to emphasize that modern intrusions often begin with identity compromise rather than malware.4 The tooling your team uses to sign in every day is the front door, and the lock has been picked. What Makes Phishing-Resistant MFA Different? Not all MFA is created equal. Regulators, Microsoft, and CISA now draw a sharp line between legacy MFA (SMS codes, one-time passwords, basic push approval) and phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication). The difference is cryptographic. Phishing-resistant methods bind the authentication to the specific site or service you are actually trying to reach. An attacker cannot trick you into approving a login to their fake page because the key refuses to sign the wrong domain. There is nothing to fatigue, nothing to type into the wrong box, nothing to forward by accident. Microsoft's 2025 Digital Defense Report is blunt about it: phishing-resistant MFA stops more than 99% of identity-based attacks even when the adversary already has valid credentials.5 The FIDO Alliance reports a 95%+ reduction in credential-based attacks for organizations that roll out passkeys, along with a 93% login success rate compared to 63% for traditional methods.6 In plain terms: it is more secure and less painful to use. That combination is rare. How Should Your Login Policies Change Right Now? You do not have to rip out your current MFA to close this gap. You need to layer on top of it and tune what is already there. A practical 90-day refresh looks like this. Turn off basic push approval for high-privilege accounts. Anyone with admin rights, access to financial systems, or reach into sensitive data should be on phishing-resistant MFA. No exceptions for executives who find it inconvenient. Enable number matching across the board. If you cannot deploy phishing-resistant MFA everywhere tomorrow, turn on number matching in Microsoft Authenticator (or your equivalent) as an interim measure. CISA recommends this as one of the best short-term mitigations for push fatigue.7 Users have to type a number from the login screen into their phone, which breaks the reflex-approve loop. Deploy Conditional Access policies that adapt to risk. Require stronger authentication when the sign-in is coming from an unusual location, an unmanaged device, or after hours. Block legacy authentication protocols that cannot support modern MFA at all. Move admin accounts to just-in-time access. With tools like Microsoft's Privileged Identity Management, administrators request elevated permissions when they need them and lose those permissions automatically when the work is done. A compromised admin account that has no standing privileges is a much smaller problem. Roll out passkeys for your workforce. Passkey adoption crossed a tipping point in 2025. The FIDO Alliance found that 69% of users now have at least one passkey, up from 39% awareness two years prior, and 48% of the top 100 websites now support them.8 Your employees are already using this technology in their personal lives. Meeting them where they are makes rollout faster. Train your team on the attack, not just the tool. Employees should know what MFA fatigue looks like, why legitimate logins never generate ten prompts in a row, and exactly who to call when they see one. The goal is not paranoia. It is pattern recognition. Where Does MFA Fit Into Your Broader Security Strategy? Identity is the new perimeter. That phrase gets repeated to the point of cliche, but it is true: in a cloud-first, mobile-first environment, the wall around your network has dissolved. The only consistent checkpoint left is the one at the login screen. That is why identity and access management sits at the Secure stage of the Sentry Technology Maturity Model. Before a business can integrate systems at scale or innovate responsibly with AI, it has to know with confidence who is signing in, from where, with what device, and with what level of trust. Refreshing your login policies is not a cybersecurity side quest. It is the foundation that everything else is built on. Most businesses we work with thought they had already solved this. They had not. The controls they turned on in 2020 were state of the art for 2020. The attackers moved. The controls have to move with them. Frequently Asked Questions Is MFA still worth having if attackers can bypass it? Yes. MFA, even legacy MFA, still blocks the vast majority of automated attacks. Disabling it would be a disaster. The point is to upgrade from legacy MFA to phishing-resistant MFA, not to abandon the control altogether. What is the single highest-impact change we can make this quarter? Turning on number matching and moving admin accounts to phishing-resistant MFA. Those two changes eliminate the largest share of real-world attacks for the least disruption. Are passkeys ready for business use? Yes. Microsoft, Google, Apple, and every major identity provider now support passkeys in enterprise environments. The 2025 FIDO Alliance data shows mainstream adoption, and rollout tooling has matured considerably. Start with pilot groups and expand. Do we still need password policies if we move to passkeys? For the accounts that still use passwords, yes. NIST guidance now recommends long, memorable passwords and removes the old mandate to force a rotation every 90 days, which research shows actually weakens security. Pair password guidance with breach-monitoring tools that alert you when employee credentials appear in known leaks. How does this work for a business with multiple locations or franchisees? It works better. Centralized identity management with modern MFA is one of the few security controls that scales cleanly across locations. Each site does not need its own policy. Your identity platform becomes the single source of truth, and every new location inherits the protection on day one. Refreshing Your Login Policies, Together If your MFA setup has not been revisited since you first rolled it out, it is probably doing less work than you think. The attackers are counting on that. Sentry Technology Solutions helps businesses across 30+ states modernize identity and access as part of a full Technology Maturity Model engagement. If you want a clear-eyed look at where your authentication stands today and what it would take to close the gap, we can help. Start a conversation at sentryitsolutions.com. References 1. Dark Analytics. "The Rising Threat of MFA Bombing in 2025." September 29, 2025. https://www.darkanalytics.com/post/the-rising-threat-of-mfa-bombing-in-2025-understanding-and-defending-against-push-notification-fatigue 2. Security Boulevard. "The Akira Playbook: How Ransomware Groups Are Weaponizing MFA Fatigue." November 2025. https://securityboulevard.com/2025/11/the-akira-playbook-how-ransomware-groups-are-weaponizing-mfa-fatigue/ 3. Verizon. "2025 Data Breach Investigations Report." https://www.verizon.com/business/resources/reports/dbir/ 4. CISA. "Scattered Spider Advisory, Updated." July 29, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a 5. Microsoft. "Digital Defense Report 2025." https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report 6. FIDO Alliance. "World Passkey Day Research." May 1, 2025. https://fidoalliance.org/passkeys/ 7. CISA. "Implement Number Matching in MFA Applications." https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf 8. FIDO Alliance, ibid. https://fidoalliance.org/passkeys/ Dark Analytics, "The Rising Threat of MFA Bombing in 2025," September 29, 2025.↩︎ Security Boulevard, "The Akira Playbook: How Ransomware Groups Are Weaponizing MFA Fatigue," November 2025.↩︎ Verizon, "2025 Data Breach Investigations Report," 2025.↩︎ CISA, "Scattered Spider Advisory, Updated," July 29, 2025.↩︎ Microsoft, "Digital Defense Report 2025."↩︎ FIDO Alliance, "World Passkey Day Research," May 1, 2025.↩︎ CISA, "Implement Number Matching in MFA Applications" fact sheet.↩︎ FIDO Alliance, "World Passkey Day Research," May 1, 2025.↩︎
Read full post on sentrytechsolutions.comMSPdb™ News
The Hidden Risks of Delaying Technology Upgrades
Technology is constantly evolving, and businesses that postpone essential upgrades often expose themselves to unnecessary operational and security risks. While delaying an upgrade may seem like a way to save money in the short term, delaying technology upgrades can lead to higher maintenance costs, increased downtime, cybersecurity vulnerabilities, and reduced employee productivity. Keeping your IT infrastructure up…
Technology is constantly evolving, and businesses that postpone essential upgrades often expose themselves to unnecessary operational and security risks. While delaying an upgrade may seem like a way to save money in the short term, delaying technology upgrades can lead to higher maintenance costs, increased downtime, cybersecurity vulnerabilities, and reduced employee productivity. Keeping your IT infrastructure up…
Read full post on swifttechsolutions.com
Thank You for Helping Us Land #71 on the MSP 501 List!
We're thrilled to share some exciting news: we've officially been ranked #71 on the 2026 MSP 501 list! This recognition is one of the most prestigious honors in the managed
We're thrilled to share some exciting news: we've officially been ranked #71 on the 2026 MSP 501 list! This recognition is one of the most prestigious honors in the managed
Read full post on dpctechnology.com
Claude for Small Business Is Here: What It Means for Growing Companies
Claude AI now works inside QuickBooks, HubSpot, Microsoft 365, and more. Learn how growing businesses can safely automate real work with AI agents.
Claude AI now works inside QuickBooks, HubSpot, Microsoft 365, and more. Learn how growing businesses can safely automate real work with AI agents.
Read full post on snaptechit.com
How Do Summer Cybersecurity Risks Impact Business Continuity?
Business continuity can take a significant hit when summer cybersecurity risks create monitoring gaps, delayed responses, and reduced oversight. To keep things running smoothly, systems must be monitored consistently, team members should be aware of their incident response roles, and procedures for escalation and recovery should have been thoroughly tested beforehand. Organizations minimize disruptions and support business continuity during staff vacations by maintaining 24/7 oversight, even when internal staff are on vacation or coverage gaps arise.
Business continuity can take a significant hit when summer cybersecurity risks create monitoring gaps, delayed responses, and reduced oversight. To keep things running smoothly, systems must be monitored consistently, team members should be aware of their incident response roles, and procedures for escalation and recovery should have been thoroughly tested beforehand. Organizations minimize disruptions and support business continuity during staff vacations by maintaining 24/7 oversight, even when internal staff are on vacation or coverage gaps arise.
Read full post on coretechllc.com
Is Your IT Provider Helping You Grow, or Holding You Back?
Your IT support might be slowing you down instead of speeding you up. Learn the red flags of reactive service and how switching to a proactive partner can unlock real business growth.
Your IT support might be slowing you down instead of speeding you up. Learn the red flags of reactive service and how switching to a proactive partner can unlock real business growth.
Read full post on grittechs.com
AI Customer Journey Insights: 9 AI Strategies for Business Growth
AI customer journey insights are helping organizations better understand customer behavior, improve engagement, and increase conversions. As AI adoption continues to accelerate across the United States, businesses are using artificial intelligence to analyze customer interactions across websites, email, social media, CRM platforms, and support channels. Instead of relying on historical reports, AI delivers real-time insights...
AI customer journey insights are helping organizations better understand customer behavior, improve engagement, and increase conversions. As AI adoption continues to accelerate across the United States, businesses are using artificial intelligence to analyze customer interactions across websites, email, social media, CRM platforms, and support channels. Instead of relying on historical reports, AI delivers real-time insights...
Read full post on fogosolutions.com
Deepfakes in Healthcare: How to Protect Your Practice
Deepfakes in healthcare let criminals impersonate doctors, administrators, and vendors using fake voices and videos. Practice administrators face wire transfer scams, prescription fraud, and patient data theft when they can't tell real calls from AI-generated fakes. Healthcare practices handle sensitive patient data, insurance payments, and controlled substance orders daily. Deepfake scams can copy trusted voices and pressure administrators into sending fake wire transfers, exposing protected health information (PHI), or changing vendor payment details. For more than 20 years, Intelligent
Deepfakes in healthcare let criminals impersonate doctors, administrators, and vendors using fake voices and videos. Practice administrators face wire transfer scams, prescription fraud, and patient data theft when they can't tell real calls from AI-generated fakes. Healthcare practices handle sensitive patient data, insurance payments, and controlled substance orders daily. Deepfake scams can copy trusted voices and pressure administrators into sending fake wire transfers, exposing protected health information (PHI), or changing vendor payment details. For more than 20 years, Intelligent Technical Solutions (ITS) has helped healthcare organizations protect patient data and reduce fraud risk. We understand the unique pressures practice administrators face as they balance patient care operations with evolving security threats. In this article, we've invited Cody Canon, ITS Director of Healthcare IT, to explain how deepfakes target healthcare practices and what administrators can do to protect their operations. You will learn: What are deepfakes in healthcare, and how do they work? How can practice administrators spot deepfake attacks? What security steps prevent deepfake fraud in healthcare practices? What Are Deepfakes in Healthcare, and How Do They Work? Deepfakes use artificial intelligence (AI) to create fake audio or video that sounds and looks like a real person. In healthcare, criminals use this technology to impersonate doctors, practice managers, CFOs, and trusted vendors. These tools have become easier to access. Attackers can copy a voice using short clips from voicemails, conference calls, or public videos. Some voice cloning tools need only around 15 seconds of someone's voice to create a convincing fake. Common Healthcare Deepfake Attacks Below are some of the most common ways deepfakes are used to scam healthcare organizations:
Read full post on itsasap.com
What Is a Cyber Resilience Framework?
The primary objective of cybersecurity has traditionally been preventing attacks. While prevention remains essential, today’s threat landscape has made one thing clear: even organizations with mature security programs can experience cyber incidents. Ransomware attacks, insider…
The primary objective of cybersecurity has traditionally been preventing attacks. While prevention remains essential, today’s threat landscape has made one thing clear: even organizations with mature security programs can experience cyber incidents. Ransomware attacks, insider…
Read full post on thrivenextgen.com
Simeon Rinkenberger—Helping Clients Shift to AI for Their Business Solutions
As the AI Success Manager at Pearl Technology, Simeon Rinkenberger works with clients to help them see the value of artificial intelligence as a tool that empowers their day-to-day operations and helps to solve real-world problems. How He Serves Working from the Peoria Heights headquarters, Simeon joined the team in February 2026. His role is
As the AI Success Manager at Pearl Technology, Simeon Rinkenberger works with clients to help them see the value of artificial intelligence as a tool that empowers their day-to-day operations and helps to solve real-world problems. How He Serves Working from the Peoria Heights headquarters, Simeon joined the team in February 2026. His role is
Read full post on pearltechnology.com
Maximize Financial Benefits for Your Legal Firm’s IT Needs
Your legal firm depends on technology every day, from document access to communication, security, and case workflows. When those tools are managed well, the financial benefits are clear. You can reduce avoidable costs, protect billable time, and keep business operations moving without disruption. That matters in a field where delays affect both clients and revenue.
Your legal firm depends on technology every day, from document access to communication, security, and case workflows. When those tools are managed well, the financial benefits are clear. You can reduce avoidable costs, protect billable time, and keep business operations moving without disruption. That matters in a field where delays affect both clients and revenue.
Read full post on vcsolutions.com