MFA fatigue and other login goblins

Posted on 7 2026
tl;dr:

Multi-factor authentication is one of those things that somehow manages to be both extremely sensible and deeply resented.

Ask people to approve a sign-in and you would think you had personally introduced rationing.

Some users accept it. Some tolerate it. Some behave as though the authenticator app has arrived in their life specifically to ruin their morning and insult their ancestors.

And to be fair, not all MFA implementations are created equal.

Bad MFA is annoying.
Badly timed MFA is annoying.
MFA that prompts constantly is annoying.
MFA that appears without explanation is annoying.
MFA that nobody has properly communicated is annoying with a logo.

But annoyance is not the same as uselessness.

And “I do not like it” is not a security model.

Passwords are not enough

This is the part that should no longer be controversial, and yet here we are.

Passwords get reused.
Passwords get guessed.
Passwords get phished.
Passwords get typed into fake login pages during busy afternoons when someone is trying to get through email and lunch at the same time.

People are not machines. They make mistakes.

This is why relying on passwords alone is fragile. A password is just one secret, and once that secret is known by the wrong person, the door is open.

MFA adds another layer.

It does not make compromise impossible, because nothing does. But it makes the attacker’s job much harder. It means a stolen password is not necessarily enough.

That matters.

Especially for:

  • remote access
  • cloud platforms
  • email
  • administrator accounts
  • finance systems
  • customer data
  • systems containing sensitive or operationally important information

If those systems are protected only by passwords, the organisation is choosing convenience over control.

And that choice tends to age badly.

MFA is not just an IT preference

Sometimes MFA is framed as “IT adding another hurdle”.

That misses the point.

MFA is not there because IT enjoys watching people approve push notifications.

It is there because identity has become one of the main attack paths into organisations.

A compromised account can lead to:

  • mailbox access
  • data theft
  • fraudulent requests
  • password resets
  • privilege escalation
  • lateral movement
  • supplier impersonation
  • customer impact
  • ransomware entry points

In other words, the risk is not the login prompt.

The risk is what happens when the wrong person logs in successfully.

Where MFA matters most

In an ideal world, MFA is applied consistently across all important access paths.

In the real world, start where the risk is highest.

1. Remote access

Anything that allows access from outside the organisation needs strong authentication.

VPN access, remote desktops, admin portals, cloud platforms, and externally accessible services should not be protected by password alone.

If someone can attempt access from the internet, MFA should be part of the conversation.

Preferably a very short conversation.

2. Cloud services

Cloud services are now central to how most organisations work.

Email, files, collaboration tools, CRM systems, finance platforms, ticketing systems, password managers, and admin portals often sit outside the physical office boundary.

That means identity becomes the new perimeter.

Which is a phrase people say in security circles before everyone quietly wishes for a simpler era.

But it is true.

If cloud access is not strongly protected, the business is exposed.

3. Privileged accounts

Administrative accounts need stronger protection because the consequences of compromise are higher.

A compromised normal user account is bad.

A compromised admin account is a bad afternoon wearing steel-toe boots.

Privileged accounts should have:

  • MFA
  • separate admin identity where appropriate
  • limited use
  • clear ownership
  • logging
  • regular review

Nobody should be casually browsing email and performing admin tasks from the same overpowered account like it is 2009 and consequences have not been invented yet.

4. High-risk business systems

Not all systems carry equal risk.

A system containing quality records, customer information, financial data, engineering data, traceability information, or operational workflows deserves stronger protection than a low-risk internal noticeboard.

This is where MFA needs to be risk-based, not random.

Why people resist MFA

People do not usually resist MFA because they love cyber risk.

They resist it because the rollout is often poor.

Common mistakes include:

  • no clear explanation
  • confusing enrolment
  • inconsistent enforcement
  • too many prompts
  • no support for lost or changed phones
  • unclear rules for remote workers
  • no distinction between normal and admin access
  • exceptions that make the whole thing feel optional

If MFA appears suddenly with no context, people experience it as friction.

If it is explained properly, supported properly, and configured sensibly, it becomes normal.

Still mildly annoying at times, yes.

But normal.

Lots of sensible things are mildly annoying. Seatbelts. Alarms. Expense systems. Printers existing.

MFA fatigue is real

There is also a real issue called MFA fatigue.

This happens when users receive too many prompts and start approving them automatically.

That is bad.

Because if an attacker has a password and triggers repeated MFA prompts, a tired or distracted user may eventually approve one just to make the noise stop.

This is why MFA has to be designed properly.

Good controls include:

  • reducing unnecessary prompts
  • using number matching where available
  • educating users not to approve unexpected prompts
  • reporting suspicious MFA activity
  • monitoring repeated denied or ignored prompts
  • using conditional access where appropriate

The goal is not simply to have MFA.

The goal is to have MFA that actually improves security.
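To make the controls above concrete, here is an added example, written for this post rather than taken from it or from any authenticator product. It sketches a push-MFA back end that does three of the things the list asks for: number matching (the sign-in page shows a number that the user must type into the authenticator, so a blind tap on "approve" completes nothing), a cap on how many prompts one account can receive in a window (reducing unnecessary prompts and starving repeated prompting of new pushes), and an alert when too many prompts in a window are denied, ignored or mismatched. The thresholds, the account name and the timeline in the scenario are all constructed assumptions.

```python
import secrets
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not any product's defaults.
PROMPT_CAP = 3          # prompts allowed per user inside PROMPT_WINDOW
PROMPT_WINDOW = 300     # seconds
FATIGUE_THRESHOLD = 3   # unapproved prompts in the window that raise an alert

UNAPPROVED = ("denied", "mismatch", "expired")


class PushMfaService:
    """Minimal push-MFA back end: number matching, prompt cap, fatigue alerting."""

    def __init__(self):
        self.pending = {}                     # prompt_id -> (user, expected number)
        self.prompt_log = defaultdict(deque)  # user -> deque of (timestamp, outcome)
        self.last_alert = {}                  # user -> timestamp of last alert
        self.alerts = []

    def _recent(self, user, now):
        """Drop log entries older than the window and return the rest."""
        log = self.prompt_log[user]
        while log and now - log[0][0] > PROMPT_WINDOW:
            log.popleft()
        return log

    def _record(self, user, now, outcome):
        self.prompt_log[user].append((now, outcome))
        bad = sum(1 for _, o in self._recent(user, now) if o in UNAPPROVED)
        last = self.last_alert.get(user)
        # Alert once per window so the SOC sees one ticket, not a flood.
        if bad >= FATIGUE_THRESHOLD and (last is None or now - last > PROMPT_WINDOW):
            self.last_alert[user] = now
            self.alerts.append((user, now, f"{bad} unapproved prompts in {PROMPT_WINDOW}s"))

    def request_prompt(self, user, now):
        """Called after a correct password. Returns (prompt_id, number) or None.

        The matching number is shown only on the sign-in page; the authenticator
        asks the user to type it, so tapping 'approve' without it does nothing.
        Once PROMPT_CAP prompts have gone out in the window, no more are sent.
        """
        sent = sum(1 for _, o in self._recent(user, now) if o == "sent")
        if sent >= PROMPT_CAP:
            self._record(user, now, "suppressed")
            return None
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)       # two-digit matching number
        self.pending[prompt_id] = (user, number)
        self._record(user, now, "sent")
        return prompt_id, number

    def respond(self, prompt_id, now, approved, typed_number=None):
        """Authenticator reply. Approval counts only with the matching number."""
        user, expected = self.pending.pop(prompt_id)
        if approved and typed_number == expected:
            self._record(user, now, "approved")
            return True
        self._record(user, now, "denied" if not approved else "mismatch")
        return False

    def expire(self, prompt_id, now):
        """Prompt timed out unanswered: an ignored prompt is also a signal."""
        user, _ = self.pending.pop(prompt_id)
        self._record(user, now, "expired")


def run_scenario():
    """Constructed timeline: prompts the account holder did not ask for, then
    a genuine sign-in later on. Returns the observable outcomes."""
    svc = PushMfaService()
    user = "alice@example.test"   # assumed sample account
    results = {}
    pid, _ = svc.request_prompt(user, now=0)          # prompt 1: user denies it
    svc.respond(pid, now=5, approved=False)
    pid, _ = svc.request_prompt(user, now=30)         # prompt 2: user ignores it
    svc.expire(pid, now=90)
    pid, num = svc.request_prompt(user, now=100)      # prompt 3: blind approve,
    wrong = (num + 1) % 100                           # number guessed, not seen
    results["approved_blind"] = svc.respond(pid, now=105, approved=True, typed_number=wrong)
    results["fourth_prompt"] = svc.request_prompt(user, now=120)   # cap reached
    # Later the real user signs in, sees the number on screen and types it.
    pid, num = svc.request_prompt(user, now=PROMPT_WINDOW + 200)
    results["legit"] = svc.respond(pid, now=PROMPT_WINDOW + 205, approved=True, typed_number=num)
    results["alerts"] = len(svc.alerts)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the combination: the mismatch on prompt 3 fails, the fourth prompt is never sent, one alert is raised for the three unapproved prompts, and the genuine sign-in after the window still works.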

MFA does not remove the need for good passwords

This is another little trap.

MFA is not a permission slip to have terrible passwords.

You still need:

  • unique passwords
  • good password length
  • no password reuse
  • secure storage
  • prompt resets after compromise
  • password managers where appropriate
  • no shared credentials

MFA is a layer.

It is not a magic blanket.

If your password is Swagelok2024! and your MFA is a tired user approving every push notification like they are clearing cookie banners, you still have work to do.

Good MFA is usable MFA

Security controls work better when people can live with them.

That does not mean making everything optional. It means designing the control properly.

Good MFA should be:

  • clearly explained
  • easy to enrol in
  • enforced consistently
  • supported by IT
  • recoverable if a device is lost
  • stronger for privileged access
  • quieter when risk is low
  • more demanding when risk is high

This is where security and usability need to stop throwing cutlery at each other.

The best MFA setup is one where most users barely think about it, but attackers have a much worse day.
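"Quieter when risk is low, more demanding when risk is high" (and the earlier "risk-based, not random") is easier to reason about as a small policy function. The following is an added example written for this post; it is not the post's code and not any vendor's conditional access engine. The signals (privileged identity, application tier, managed device, known location, age of the last MFA on the device), the tiers and the decisions are constructed assumptions, and the invariant check at the end is the kind of test a reviewer would want before such a policy goes live.

```python
from dataclasses import dataclass
from itertools import product

# Constructed policy for illustration; tiers, signals and timings are assumptions.
MFA_FRESHNESS = 8 * 3600   # seconds a recent MFA on the same device stays valid


@dataclass(frozen=True)
class SignIn:
    privileged: bool        # privileged/admin identity
    app_tier: str           # sensitivity of the target: "low", "standard", "high"
    device_managed: bool    # organisation-managed, compliant device
    known_location: bool    # network/country seen before for this user
    mfa_age_s: int          # seconds since last successful MFA on this device, -1 = never


def decide(s: SignIn) -> str:
    """Return 'allow', 'mfa', 'strong_mfa' or 'block' for a sign-in attempt."""
    if s.privileged:
        # Admin access is never quiet: phishing-resistant MFA on every sign-in.
        return "strong_mfa"
    if s.app_tier == "high" and not s.device_managed and not s.known_location:
        # Sensitive data, unmanaged device, unfamiliar place: refuse rather than prompt.
        return "block"
    if s.app_tier == "high":
        # Sensitive data always gets a second factor, recent MFA or not.
        return "mfa"
    if s.device_managed and s.known_location and 0 <= s.mfa_age_s <= MFA_FRESHNESS:
        # Low risk and MFA already done recently on this device: stay quiet.
        return "allow"
    return "mfa"


def policy_invariants_hold() -> bool:
    """Exercise the policy over every combination of signals.

    Properties checked: privileged access is always strong MFA, high-tier data
    is never reached without a second factor, and the quiet path exists only
    on managed devices from known locations.
    """
    for priv, tier, managed, known, age in product(
        (False, True), ("low", "standard", "high"), (False, True), (False, True),
        (-1, 600, 2 * MFA_FRESHNESS),
    ):
        d = decide(SignIn(priv, tier, managed, known, age))
        if priv and d != "strong_mfa":
            return False
        if tier == "high" and d == "allow":
            return False
        if d == "allow" and not (managed and known):
            return False
    return True


def evaluate_samples() -> dict:
    """Constructed sign-ins; maps a label to the policy decision."""
    samples = {
        "office_laptop_repeat": SignIn(False, "standard", True, True, 600),
        "office_laptop_stale_mfa": SignIn(False, "standard", True, True, 2 * MFA_FRESHNESS),
        "home_unmanaged_email": SignIn(False, "standard", False, True, -1),
        "finance_new_country_unmanaged": SignIn(False, "high", False, False, 600),
        "finance_from_managed_device": SignIn(False, "high", True, True, 600),
        "admin_anywhere": SignIn(True, "low", True, True, 60),
    }
    return {label: decide(s) for label, s in samples.items()}


if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print(f"{label:32} -> {decision}")
    print("invariants hold:", policy_invariants_hold())
```

The design choice worth noting is that the quiet path is narrow and explicit: it only exists for a managed device, a known location and a fresh MFA on that same device, and it is unreachable for privileged identities or high-tier systems. Everything else prompts, and the one genuinely bad combination blocks instead of sending yet another push.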

What good looks like

A mature MFA approach usually includes:

Clear scope

The organisation knows which systems require MFA and why.

Consistent enforcement

MFA is not optional depending on who shouts loudest.

Stronger protection for administrators

Privileged access gets extra care because the risk is higher.

User guidance

People know how to enrol, what to expect, and what to do if something looks suspicious.

Exception handling

Any exceptions are documented, justified, time-bound, and reviewed.

Monitoring

Suspicious sign-in attempts and MFA activity are reviewed.

Recovery process

Lost phones, new phones, and access issues are handled without turning every Monday morning into a queue of despair.

How to improve MFA without starting a riot

The trick is to treat MFA as a service change, not just a security switch.

Step 1: Explain the why

Tell people what MFA protects.

Not in abstract terms. Be specific:

  • email
  • customer data
  • business systems
  • remote access
  • admin accounts

People accept controls more easily when they understand the risk.

Step 2: Start with high-risk access

Remote access, cloud services, and admin accounts first.

Step 3: Make enrolment simple

Clear instructions. Screenshots. Support. No treasure hunt.

Step 4: Reduce unnecessary prompts

If MFA prompts constantly, people stop treating them seriously.

Step 5: Teach people what not to approve

Unexpected prompt? Do not approve it. Report it.

Simple. Vital.

Step 6: Review exceptions

Temporary MFA exceptions have the same energy as temporary admin access. We have discussed this. It does not end well.

Final thought

MFA is not a personality trait.

It is not a lifestyle choice.
It is not a personal attack.
It is not IT being dramatic for sport.

It is a practical control that helps stop compromised credentials becoming compromised systems.

The aim is not to make access painful.

The aim is to make access trustworthy.

And if that means approving a sign-in now and then, civilisation will probably survive.