Exploring How User Fatigue Turns Security Controls into Vulnerabilities
Every Click Counts Until It Doesn’t
Multi-Factor Authentication (MFA) was meant to stop breaches cold. In practice it is becoming one of the most exploited human interfaces in modern security.
The Verizon Data Breach Investigations Report 2024 (DBIR) found that the human element was a component in 68% of breaches.
The Irony of Protection
When every login triggers a prompt, people stop thinking; they start approving. Attackers know this. They flood users with MFA requests until one is approved out of habit, distraction or exhaustion. The promise of MFA remains valid, but the way it is implemented creates new risk.
The Psychology Behind Fatigue
Humans crave rhythm and relief. When security tools break flow, the brain seeks shortcuts.
Common patterns include:
- Alert desensitisation — repeated prompts blend into background noise. 
- Automation bias — users trust systems implicitly (“it must be safe”). 
- Stress response — the constant verification increases anxiety and decreases accuracy. 
Awareness training explains why MFA matters, but design determines whether it is usable.
Case Studies: When Good Controls Go Bad
1. Contractor prompt-bombing scenario
Attackers targeted a third-party user and sent repeated MFA push notifications until one was accepted.
Human factor: fatigue and unchallenged convenience.
Design response: introduce phishing-resistant authentication (e.g., passkeys or FIDO2), limit prompt volumes and set trusted device lifetimes.
2. Admin reset bypass scenario
A help desk responded to what appeared to be a valid request and reset credentials without strong identity proof.
Human factor: helpful support staff lacking verification discipline.
Design response: step-up verification for admin actions, dual control for privileged resets, and audit logging of credential resets performed by support.
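As an added illustration of the design response for the admin reset scenario (example code written for this article, not a product or the author's own tooling), the workflow below refuses a reset unless the caller was verified by a strong method, requires a second, different approver for privileged accounts, and writes an audit entry for every attempt. The account names, proof methods and data structures are constructed assumptions.

```python
"""Help-desk credential reset with step-up proof, dual control and audit logging.

Added example for this article; every name, account and proof method below is a
constructed assumption, not a real system's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: accounts whose reset needs two people.
PRIVILEGED_ACCOUNTS = {"svc-backup", "domain-admin-01"}

# Identity-proof methods strong enough to reset on. Anything else (employee ID
# read out by the caller, "sounded like them") is treated as weak and refused.
STRONG_PROOF = {"callback_to_registered_number", "video_with_id", "manager_in_person"}


@dataclass
class ResetRequest:
    target_user: str
    requester_agent: str            # help-desk agent handling the ticket
    identity_proof: str             # how the caller was verified
    second_approver: Optional[str] = None   # required for privileged accounts


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, outcome: str, req: ResetRequest, reason: str) -> None:
        # Every attempt is logged, including denials, so reviewers can spot
        # patterns such as repeated weak-proof requests for the same account.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "outcome": outcome,
            "target": req.target_user,
            "agent": req.requester_agent,
            "approver": req.second_approver,
            "proof": req.identity_proof,
            "reason": reason,
        })


def process_reset(req: ResetRequest, audit: AuditLog) -> bool:
    """Return True if the reset is performed, False otherwise. Always audits."""
    if req.identity_proof not in STRONG_PROOF:
        audit.record("denied", req, "weak identity proof")
        return False
    if req.target_user in PRIVILEGED_ACCOUNTS:
        if req.second_approver is None:
            audit.record("pending", req, "dual control: second approver required")
            return False
        if req.second_approver == req.requester_agent:
            audit.record("denied", req, "dual control: approver must differ from requester")
            return False
    audit.record("reset", req, "policy satisfied")
    return True


if __name__ == "__main__":
    log = AuditLog()
    print(process_reset(ResetRequest("jsmith", "agent-a", "caller_read_employee_id"), log))
    print(process_reset(ResetRequest("domain-admin-01", "agent-a", "video_with_id"), log))
    print(process_reset(ResetRequest("domain-admin-01", "agent-a", "video_with_id", "agent-b"), log))
    for entry in log.entries:
        print(entry["outcome"], entry["target"], entry["reason"])
```

The point of the `pending` outcome is that a single helpful agent cannot complete a privileged reset alone, however convincing the caller; the audit entries also make the "helpful but unverified" pattern visible to whoever reviews support activity.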
Designing MFA That Works With People
Security succeeds when it respects attention spans rather than overriding them.
Practical design principles:
- Friction when it matters most: trigger additional checks only on high-risk activity (new device, new location, abnormal behaviour). 
- Device trust loops: bind MFA to known devices for a defined period and review regularly. 
- Session awareness: monitor for anomalous session behaviour and reduce reliance on frequent MFA prompts. 
- Positive feedback: confirm secure actions with success signals, not alarm, so that users build confidence rather than fatigue. 
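To make the principles above concrete, and the "limit prompt volumes and set trusted device lifetimes" response from the contractor scenario, here is an added example (written for this article, not code from any product) of a small prompt-policy engine plus a detection routine. The engine skips the prompt for a known device inside its trust window, sends a step-up challenge rather than a push on new-device or new-location signals, and stops sending pushes once a per-user cap is hit; the detection routine scans constructed authentication log lines for the prompt-bombing pattern (a burst of unapproved pushes). All thresholds, field names and log lines are assumptions.

```python
"""Risk-based MFA prompt policy and push-fatigue detection.

Added example for this article. Thresholds, log format and field names are
constructed assumptions, not any vendor's defaults.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TRUST_LIFETIME = timedelta(days=14)   # assumed trusted-device lifetime
PUSH_CAP = 3                          # assumed max pushes per user per window
WINDOW = timedelta(minutes=10)
BOMB_THRESHOLD = 5                    # unapproved pushes in one window -> alert


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    at: datetime


@dataclass
class MfaPolicy:
    trust_expiry: dict = field(default_factory=dict)   # (user, device) -> datetime
    home_country: dict = field(default_factory=dict)   # user -> usual country
    push_log: list = field(default_factory=list)       # (user, ts, approved)

    def decide(self, ctx: LoginContext) -> str:
        """Return 'allow', 'step_up', 'push' or 'hold'."""
        key = (ctx.user, ctx.device_id)
        expiry = self.trust_expiry.get(key)
        if expiry is not None and ctx.at < expiry:
            return "allow"          # known device inside its trust window: no prompt
        if key not in self.trust_expiry or ctx.country != self.home_country.get(ctx.user):
            return "step_up"        # high-risk signal: phishing-resistant factor, not a push
        recent = [1 for u, ts, _ in self.push_log if u == ctx.user and ctx.at - ts < WINDOW]
        if len(recent) >= PUSH_CAP:
            return "hold"           # cap reached: stop prompting, route to help desk and alert
        return "push"               # known device, trust expired, normal location

    def record_push(self, ctx: LoginContext, approved: bool) -> None:
        self.push_log.append((ctx.user, ctx.at, approved))
        if approved:
            self.enroll(ctx)

    def enroll(self, ctx: LoginContext) -> None:
        """Called after a successful step-up or an approved push: start a trust window."""
        self.trust_expiry[(ctx.user, ctx.device_id)] = ctx.at + TRUST_LIFETIME
        self.home_country.setdefault(ctx.user, ctx.country)


# Constructed log format: "<iso-timestamp> user=<name> event=push result=<approved|denied|timeout>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) event=push result=(\S+)$")


def push_fatigue_alerts(lines, window=WINDOW, threshold=BOMB_THRESHOLD):
    """Return users with at least `threshold` unapproved pushes inside any `window`."""
    unapproved = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) == "approved":
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        unapproved.setdefault(m.group(2), []).append(ts)
    alerts = set()
    for user, stamps in unapproved.items():
        stamps.sort()
        for i, start in enumerate(stamps):      # sliding window over sorted timestamps
            if sum(1 for t in stamps[i:] if t - start < window) >= threshold:
                alerts.add(user)
                break
    return sorted(alerts)


# Constructed sample log: six unapproved pushes to alice in three minutes, one to bob.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z user=alice event=push result=denied",
    "2024-05-01T10:00:31Z user=alice event=push result=timeout",
    "2024-05-01T10:01:02Z user=alice event=push result=denied",
    "2024-05-01T10:01:40Z user=alice event=push result=timeout",
    "2024-05-01T10:02:15Z user=alice event=push result=denied",
    "2024-05-01T10:02:50Z user=alice event=push result=denied",
    "2024-05-01T10:03:00Z user=bob event=push result=approved",
    "2024-05-01T10:04:10Z user=bob event=push result=timeout",
]

if __name__ == "__main__":
    print(push_fatigue_alerts(SAMPLE_LOG))
```

Two design points are worth noting. A new device never receives a push at all; it gets a step-up challenge, so a flood of pushes can only be aimed at a device the user already enrolled. And the push cap and the log-based detection are deliberately separate: the cap stops the prompts at the source, while the detector catches the pattern in whatever the identity provider actually recorded, including pushes sent before the cap existed.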
The Behaviour-Design Loop Revisited
Educate: Explain why fatigue can turn MFA into a weakness. 
Engineer: Reduce unnecessary prompts and use risk context to approve safe flows. 
Encourage: Reward users who report unusual prompts or suspicious activity, not just the ones who never make mistakes. 
Culture Still Matters
Employees should feel empowered to say:
“I am getting repeated MFA prompts... is this expected?”
If the response is “Just approve and move on,” the issue is cultural, not technical. A culture that questions is still one of the strongest controls.
Closing Reflection
Every click is a decision point. When security design overloads people, we create new attack surfaces in the name of protection. True resilience comes from security that aligns with human behaviour rather than fighting it.
If this resonates, explore how your organisation can design access that protects without fatigue through thoughtful architecture and human-centric policy.
👉 Learn more about how our Security & Risk Management services bring resilience by design.
