MFA Fatigue Is the 2025 Breach Enabler:
Why Push-Based MFA Is Failing North American Businesses—and How to Fix It Before Insurers Raise Your Premiums
Multi-factor authentication (MFA) remains one of the strongest defenses against account takeovers—but in 2025, it’s showing cracks. The rise of MFA fatigue (also known as push bombing) is turning trusted security into an attacker’s tool. Across North America, large organizations—from airlines to financial firms—are learning that simply having MFA is no longer enough.
The good news: the same insurers raising standards to reflect this trend are also signaling exactly what controls stop these attacks and what documentation organizations must maintain to get paid when incidents do occur.
Here we break down the latest 2025 breaches, what MFA fatigue looks like in action, how loss trends and regulatory data tie together, and concrete identity-hardening steps every business should take this year.
What Is MFA Fatigue—and Why It Works
In a typical attack, criminals who already hold a valid username and password trigger a flood of push notifications, robocalls, or one-time passcode requests. The goal is to wear the target down until they tap "Approve" out of annoyance or confusion, or to talk them through it: a follow-up call from a fake help desk ("we're seeing login errors, just approve the next prompt") is often what finally lands the approval. The attacker never breaks the second factor; they get the legitimate user to satisfy it for them. Combined with vishing, SIM swapping, or help-desk impersonation to enroll a new device, this defeats weak factors almost effortlessly.
SMS codes, push approvals, and app-generated OTPs prove only that whoever is completing the login can reach the user's phone. None of them binds the login to the site the user thinks they are signing in to, so a user who is worn down or talked through it can approve a prompt or read a code to an attacker. Phishing-resistant MFA, such as FIDO2/WebAuthn security keys, instead signs a challenge that is bound to the site's origin and to the registered device, with the user verifying locally (touch, PIN, or biometric). There is nothing to approve blindly and nothing to read out over the phone.
2025 Case Snapshots: Airlines as a Warning Sign
Hawaiian Airlines (USA)
In June and July 2025, Hawaiian Airlines was hit by a cyberattack that disrupted IT systems and triggered regulatory alerts. Investigation reports cited MFA fatigue combined with real-time phishing as a key intrusion vector, mirroring Scattered Spider's playbook. Even with a well-resourced security program, the organization's reliance on push-based factors created an opening that identity-layer social engineering exploited.
WestJet (Canada)
WestJet's incident, disclosed on June 13, affected roughly 1.2 million customers according to disclosures through October. While the airline did not explicitly confirm an MFA bypass, U.S. and Canadian threat intelligence attributed similar campaigns in this timeframe to groups combining MFA fatigue, vishing, and help-desk social engineering to add attacker-controlled devices to victim accounts.
The takeaway: MFA fatigue remains an active, scalable threat—especially when layered with human manipulation and weak help-desk verification.
The 2025 Breach Numbers Speak for Themselves
- Average U.S. breach cost: $10.22 million (up 9% over 2024)
- Global average: $4.44 million
- Human element share: ~60% of breaches (phishing, pretexting, and social-engineering-related MFA bypass)
Even with EDR, backups, and rapid containment, North American enterprises face eight-figure exposure when identity compromise reaches sensitive data or operational systems.
In simpler terms: if your MFA can be tricked, the financial exposure now matches the largest ransomware losses of the past decade.
How Cyber Insurers Are Responding in 2025
1. Underwriting Evolution: “Phishing-Resistant MFA Preferred”
Cyber insurers and brokers now treat MFA as a baseline—not a differentiator. To qualify for favorable terms, organizations are being nudged toward security keys and number-matching controls. Expect questionnaires to explicitly ask whether all admins and remote users are covered by phishing-resistant MFA.
2. Drop in Claim Severity—When Controls Are Mature
Allianz and other carriers report roughly a 50% drop in claim severity during H1 2025, credited to more consistent detection, response maturity, and identity controls. Organizations without these controls, however, face lower sublimits and outright denials.
3. Risk Data Becomes Evidence
Applications and renewal packets now demand proof: MFA enforcement logs, restore-test results, help-desk scripts, EDR dashboards, and phishing-training rosters. Coverage can be reduced—or denied—if evidence isn’t ready when a claim hits.
The message is clear: it’s not enough to have security controls. You must document and maintain evidence that they’re active and enforced.
Why Business Insurance Won’t Cover Cyber Losses
Many U.S. and Canadian companies still assume general liability or BOP policies cover cyber events. In 2025, courts—including a notable Sixth Circuit ruling—affirmed that CGL policies with electronic-data exclusions cannot be used to recover cyber losses.
Real recovery—incident response, ransom negotiation, regulatory defense, and reputational damage—requires stand-alone cyber insurance. Traditional policies simply aren’t designed for this domain.
How to Stop MFA Fatigue (and Impress Your Insurer)
1. Go Phishing-Resistant Where It Counts
Deploy FIDO2/WebAuthn-compatible security keys for administrators, remote logins, and privileged accounts, and disable the weaker fallback methods for those accounts so an attacker cannot simply choose "use another method." Pair the keys with conditional access based on device posture and geolocation.
2. Harden Remaining Push MFA
If any push MFA remains, enforce number matching (the user must type a number shown on the login screen, so a blind tap no longer works), rate-limit prompts per user, and alert on or lock accounts when a burst of denied or unanswered prompts crosses a threshold. Microsoft has enforced number matching for Microsoft Authenticator push notifications since May 2023, so if you run Entra ID, verify that it is actually in effect rather than assuming it.
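The threshold alerting described above is easy to get wrong if it only counts prompts: the signal that matters is a burst of denied or unanswered pushes followed by an approval. The following detector is an added example, not code from the original article or from any vendor; the log line format, the ten-minute window, the threshold of three, and the sample events are all constructed for illustration and would need to be mapped onto your identity provider's real sign-in log schema.

```python
"""Sliding-window detector for MFA push-fatigue patterns.

Added example (not from the original article). The log format below is a
constructed, vendor-neutral one: "<iso-timestamp> <user> <result> <ip>".
Two alert kinds are raised:
  prompt_burst      - a user has >= THRESHOLD denied/timed-out pushes in WINDOW
                      (candidate for rate limiting or a temporary lock)
  fatigue_approval  - an approval arrives while such a burst is still open
                      (highest priority: the bombing may have worked)
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: alice is bombed and finally approves;
# bob has one missed prompt and a normal approval an hour later.
SAMPLE_LOG = """\
2025-06-13T02:01:05Z alice push_denied 203.0.113.9
2025-06-13T02:01:40Z alice push_timeout 203.0.113.9
2025-06-13T02:02:12Z alice push_denied 203.0.113.9
2025-06-13T02:02:50Z alice push_timeout 203.0.113.9
2025-06-13T02:03:30Z alice push_denied 203.0.113.9
2025-06-13T02:04:10Z alice push_approved 203.0.113.9
2025-06-13T08:15:00Z bob push_approved 198.51.100.7
2025-06-13T08:20:00Z bob push_timeout 198.51.100.7
2025-06-13T09:30:00Z bob push_approved 198.51.100.7
"""

FAILURE_RESULTS = {"push_denied", "push_timeout"}
WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 3                   # assumed tuning value


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (user, kind, timestamp, failures_in_window) alerts."""
    recent = defaultdict(deque)  # user -> timestamps of recent failed prompts
    in_burst = set()             # users whose burst has already been reported
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _ip = parse_line(line)
        q = recent[user]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)  # burst has decayed; allow re-alerting later
        if result in FAILURE_RESULTS:
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                alerts.append((user, "prompt_burst", ts, len(q)))
                in_burst.add(user)
        elif result == "push_approved":
            # An approval on the heels of a burst is the fatigue signature.
            if len(q) >= threshold:
                alerts.append((user, "fatigue_approval", ts, len(q)))
            q.clear()
            in_burst.discard(user)
        # Other results (e.g. password_ok) carry no push signal and are ignored.
    return alerts


if __name__ == "__main__":
    for user, kind, ts, count in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<6} {kind:<17} failed_prompts={count}")
```

Run against the sample log, the detector raises a prompt_burst for alice at the third failed prompt and a fatigue_approval when she finally accepts; bob never triggers either, because his single missed prompt has aged out of the window by the time he approves. In production you would act on prompt_burst by suspending push for that user (forcing a stronger factor or a help-desk reset) and treat fatigue_approval as an incident that revokes the new session.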
3. Lock Down Your Help Desk
Standardize identity checks for MFA resets and device enrollment. Use out-of-band verification or ticket-based authentication rather than voice confirmation alone.
4. Manage Tokens Like Credentials
Monitor session behavior, revoke risky sessions, and shorten token lifetimes. A stolen session cookie or refresh token lets an attacker skip authentication entirely, so even a FIDO2-protected login is only as strong as the session it issues. In 2025, token theft emerged alongside MFA fatigue as part of a single identity threat class.
5. Maintain Structured Proof for Claims
Build a digital binder of exportable evidence—MFA enforcement screenshots, key-registration logs, backup test reports, and awareness training records. If your insurer requests documentation during a claim, you’ll be ready.
An Insurer-Aligned Quick Checklist
- Identity: FIDO2 for admins and remote users; number matching enforced; conditional access by device and geo
- Detection: EDR + MDR or a 24×7 SOC model
- Backup: Immutable/offline, with quarterly restore tests and screenshots
- Help Desk: Strict out-of-band verification for all reset or add-device requests
- Training: Quarterly phishing and vishing simulations, including MFA-fatigue scenarios
- Vendors: Mandatory security clauses and breach notification SLAs
- Policy Fit: Review coverage exclusions and confirm your controls align with insurer expectations
Schedule a 30-minute Identity Risk Review – Contact CMIT Solutions today.
We’ll analyze your current MFA setup, help-desk flows, and privileged access controls against 2025 insurer standards. Within 60 days, you’ll have a roadmap to harden authentication, close social engineering gaps, and back your cyber policy with strong compliance evidence.
#CyberSecurity2025 #MFAFatigue #IdentitySecurity #CyberInsurance #DataProtection #FIDO2 #ManagedSecurity #ZeroTrust #BusinessContinuity #NorthAmericaCyber #CyberRisk #GenAI #rutgers #remba #mcrcc #mccc #newjersey #njccic #njsbdc #sbdc #njlaw #cpas #nonprofit #education #school #cmitsolutions #ExtensionSecurity #ThreatIntelligence #DataPrivacy #Phishing #Malware #CyberDefense #SecureYourData #CybersecurityTips #Tech #DigitalSafety #StaySafeOnline #Security #ClientAccountingServices #CAS #CPA #AccountingFirm #DisasterRecovery #CFO #ManagedIT #NJBusiness #FinanceSecurity #DataBreach