{"id":651,"date":"2025-10-20T12:31:33","date_gmt":"2025-10-20T17:31:33","guid":{"rendered":"https:\/\/cmitsolutions.com\/piscataway-nj-1178\/?p=651"},"modified":"2025-10-20T12:31:53","modified_gmt":"2025-10-20T17:31:53","slug":"mfa-fatigue-in-2025","status":"publish","type":"post","link":"https:\/\/cmitsolutions.com\/piscataway-nj-1178\/blog\/mfa-fatigue-in-2025\/","title":{"rendered":"MFA-Fatigue-in-2025"},"content":{"rendered":"

MFA Fatigue Is the 2025 Breach Enabler: <\/strong><\/h1>\n

Why Push-Based MFA Is Failing North American Businesses\u2014and How to Fix It Before Insurers Raise Your Premiums<\/strong><\/span><\/h4>\n
\n

Multi-factor authentication (MFA)<\/span> remains one of the strongest defenses against account takeovers\u2014but in 2025, it\u2019s showing cracks. The rise of\u00a0MFA fatigue<\/em><\/strong>\u00a0(also known as\u00a0push bombing<\/em><\/strong><\/span>) is turning trusted security into an attacker\u2019s tool. Across North America, large organizations\u2014from airlines to financial firms\u2014are learning that simply having MFA is no longer enough.<\/p>\n

The good news: the same insurers raising standards to reflect this trend are also signaling exactly what controls stop these attacks and what documentation organizations must maintain to get paid when incidents do occur.<\/p>\n

Here we break down the latest 2025 breaches, what MFA fatigue looks like in action, how loss trends and regulatory data tie together, and concrete identity-hardening steps every business should take this year.<\/p>\n

What Is MFA Fatigue\u2014and Why It Works<\/span><\/h2>\n

In a typical attack, criminals use stolen credentials to trigger a flood of push notifications, robocalls, or one-time passcode requests. The goal: exhaust the target until they tap \u201cApprove\u201d out of annoyance or confusion. When combined with social engineering\u2014voice phishing, SIM swapping, or help-desk impersonation\u2014this bypasses weak factors almost effortlessly.<\/p>\n

Legacy MFA<\/strong> methods based on SMS<\/strong>, push notifications<\/strong>, or simple OTP codes<\/strong> can\u2019t distinguish a legitimate user from an attacker holding stolen credentials<\/strong><\/em><\/span>. By contrast, phishing-resistant MFA\u2014like FIDO2 security keys<\/strong>\u2014ties the authentication to the physical device and user verification.<\/p>\n

2025 Case Snapshots: Airlines as a Warning Sign<\/span><\/h2>\n

Hawaiian Airlines (USA)<\/strong><\/span>
\nIn June and July 2025, Hawaiian Airlines was hit by a cyberattack that disrupted IT systems and triggered regulatory alerts. Investigation reports cited MFA fatigue combined with real-time phishing as a key intrusion vector\u2014mirroring Scattered Spider\u2019s playbook. Even with strong resources, the organization\u2019s use of push-based factors created an opening that identity-layer social engineering exploited.<\/p>\n

WestJet (Canada)<\/strong><\/span>
\nWestJet\u2019s June 13th incident affected roughly 1.2 million customers, according to disclosures through October. While the airline did not explicitly confirm MFA bypass, U.S. and Canadian threat intel attributed similar campaigns in this timeframe to groups leveraging MFA fatigue, vishing, and help-desk social engineering to add attacker-controlled devices.<\/p>\n

The takeaway:<\/strong>\u00a0MFA fatigue remains an active, scalable threat\u2014especially when layered with human manipulation and weak help-desk verification.<\/p>\n

The 2025 Breach Numbers Speak for Themselves<\/span><\/h2>\n