Microsoft 365

Why MFA prompts can still be dangerous

MFA is one of the best everyday security controls, but a prompt is still a decision point. The safest habit is to approve only what you started.

MFA makes stolen passwords much less useful, but it does not remove every risk. Attackers know that people get busy, distracted, or tired of repeated prompts.

The goal is not to fear MFA. The goal is to treat every prompt as a small security checkpoint.

1. MFA proves a sign-in was approved, not that it was safe

Multi-factor authentication is a strong protection, but it still depends on the user making a good decision. If someone approves a prompt they did not request, the attacker may get the access they were waiting for.

Example: you receive a push notification at night that says someone is trying to sign in. If you tap approve just to clear the notification, you may be approving a stolen password attempt.

2. Repeated prompts can wear people down

Attackers who already hold a valid password sometimes trigger many sign-in attempts in a short period. This is often called MFA fatigue because the aim is to make the prompt feel like a nuisance to dismiss rather than something suspicious.

A normal MFA prompt should match something you are doing right now. If the request appears when you are not signing in, treat it as a warning instead of a routine notification.
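The same pattern is visible from the defender's side: a burst of push prompts that a user denies or lets time out, sometimes followed by one approval. The script below is an added example, not part of the original page or of any Microsoft 365 tooling; it runs over a small constructed set of MFA push events (the field layout and the sample users, times and IP addresses are assumptions for the example) and flags users who received repeated unapproved prompts inside a short window, marking the worst case where an approval followed the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events. Field layout (user, UTC timestamp,
# push result, source IP) is an assumption for this example, not a real
# Microsoft 365 sign-in log format.
SAMPLE_EVENTS = [
    ("alice@example.test", "2024-03-04T22:01:10Z", "timeout",  "203.0.113.7"),
    ("alice@example.test", "2024-03-04T22:02:05Z", "denied",   "203.0.113.7"),
    ("alice@example.test", "2024-03-04T22:02:40Z", "timeout",  "203.0.113.7"),
    ("alice@example.test", "2024-03-04T22:03:30Z", "denied",   "203.0.113.7"),
    ("alice@example.test", "2024-03-04T22:04:15Z", "timeout",  "203.0.113.7"),
    ("alice@example.test", "2024-03-04T22:05:00Z", "approved", "203.0.113.7"),
    ("bob@example.test",   "2024-03-04T09:00:00Z", "approved", "198.51.100.20"),
    ("bob@example.test",   "2024-03-04T13:30:00Z", "denied",   "198.51.100.20"),
    ("bob@example.test",   "2024-03-04T17:45:00Z", "approved", "198.51.100.20"),
]

UNAPPROVED = {"denied", "timeout"}


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one finding per user whose unapproved prompts reach `threshold`
    inside any sliding `window`. If an approval arrives while that many
    unapproved prompts are still inside the window, it is flagged as
    `approved_after_burst`, the outcome a prompt-bombing attacker is after."""
    by_user = defaultdict(list)
    for user, ts, result, ip in events:
        by_user[user].append((parse_ts(ts), result, ip))

    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        recent = []          # unapproved prompts still inside the window
        peak = 0             # largest number of unapproved prompts in a window
        approved_after_burst = False
        source_ips = set()
        for ts, result, ip in rows:
            # Drop prompts that have aged out of the window.
            recent = [r for r in recent if ts - r[0] <= window]
            if result == "approved":
                if len(recent) >= threshold:
                    approved_after_burst = True
                continue
            if result in UNAPPROVED:
                recent.append((ts, ip))
                if len(recent) >= threshold:
                    source_ips.update(r[1] for r in recent)
                peak = max(peak, len(recent))
        if peak >= threshold:
            findings[user] = {
                "peak_unapproved_in_window": peak,
                "approved_after_burst": approved_after_burst,
                "source_ips": sorted(source_ips),
            }
    return findings


if __name__ == "__main__":
    for user, info in find_mfa_fatigue(SAMPLE_EVENTS).items():
        severity = "HIGH" if info["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {info['peak_unapproved_in_window']} "
              f"unapproved prompts in window, sources {info['source_ips']}")
```

In the sample, alice denies or ignores five prompts in four minutes and then approves one, which the script reports as the high-severity case; bob's single denial hours apart from his approvals is not flagged. The window and threshold are tunable; a user who routinely ignores one or two prompts should not generate noise, while a tight cluster of unapproved prompts followed by an approval is worth a password reset and session review.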

3. Number matching helps, but only if you read the screen

Some MFA systems ask you to type a number shown on the sign-in page. This is safer than a simple approve button, but it still needs attention.

If someone calls, messages, or pressures you to read out or enter a number, stop. The number is meant to connect your real sign-in screen to your approval prompt, not to help someone else log in.

Prompt safety checklist

  • Only approve MFA prompts you started yourself.
  • Deny unexpected prompts instead of ignoring them.
  • Report repeated or unusual prompts to your IT or security contact.
  • Read the app name, location, and sign-in details when they are shown.
  • Never share MFA codes or number-matching values with another person.
  • Change your password if you approved a prompt by mistake.

Final Takeaway

Approve actions, not surprises.

MFA is powerful when the prompt matches something you are doing. If it appears out of nowhere, deny it, report it, and assume someone may already know your password.