Push MFA is a multi-factor authentication method in which a user approves or denies a login request through a push notification on another device. It matters because approval-based factors are convenient but can create fatigue and social-engineering weaknesses if designed poorly.
What is Push MFA?
When a login occurs, the user receives a push notification asking whether they approve it. Push MFA can be easy to use, but it is vulnerable to prompt bombing, accidental approval, and some adversary-in-the-middle tactics if not strengthened with extra context or number matching.
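The sketch below is an added example, not code from this page or from any MFA product. It shows the server side of a push flow hardened with number matching and prompt throttling. The class name, method names, two-digit code, and threshold values are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_PROMPTS_PER_WINDOW = 3   # assumed policy: prompts allowed per user per window
WINDOW_SECONDS = 300         # assumed throttle window
CHALLENGE_TTL = 60           # assumed lifetime of one prompt, in seconds


class PushChallengeService:
    """Hypothetical server side of a push MFA flow with number matching."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges = {}   # challenge_id -> (user, code, expires_at)
        self._sent = {}         # user -> timestamps of recent prompts

    def start(self, user):
        """Create a prompt; return (challenge_id, code shown on the login page)."""
        now = self._clock()
        recent = [t for t in self._sent.get(user, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_PROMPTS_PER_WINDOW:
            self._sent[user] = recent
            return None, None   # throttled: no further push reaches the device
        recent.append(now)
        self._sent[user] = recent
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(100):02d}"
        self._challenges[challenge_id] = (user, code, now + CHALLENGE_TTL)
        return challenge_id, code

    def respond(self, challenge_id, user, entered_code):
        """Device response: approve only if the number typed on the device matches."""
        entry = self._challenges.pop(challenge_id, None)   # single use, one attempt
        if entry is None:
            return "unknown"
        owner, code, expires_at = entry
        if owner != user:
            return "denied"
        if self._clock() > expires_at:
            return "expired"
        if not hmac.compare_digest(code, str(entered_code)):
            return "denied"
        return "approved"
```

Because the code is displayed only on the login page, a user who did not start the login has nothing to type, so a bare tap cannot approve the request. The throttle limits how many prompts can reach the device in one window.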
What Push MFA Commonly Supports
Common uses include workforce MFA, mobile app verification, step-up authentication, and lower-friction second-factor login experiences.
Push MFA vs. Phishing-Resistant MFA
Push MFA can be stronger than password-only access but is often more phishable and fatigue-prone than hardware-backed or passkey-based methods.
Frequently Asked Questions
Why is push MFA popular?
Because it is convenient and easy for many users to understand and approve quickly.
What is the main weakness?
Repeated prompts, social engineering, and weak approval context can lead to accidental or pressured approvals.