Updated: 16 Apr 2026
Cisco Duo prevents MFA fatigue attacks through a feature called Verified Push. It requires the user to enter a number displayed on the login screen into the Duo Mobile app before access is granted. An attacker sending repeated push notifications remotely cannot complete this step. The attack fails.
MFA fatigue is not a sophisticated technique. An attacker with a stolen password sends push approval requests repeatedly, sometimes dozens in succession, until an exhausted user approves one. It is the documented method behind the 2022 Uber breach and the 2023 MGM Resorts incident. Neither required breaking MFA. Both required abusing the standard push notification model.
Standard push notification treats user approval as proof of identity. Verified Push does not. It treats a correctly entered number match as proof that the person approving the request is physically present at the device initiating the login.
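The repeated-push pattern described above is also visible in authentication logs, whichever push model is deployed. The following is an added example, not Cisco Duo code or part of the original page: it flags a burst of unapproved pushes for one user and, separately, an approval that ends such a burst. The log layout, the 10-minute window and the threshold of 5 are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <user> <factor> <result>".
# This layout is an assumption for the example, not a real Duo log format.
SAMPLE_LOG = """\
2026-04-16T02:10:05 asha push timeout
2026-04-16T02:10:40 asha push denied
2026-04-16T02:11:10 asha push timeout
2026-04-16T02:11:45 asha push timeout
2026-04-16T02:12:20 asha push denied
2026-04-16T02:12:50 asha push timeout
2026-04-16T02:13:30 asha push approved
2026-04-16T09:00:00 ravi push denied
2026-04-16T09:01:00 ravi push approved
2026-04-16T09:05:00 ravi fido2 approved
2026-04-16T10:00:00 meera push denied
2026-04-16T10:20:00 meera push denied
2026-04-16T10:40:00 meera push denied
2026-04-16T11:00:00 meera push denied
2026-04-16T11:20:00 meera push denied
"""

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 5                   # assumed: unapproved pushes per window


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, time, kind, count) alerts, kind being 'burst' or
    'approved_after_burst' (an approval that ends a burst)."""
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    alerts = []
    for line in log_text.strip().splitlines():
        stamp, user, factor, result = line.split()
        if factor != "push":
            continue  # only push approvals can be fatigued
        ts = datetime.fromisoformat(stamp)
        queue = recent[user]
        while queue and ts - queue[0] > window:
            queue.popleft()  # forget pushes older than the window
        if result in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) == threshold:  # alert once when the burst forms
                alerts.append((user, ts, "burst", len(queue)))
        elif result == "approved":
            if len(queue) >= threshold:  # the outcome the attacker wants
                alerts.append((user, ts, "approved_after_burst", len(queue)))
            queue.clear()
    return alerts
```

Calling `detect_push_fatigue(SAMPLE_LOG)` raises two alerts for the constructed user `asha` and none for `ravi` (a single mistaken denial) or `meera` (denials spread over more than an hour).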
For Indian enterprises, this distinction matters for two reasons.
First, RBI Authentication Directions 2025 require factor independence. A push notification delivered to the same device used to initiate the transaction does not satisfy this requirement. Verified Push, combined with a separate login device, does.
Second, CERT-In CISG-2025-02 requires MFA for all remote access. A deployment that uses standard push for remote access remains vulnerable to fatigue attacks. Verified Push removes that vulnerability.
Cisco Duo also offers FIDO2 hardware security keys and platform biometrics as phishing-resistant alternatives that replace push notification entirely.
Proactive Data Systems, a Cisco Preferred Security Partner, configures Verified Push as the default for privileged accounts in every Cisco Duo deployment across Indian enterprise environments.