by noirscape 1249 days ago
On the other side of this, push-phishing through MFA fatigue has become extremely frequently used to hack into enterprise O365 instances (as well as Google Cloud accounts and the like).

People don't generally read it when their phone apps send them a "please login" notification after the 200th one that day; they tend to approve it without thinking (or worse, accidentally approve a phishing notification while trying to log in), especially when busy, which results in them letting phishers onto their device.

The DigiD login flow is a bit of a mess, but it seems very well designed to avoid that particular tendency. The entire process requires active involvement from the end-user, which means they'll be paying attention to whether it's them logging in or not.

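The push-fatigue pattern described in the comment above leaves a clear trace in identity-provider sign-in logs: one account receives many push prompts in a short span, most of them denied or timed out, and a compromise looks like an approval arriving on the tail of that burst. As an added example that is not part of this thread and not code from any product named here, the Python below runs a sliding-window rule over a constructed log sample. The log line format, the ten-minute window and the five-push threshold are assumptions to be tuned against real data.

```python
"""Sliding-window detection of MFA push-fatigue bursts (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "<timestamp> <user> <event> <result> <source ip>".
# The format is an assumption; real IdP logs carry the same fields under other names.
SAMPLE_LOG = """\
2023-03-01T09:00:00Z alice@example.test MFA_PUSH_SENT pending 203.0.113.7
2023-03-01T09:00:20Z alice@example.test MFA_PUSH_RESULT denied 203.0.113.7
2023-03-01T09:00:40Z alice@example.test MFA_PUSH_SENT pending 203.0.113.7
2023-03-01T09:01:00Z alice@example.test MFA_PUSH_RESULT denied 203.0.113.7
2023-03-01T09:01:30Z alice@example.test MFA_PUSH_SENT pending 203.0.113.7
2023-03-01T09:02:30Z alice@example.test MFA_PUSH_RESULT timeout 203.0.113.7
2023-03-01T09:02:45Z alice@example.test MFA_PUSH_SENT pending 203.0.113.7
2023-03-01T09:03:00Z alice@example.test MFA_PUSH_RESULT denied 203.0.113.7
2023-03-01T09:03:10Z alice@example.test MFA_PUSH_SENT pending 203.0.113.7
2023-03-01T09:03:30Z alice@example.test MFA_PUSH_RESULT denied 203.0.113.7
2023-03-01T09:04:00Z alice@example.test MFA_PUSH_SENT pending 203.0.113.7
2023-03-01T09:04:05Z alice@example.test MFA_PUSH_RESULT approved 203.0.113.7
2023-03-01T09:10:00Z bob@example.test MFA_PUSH_SENT pending 198.51.100.4
2023-03-01T09:10:12Z bob@example.test MFA_PUSH_RESULT approved 198.51.100.4
"""

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed tuning)
BURST_THRESHOLD = 5              # pushes inside the window that count as a burst (assumed)


def parse_line(line):
    """Split one log line into a dict; timestamps are parsed as naive UTC."""
    ts, user, event, result, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "event": event, "result": result, "ip": ip,
    }


def detect_push_fatigue(lines, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alert tuples (kind, user, timestamp, pushes_in_window).

    "push_burst": the user's push count inside the window just reached the threshold.
    "approval_after_burst": the user approved a push while a burst was still inside the
    window, which is the outcome push-fatigue aims for and deserves an incident ticket.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_pushes = defaultdict(list)   # user -> timestamps of pushes still inside the window
    alerts = []
    for e in events:
        user, now = e["user"], e["ts"]
        # Drop pushes that have aged out of the window for this user.
        recent_pushes[user] = [t for t in recent_pushes[user] if now - t <= window]
        if e["event"] == "MFA_PUSH_SENT":
            recent_pushes[user].append(now)
            if len(recent_pushes[user]) == threshold:   # fire once, when the threshold is crossed
                alerts.append(("push_burst", user, now, threshold))
        elif e["event"] == "MFA_PUSH_RESULT" and e["result"] == "approved":
            if len(recent_pushes[user]) >= threshold:
                alerts.append(("approval_after_burst", user, now, len(recent_pushes[user])))
    return alerts


if __name__ == "__main__":
    for kind, user, ts, count in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:22} {user} pushes_in_window={count}")
```

On the sample data the rule fires twice for alice (the fifth push at 09:03:10, then the approval at 09:04:05 with six pushes still in the window) and never for bob, whose single prompt and approval is the normal case. The approval alert is the one worth paging on: a burst by itself may be a locked-out user retrying, an approval at the end of one rarely is.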

This is real and a serious threat. Both the company I work in and I (personal account) have been targeted with this specific method. I got tens of random notification pop-ups on my phone on different days and I almost approved it once. It didn't stop until I disabled login using that specific email address altogether.

Edit: I received the notifications for the Microsoft Authenticator app

Wouldn't a password prompt before sending the message effectively put an end to that as well?

YMMV: I'm on a OnePlus 8 using the Microsoft Authenticator App. An OS update changed the PIN pad, which in turn soft-broke the M$ authenticator app's PIN lock security: rather than presenting a PIN pad to enter my PIN code, it now presents a full QWERTY keyboard... making it exceedingly annoying to enter my PIN - to the point where I simply disabled the PIN lock on the app (not on my phone, obviously).

So yeah, MFA fatigue is a thing and a PIN lock on the notification is not going to survive for very long given these OEM shenanigans...

Edit: Also M$ Auth app offers no proper export of my MFA keys, so I am stuck in this walled garden :')
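The property the first comment credits to DigiD, that approval demands active involvement rather than a tap, is what number matching in push MFA provides: the login screen shows a short code and the app only completes the login when the user types that code back, so a reflexive tap on the 200th prompt of the day does nothing. The same idea sits behind the question about a prompt before approval: the approval path must require something only the legitimate initiator has in front of them. The Python below is an added illustration, not code from DigiD, Microsoft Authenticator or any other product mentioned in the thread; the class names, the three-attempt lock and the 60-second challenge lifetime are assumptions.

```python
"""Blind push approval versus number matching (added example, hypothetical API)."""
import hmac
import secrets
import time


class BlindPushChallenge:
    """The weak design: a single 'Approve' tap completes the login, whoever triggered it."""

    def __init__(self, user):
        self.user = user
        self.state = "pending"

    def approve(self):
        if self.state == "pending":
            self.state = "approved"
        return self.state == "approved"


class MatchedPushChallenge:
    """Number matching: the login page shows a two-digit code that the user must type into
    the app; a reflexive tap carries no code and cannot complete the login."""

    MAX_ATTEMPTS = 3     # wrong codes tolerated before the challenge locks (assumed policy)
    TTL_SECONDS = 60     # challenge lifetime in seconds (assumed policy)

    def __init__(self, user, randbelow=secrets.randbelow, clock=time.monotonic):
        self.user = user
        self.code = f"{randbelow(100):02d}"   # displayed only on the initiating login screen
        self._clock = clock
        self._created = clock()
        self.attempts = 0
        self.state = "pending"

    def approve(self, typed_code=None):
        """Return True only when the code typed in the app matches the one on screen."""
        if self.state != "pending":
            return False
        if self._clock() - self._created > self.TTL_SECONDS:
            self.state = "expired"
            return False
        self.attempts += 1
        # Constant-time comparison; a missing code (a blind tap) never matches.
        if typed_code is not None and hmac.compare_digest(typed_code, self.code):
            self.state = "approved"
            return True
        if self.attempts >= self.MAX_ATTEMPTS:
            self.state = "locked"   # the initiating session has to start over
        return False


def fatigue_scenario(challenge_cls, **kwargs):
    """Model the 200th prompt of the day: the user taps Approve without reading the screen.
    Returns the challenge state after that reflexive tap."""
    ch = challenge_cls("alice@example.test", **kwargs)
    ch.approve()   # no code typed: a blind tap
    return ch.state


if __name__ == "__main__":
    print("blind push after a reflexive tap:  ", fatigue_scenario(BlindPushChallenge))
    print("matched push after a reflexive tap:", fatigue_scenario(MatchedPushChallenge))
    ch = MatchedPushChallenge("alice@example.test")
    print("typing the on-screen code:", ch.approve(ch.code), ch.state)
```

The attempt cap matters as much as the code itself: a two-digit code is guessable in a hundred tries, so the challenge locks after a few wrong entries and the person who started the login must begin again, which puts the cost of a guessing attempt on the initiator rather than on the phone's owner. The bounded lifetime closes the other gap, a stale prompt sitting on the lock screen waiting for a later tap.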