Security teams have no visibility into which users are blindly approving MFA prompts, creating a major attack vector despite having MFA deployed.
Agent that integrates with identity providers (Entra ID, Okta, Duo) to analyze MFA approval speed, location mismatches, and behavioral patterns, flagging users who approve prompts suspiciously fast or without context. Generates risk scores and triggers retraining or policy changes.
SaaS subscription tiered by number of monitored users
The pain is real and well-documented — the Reddit thread with 180 upvotes and 105 comments confirms security teams feel it. High-profile breaches (Uber, MGM, Cisco) were caused by MFA fatigue. However, most security teams treat it as a 'known problem' they accept rather than actively solving. It's a simmering pain, not a hair-on-fire emergency for most orgs until they get breached. Pain intensity increases dramatically post-incident.
TAM is mid-market to enterprise security teams with 500+ employees using push-based MFA. Roughly 50K-100K qualifying organizations globally. At $2-5/user/month and average 2K monitored users, that's ~$50K ARR per customer, suggesting a $2.5B-$5B addressable market. However, realistic serviceable market is much smaller — this is a niche within identity security. Many orgs will solve this with existing tools or phishing-resistant MFA (FIDO2/passkeys) rather than buying a new product. Passkey adoption is the long-term market headwind.
This is the weakest dimension. Security teams have budget, but this product competes for dollars against broader ITDR platforms, SIEM upgrades, and phishing-resistant MFA rollouts — all of which partially address the same problem. Hard to justify a standalone purchase when Entra ID P2 or Okta's premium tier includes some MFA fatigue detection. The 'analytics and scoring' angle is differentiated but feels like a nice-to-have reporting layer, not a must-have security control. Buyers will ask: 'Why not just deploy FIDO2 keys instead?'
A solo dev can build an MVP that integrates with one IdP (Okta or Entra ID) in 6-8 weeks via their well-documented APIs. The core analytics (approval speed, location mismatch, time patterns) are straightforward statistical analysis, not deep ML. The challenges lie elsewhere: API rate limits and log ingestion at scale; meaningful behavioral baselines, which need weeks of data collection before the product delivers value; multi-IdP support, which multiplies integration work significantly; and messy enterprise auth environments (hybrid AD, multiple IdPs, federated identity). An MVP scoped to one IdP with basic scoring is feasible; production-grade multi-IdP is a 6+ month effort.
Clear whitespace exists — no one offers dedicated MFA behavioral analytics with org-level risk scoring. Every competitor treats MFA fatigue as one feature in a broader platform. The gap is real in three areas: (1) proactive identification of rubber-stamp approvers BEFORE an attack, (2) organizational MFA health posture scoring, (3) executive-ready MFA risk reporting. However, this gap exists partly because incumbents could easily build this as a feature — the moat is shallow. Microsoft, Okta, or CrowdStrike could ship a competing dashboard in one quarter.
Strong subscription fit. Continuous monitoring requires ongoing data ingestion and analysis. Risk scores and behavioral baselines improve over time, creating switching costs. Security compliance requires ongoing evidence. Tiered pricing by monitored users scales naturally with customer growth. Usage-based upsells (more IdP integrations, longer data retention, advanced analytics) provide expansion revenue paths.
- +Clear whitespace — no dedicated product exists for MFA behavioral analytics and organizational MFA risk scoring
- +Validated pain with real-world breaches (Uber, MGM, Cisco) and strong community signal (180+ upvotes, 105 comments)
- +Regulatory tailwinds — SEC disclosure rules, NIS2, and CISA guidance are forcing boards to quantify identity risk
- +Natural subscription model with usage-based expansion and improving-over-time value prop
- +Complementary positioning (sits on top of existing IdPs/SIEMs) avoids direct competition with incumbents
- !Phishing-resistant MFA (FIDO2/passkeys) adoption could eliminate the problem entirely within 3-5 years, shrinking the market
- !Shallow moat — Microsoft, Okta, or CrowdStrike could ship this as a feature in one quarter, and they own the data
- !Enterprise sales cycle is 3-6 months with procurement, security review, and legal — slow path to revenue for a solo founder
- !Willingness to pay for analytics/reporting layer is unproven when core detection exists in platforms customers already own
- !Requires meaningful data collection period (weeks) before generating value — weak time-to-value for trials
Risk-based conditional access and sign-in risk detection within the Microsoft identity ecosystem. Flags repeated MFA prompt failures and added number matching to combat MFA fatigue.
Continuous post-authentication risk evaluation detecting anomalous MFA behavior, session hijacking, and identity threats within the Okta ecosystem.
ITDR platform providing real-time identity threat detection, lateral movement detection, and conditional access. Detects MFA fatigue as part of broader identity attack patterns with endpoint correlation.
Agentless ITDR platform providing MFA enforcement and identity threat detection across all authentication protocols including legacy systems, service accounts, AD, LDAP, Kerberos, RADIUS, and cloud IdPs.
SIEM platforms with built-in or community detection rules for MFA fatigue attacks. Can ingest MFA logs from multiple IdPs and trigger SOAR playbooks. Sentinel has specific analytic rules; Splunk has community-contributed detections.
Single-IdP integration (Okta or Entra ID, pick one). Ingest MFA push event logs via API. Calculate per-user metrics: average approval speed, approval-without-interaction rate, location mismatch frequency, time-of-day anomalies. Generate a simple risk score (1-100) per user. Dashboard showing top 20 riskiest users, org-wide MFA health score, and one-click 'schedule retraining' action. Weekly email digest to security team leads. Skip multi-IdP, skip ML, skip SOAR integration. Prove the insight is valuable before building the platform.
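A minimal version of the per-user scoring the MVP describes, written here as an added example rather than code from the page or from any product it mentions. It consumes constructed, already-normalized push events (an assumed schema; real Okta or Entra ID log fields differ and would need a mapping step), computes the named metrics over approvals only, and produces a 1-100 score, a retraining list and an org-wide health score. The metric weights, the 3-second "fast approval" threshold and the 07:00-19:59 working window are assumptions, not calibrated values.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample of normalized MFA push events (not real IdP data): prompt sent, user response, outcome, sign-in country vs. registered-device country.
EVENTS = [
    {"user": "alice", "sent": "2024-03-04T09:00:00", "responded": "2024-03-04T09:00:12", "result": "approved", "signin_country": "US", "device_country": "US"},
    {"user": "bob", "sent": "2024-03-04T03:05:00", "responded": "2024-03-04T03:05:01", "result": "approved", "signin_country": "DE", "device_country": "US"},
    {"user": "bob", "sent": "2024-03-04T10:00:00", "responded": "2024-03-04T10:00:02", "result": "approved", "signin_country": "DE", "device_country": "US"},
    {"user": "bob", "sent": "2024-03-06T11:30:00", "responded": "2024-03-06T11:30:01", "result": "approved", "signin_country": "US", "device_country": "US"},
    {"user": "carol", "sent": "2024-03-04T09:30:00", "responded": "2024-03-04T09:30:02", "result": "approved", "signin_country": "US", "device_country": "US"},
    {"user": "carol", "sent": "2024-03-04T22:00:00", "responded": "2024-03-04T22:00:05", "result": "denied", "signin_country": "BR", "device_country": "US"},
    {"user": "dave", "sent": "2024-03-05T08:00:00", "responded": "2024-03-05T08:00:30", "result": "denied", "signin_country": "US", "device_country": "US"},
]
FAST_APPROVAL_SECONDS = 3.0   # assumption: faster than this is a reflexive tap
WORK_HOURS = range(7, 20)     # assumption: 07:00-19:59 local time is normal
RETRAIN_THRESHOLD = 60        # assumption: scores at or above this get retraining

def user_metrics(events):
    """Per-user MVP metrics over approvals only (a denial cannot be rubber-stamped)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    metrics = {}
    for user, evs in by_user.items():
        approved = [e for e in evs if e["result"] == "approved"]
        if not approved:           # never approved anything: nothing to baseline yet
            metrics[user] = None
            continue
        n = len(approved)
        secs = [(datetime.fromisoformat(e["responded"]) - datetime.fromisoformat(e["sent"])).total_seconds() for e in approved]
        metrics[user] = {
            "avg_seconds": sum(secs) / n,
            "fast_rate": sum(s < FAST_APPROVAL_SECONDS for s in secs) / n,
            "mismatch_rate": sum(e["signin_country"] != e["device_country"] for e in approved) / n,
            "offhours_rate": sum(datetime.fromisoformat(e["sent"]).hour not in WORK_HOURS for e in approved) / n,
        }
    return metrics

def risk_score(m):
    """1-100 score; the weights are an illustrative assumption, not a calibrated model."""
    if m is None:
        return 1
    raw = 0.45 * m["fast_rate"] + 0.35 * m["mismatch_rate"] + 0.20 * m["offhours_rate"]
    return max(1, min(100, int(1 + 99 * raw)))

def rank_users(events, top_n=20):
    # Returns the top-N riskiest users, who to schedule for retraining, and org health (100 minus mean risk).
    scores = {u: risk_score(m) for u, m in user_metrics(events).items()}
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    retrain = [u for u, s in ranked if s >= RETRAIN_THRESHOLD]
    health = int(100 - sum(scores.values()) / len(scores)) if scores else 100
    return ranked[:top_n], retrain, health
```

A real deployment would replace the fixed weights with per-user baselines learned from weeks of the organization's own data, which is the cold-start cost the feasibility and risk notes above point to.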
- Free tier: connect one IdP, monitor up to 50 users, basic risk scores, 7-day data retention
- Starter ($3/user/month): up to 500 users, 30-day retention, weekly reports, Slack/Teams alerts
- Pro ($5/user/month): unlimited users, 90-day retention, department-level scoring, API access, compliance reports
- Enterprise ($8/user/month): multi-IdP, SIEM integration, custom policies, SOAR playbooks, dedicated support, annual contracts
3-5 months. Month 1-2: build MVP with single IdP integration. Month 2-3: deploy with 5-10 design partners (security teams from your network or Reddit/community outreach). Month 3-4: iterate based on feedback, prove value with case studies. Month 4-5: convert design partners to paid, launch publicly. Enterprise sales cycles will push larger deals to month 6-9.
- “users just approve MFA prompts without really checking”
- “approvals become automatic”
- “defeats the purpose if approvals become automatic”
- “users are WAAAY past the point of authentication fatigue”