CISA | DEFEND TODAY, SECURE TOMORROW
Implementing Number Matching in MFA Applications
@CISAgov | @cyber | @uscert_gov
Linkedin.com/company/cisagov
THE PROBLEM
Cyber threat actors who have obtained a user’s password know they can enter it into an identity platform that uses mobile push-notification-based MFA to generate hundreds of prompts on the user’s device over a short period of time.[1] This activity understandably annoys the user, who may—accidentally or from MFA fatigue—press accept to stop the prompts. Alternatively, the prompts may confuse the user, who may assume one of the requests is legitimate and approve it. In any of these scenarios, the user unknowingly grants the cyber threat actor access to their account.
MITIGATION
As stated above, if an organization that uses mobile push-notification-based MFA is unable to implement phishing-resistant MFA, CISA recommends enabling “number matching” on MFA configurations to prevent MFA fatigue. Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request. Figures 3 and 4 show the user’s view of an identity platform login screen that uses number matching.
Figure 3: Azure AD Number Matching Prompt
Figure 4: Microsoft Authenticator Number Matching Prompt
The number matching requirement mitigates MFA fatigue by:
• Requiring access to the login screen to approve requests. Users cannot approve requests without entering the numbers on the login screen.
• Discouraging prompt spam. Each prompt generates a unique set of numbers for every login request. As the user cannot accept the prompts without knowing the numbers, generating multiple prompts is not effective.
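A toy model of the two points above, added here as an illustration and not code from CISA or any MFA vendor: a push-MFA server with number matching off or on, a user who reads the code from the login screen, and a fatigued user who taps approve on a flood of prompts with no login screen in front of them. The server class, the user name “alice” and the two-digit code format are constructed assumptions, not any product’s implementation.

```python
from __future__ import annotations

import secrets


class PushMfaServer:
    """Toy identity platform issuing push prompts (constructed for this example).
    With number_matching=True every prompt gets its own two-digit code that is
    shown only on the login screen, never in the push notification itself."""

    def __init__(self, number_matching: bool) -> None:
        self.number_matching = number_matching
        self.pending: dict[str, tuple[str, str | None]] = {}  # request_id -> (user, code)

    def start_login(self, username: str) -> tuple[str, str | None]:
        """Called once the password has been verified. Returns the prompt id and
        the code displayed on the login screen (None without number matching)."""
        request_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(100):02d}" if self.number_matching else None
        self.pending[request_id] = (username, code)
        return request_id, code

    def approve(self, request_id: str, entered: str | None) -> bool:
        """The authenticator app approves a prompt. Prompts are single use; with
        number matching the number typed into the app must equal this prompt's code."""
        username, code = self.pending.pop(request_id, (None, None))
        if username is None:
            return False  # unknown or already consumed prompt
        if code is None:
            return True   # plain push: a tap is enough
        return entered is not None and secrets.compare_digest(entered, code)


def legitimate_login(server: PushMfaServer) -> bool:
    """User at the login screen reads the displayed code and types it into the app."""
    request_id, code = server.start_login("alice")  # constructed user name
    return server.approve(request_id, code)


def fatigued_tap(server: PushMfaServer, prompts: int = 200) -> bool:
    """Someone holding the password triggers many prompts; the worn-down user taps
    approve on the latest one without any login screen to read a code from."""
    request_ids = [server.start_login("alice")[0] for _ in range(prompts)]
    # No code to copy: with number matching the tap cannot satisfy the prompt.
    return server.approve(request_ids[-1], entered=None)


if __name__ == "__main__":
    for nm in (False, True):
        s = PushMfaServer(number_matching=nm)
        print(f"number_matching={nm}: legit={legitimate_login(s)} fatigued_tap={fatigued_tap(s)}")
```

The fatigued tap succeeds only without number matching; with it, a code from one prompt is also useless for any other prompt, since each request carries its own.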
MFA vendors support number matching features under a variety of brand names. A few common examples:
• Microsoft Number Matching – Use number matching in multifactor authentication (MFA) notifications (Preview) - Azure Active Directory - Microsoft Entra | Microsoft Docs
• Duo Verified Push – Duo Administration - Policy & Control | Duo Security
• Okta TOTP – https://help.okta.com/oie/en-us/Content/Topics/identity-engine/authenticators/configure-okta-verify-options.htm
[1] Threat actors could acquire a user’s password via password spraying, a password dump from a compromised site, or other methods.