Number matching prompts to combat MFA fatigue attacks
Last year, the Cybersecurity and Infrastructure Security Agency (CISA) published new guidance to raise awareness of a new threat, multi-factor authentication (MFA) fatigue, and how organisations can protect themselves through number matching. We’ll introduce number matching on:
- Microsoft Authenticator on Tuesday 7 February
- Duo Mobile on Tuesday 14 February
This blog details why the change has been introduced and how this affects students and staff at the University.
What is an MFA fatigue attack?
Since the move to homeworking and hybrid working, corporate and University emails have been a continuous target for cybercriminals. Despite the introduction of multi-factor authentication to add an additional layer of protection, hackers are using new techniques to bypass our cyber defences.
Once obtaining your password through a successful phishing attempt or password guessing, a cybercriminal will bombard you with hundreds of push notifications, text, or phone calls. They’ll continue to harass you with notifications until you accidentally hit approve by mistake.
How can number matching help?
On a scale from weakest to strongest, a mobile push notification with number matching was ranked the most secure out of our available methods.

Figure 1 Cybersecurity and infrastructure security agency MFA hierarchy
This combats MFA fatigue as you need to be in front of the login screen to approve a prompt. There’s no way for you to accidentally approve something and put your data at risk. It also generates a new set of numbers for each prompt so bombarding you would be ineffective.
What can I do to stay safe?
Use an authentication app
Number matching push notifications are the most secure authentication method, so if you are still using phone calls, please consider downloading the relevant smartphone app.
Follow password best practice
To get to the point of an MFA fatigue attack, a hacker will need to know your password. This is easier for them if you respond to phishing emails, enter details into fraudulent websites, re-use your password across different online services, or have a password that is weak and easy to guess.
Report fraudulent MFA prompts
If you ever receive a login prompt while you are away from your computer and know you didn’t generate it, tell the IT Service Desk immediately in case your account has been compromised.