Number matching prompts to combat MFA fatigue attacks

Bethany Reid
Tuesday 31 January 2023

Last year, the Cybersecurity and Infrastructure Security Agency (CISA) published new guidance to raise awareness of a new threat, multi-factor authentication (MFA) fatigue, and how organisations can protect themselves through number matching. We’ll introduce number matching on:

  • Microsoft Authenticator on Tuesday 7 February
  • Duo Mobile on Tuesday 14 February

This blog details why the change has been introduced and how this affects students and staff at the University.

What is an MFA fatigue attack?

Since the move to homeworking and hybrid working, corporate and University emails have been a continuous target for cybercriminals. Despite the introduction of multi-factor authentication to add an additional layer of protection, hackers are using new techniques to bypass our cyber defences.

Once they have obtained your password through a successful phishing attempt or password guessing, a cybercriminal will bombard you with hundreds of push notifications, text messages, or phone calls. They’ll keep sending prompts until you accidentally approve one.

How can number matching help?

On CISA’s scale from weakest to strongest, a mobile push notification with number matching is ranked the most secure of the methods available to us.

Figure 1: Cybersecurity and Infrastructure Security Agency MFA hierarchy

This combats MFA fatigue because you must be looking at the login screen to read the number shown there and enter it in the app, so there is no way to approve a prompt by accident and put your data at risk. A new number is also generated for each prompt, so bombarding you with prompts is ineffective.
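To make the mechanism concrete, below is an added Python model of a number-matching prompt; it is not code from CISA, Microsoft or Duo, and the class and function names are assumptions. The number appears only on the login screen, the push carries just a prompt id, and each prompt is single-use and expires, so a flood of prompts to someone who is not at the login screen completes zero logins.

```python
import secrets
import time

# Constructed model of number-matching push MFA (server side). It illustrates
# the idea only; it is not the Microsoft Authenticator or Duo Mobile implementation.
class NumberMatchingMFA:
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.pending = {}  # prompt_id -> {"user", "number", "issued"}

    def start_login(self, user, now=None):
        """Run after the password check. Returns (prompt_id, number).
        The number is shown only on the login screen; the push carries prompt_id."""
        now = time.time() if now is None else now
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # fresh two-digit number for every prompt
        self.pending[prompt_id] = {"user": user, "number": number, "issued": now}
        return prompt_id, number

    def respond(self, prompt_id, entered, now=None):
        """Called when the app sends back what the user typed. A prompt is
        single-use: any answer, right or wrong, consumes it, so a guess costs
        the attacker a brand-new prompt (and a new number) every time."""
        now = time.time() if now is None else now
        prompt = self.pending.pop(prompt_id, None)
        if prompt is None:                    # unknown or already used
            return False
        if now - prompt["issued"] > self.ttl:  # stale prompt, refuse it
            return False
        return entered == prompt["number"]

def legitimate_login(server, user):
    """The user reads the number off the login screen and types it into the app."""
    prompt_id, number_on_screen = server.start_login(user)
    return server.respond(prompt_id, number_on_screen)

def bombardment(server, user, prompts=200):
    """An attacker holding the password triggers many prompts. The victim is not
    at the login screen, so the only thing they can do is tap through without a
    number (modelled as None). Returns how many prompts completed a login."""
    approved = 0
    for _ in range(prompts):
        prompt_id, _number_only_on_attacker_screen = server.start_login(user)
        approved += server.respond(prompt_id, None)
    return approved
```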

What can I do to stay safe?

Use an authentication app

Number matching push notifications are the most secure authentication method, so if you are still using phone calls, please consider downloading the relevant smartphone app.

Follow password best practice

An MFA fatigue attack can only begin once a hacker knows your password. That is easier for them if you respond to phishing emails, enter details into fraudulent websites, re-use your password across different online services, or have a password that is weak and easy to guess.

Report fraudulent MFA prompts

If you ever receive a login prompt while you are away from your computer and know you didn’t generate it, tell the IT Service Desk immediately in case your account has been compromised.
