Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about number matching?

They often treat it as a complete fix when it is really a partial mitigation. Number matching blocks some blind approvals, but it does not stop unlimited challenge generation, social engineering, or poor session design. It should be used as one layer in a broader push authentication control model.

Why This Matters for Security Teams

number matching is often adopted as if it were a complete defence against MFA fatigue, but that framing is too narrow. It can reduce blind approvals, yet it does not remove the underlying problem of repeated prompts, user manipulation, or weak session design. Security teams also overestimate what a single control can do when the real issue is the authentication flow, not just the prompt itself. NIST’s NIST Cybersecurity Framework 2.0 emphasises layered risk management, not isolated controls.

This matters because attackers do not need to defeat number matching if they can trigger enough challenges, pressure a user, or exploit a downstream session that stays valid after approval. In environments with poorly governed identities, that weakness is amplified by broader visibility gaps described in the Ultimate Guide to NHIs, where long-lived access and weak lifecycle control create easy paths for abuse. In practice, many security teams encounter abuse only after users begin approving repeated prompts under pressure, rather than through intentional testing of the authentication design.

How It Works in Practice

Number matching works by forcing the user to enter or confirm a displayed code before approving the push request. That removes some “tap yes” style attacks because the user must see the code and interact more deliberately. It is useful, but it should be treated as a friction layer inside a broader push authentication model, not as a standalone security boundary.

In practice, strong implementations pair number matching with rate limiting, device binding, conditional access, phishing-resistant factors, and alerting for abnormal prompt volume. Security teams should also examine the session that follows approval. If a successful push creates a long-lived session with broad access, the attacker only needs one coerced approval to move laterally. The control is strongest when authentication is joined to policy decisions, risk signals, and short session lifetimes, rather than treated as a one-time gate.

That is why current guidance suggests viewing it as one step in a broader authentication redesign. The State of Non-Human Identity Security shows how confidence often lags behind reality, which is a useful warning for human authentication as well: controls that appear reassuring on paper can fail under real operational pressure. Teams also benefit from aligning these decisions with the NIST Cybersecurity Framework 2.0 so that detection, response, and access governance reinforce the same outcome. These controls tend to break down when users are repeatedly prompted during high-friction workflows because fatigue and urgency override the intended verification step.

Common Variations and Edge Cases

Tighter authentication often increases user friction, requiring organisations to balance stronger verification against login fatigue and support burden. That tradeoff becomes sharper in help desks, break-glass access, and shift-based operations where users need rapid entry and may ignore repeated challenges if the process feels disruptive.

There is no universal standard for this yet, but best practice is evolving toward adaptive controls. For some environments, number matching is acceptable as part of a broader MFA stack. For others, especially where attackers can replay prompts or exploit weak session handling, phishing-resistant methods such as hardware-backed authenticators are a better fit. Teams should also watch for abuse patterns that number matching does not address: unlimited prompt generation, social engineering over voice or chat, and session hijacking after approval.

The broader lesson is that authentication design has to assume active adversaries, not cooperative users. NHI security research from Ultimate Guide to NHIs shows how privilege and lifecycle failures compound over time, and the same logic applies here: one partial mitigation rarely closes the full attack path. Organisations that treat number matching as the finish line usually discover its limits only after a prompt bomb or social-engineering campaign has already succeeded.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, CSA MAESTRO and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 Number matching fails when attackers abuse prompt flow, a control-gap pattern OWASP highlights.
CSA MAESTRO Agentic access models stress runtime trust decisions, similar to push-auth weaknesses.
NIST AI RMF AIRMF supports layered risk controls and monitoring instead of one-factor confidence.
NIST CSF 2.0 PR.AC-7 Authentication strength must be paired with session and access governance.
OWASP Non-Human Identity Top 10 NHI lifecycle failures mirror the same overconfidence seen in partial MFA fixes.

Assess authentication as a risk process with monitoring, response, and continuous improvement.