Require number matching for Mobile Authenticator

This topic describes how to enable your users to use number matching for mobile devices.

Beginning with the 22.10 release, you can mitigate the security risk of MFA push fatigue by requiring number matching. To unlock the Mobile Authenticator, users must select, from the three two-digit numbers displayed on the Mobile Authenticator, the one that matches the number displayed on the sign-in page.

This mechanism requires users to have the CyberArk Identity mobile app installed on an enrolled device.

To enable this feature, go to Endpoint Policies > Common Settings > Mobile Settings > Security Settings > Require number matching for mobile authenticator to prevent accidental approvals and select Yes.

Number matching is only supported for signing in to Identity Administration.

It is not supported for other authentication types such as endpoint authentication on enrolled Windows/macOS devices or on Privilege Cloud connections to Linux/Unix machines (PSM for SSH).

Number matching is not supported if the sign-in request comes from the enrolled device.
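
The following added example models the number-matching step described above to show why it limits approvals made out of push fatigue. It is an illustration written for this topic, not CyberArk Identity code: the class and function names, the 60-second lifetime, and the single-attempt rule are assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds; assumed value, not a product setting


class NumberMatchChallenge:
    """One push request (hypothetical model): the sign-in page shows
    `target`; the authenticator app shows all three `choices`."""

    def __init__(self, now=None):
        picks = set()
        while len(picks) < 3:                           # three distinct numbers
            picks.add(str(secrets.randbelow(90) + 10))  # two digits: 10..99
        self.choices = sorted(picks)
        self.target = secrets.choice(self.choices)
        self.expires = (time.time() if now is None else now) + CHALLENGE_TTL
        self.used = False

    def verify(self, selected, now=None):
        """Accept only the first, unexpired, correct selection."""
        now = time.time() if now is None else now
        if self.used or now > self.expires:
            return False
        self.used = True  # assumption: a wrong tap cannot be retried
        return hmac.compare_digest(str(selected).encode(), self.target.encode())


def blind_tap_success_rate(trials=3000):
    """Fraction of push requests approved by a user who taps a number
    without looking at the sign-in page (the push-fatigue case)."""
    hits = 0
    for _ in range(trials):
        challenge = NumberMatchChallenge()
        hits += challenge.verify(secrets.choice(challenge.choices))
    return hits / trials


if __name__ == "__main__":
    c = NumberMatchChallenge()
    print("sign-in page shows:", c.target, "| app offers:", c.choices)
    print("matching number accepted:", c.verify(c.target))
    print("blind-tap approval rate: %.2f" % blind_tap_success_rate())
```

In this model a user who taps without reading the sign-in page approves roughly one request in three, whereas a plain approve/deny prompt would approve every such tap.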