
“Microsoft Authenticator Enhances Security Measures with Number Matching Feature”


Microsoft Enhances Security of MFA with “Number Matching” Feature

Multi-factor authentication (MFA) is an essential security measure in identity and access management, but it is not infallible against attackers who use social engineering to bypass MFA controls. As a way to enhance the security of MFA, Microsoft is enforcing “number matching” for all users of its Microsoft Authenticator app.

Previously, the process flow for Microsoft Authenticator just displayed a prompt in the app when the user tried to log into an application. The user tapped the prompt on the secondary device to authorize the transaction. Number matching adds another step by forcing users to have the secondary device and see the login screen on the primary device. Instead of just tapping the prompt, users will now have to enter a number that is displayed on the application’s login screen.

Number matching was originally introduced in Microsoft Authenticator as an optional feature in October 2022 after attackers started spamming users with MFA push notification requests. Users were granting access to the attackers just to get the spam notifications to stop, or by mistake.

Additional Security Measures

Number matching will be used for actions such as password resets, registration, and access to Active Directory. Users will also see additional context, such as the name of the application and the location of the login attempt, to prevent accidental approvals. The idea is that users cannot accept a login attempt if they are not in front of the login screen at that time.

While number matching was enabled by default for Microsoft Azure in February, administrators can enable the setting by navigating to Security – Authentication methods – Microsoft Authenticator in the Azure portal. On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups. Administrators can also limit the number of MFA authentication requests allowed per user and lock the accounts or alert the security team when the number is exceeded.
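The per-user request limit and alerting described above can be sketched as detection logic. This is an added example, not code from Microsoft or the original article: it counts push prompts per user in a sliding window and reports an approval that arrives during a burst separately. The event format, result labels, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real sign-in logs): (timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2023-05-08T09:00:00", "alice", "denied"),
    ("2023-05-08T09:01:00", "alice", "no_response"),
    ("2023-05-08T09:02:00", "alice", "denied"),
    ("2023-05-08T09:02:30", "bob", "approved"),
    ("2023-05-08T09:03:00", "alice", "denied"),
    ("2023-05-08T09:04:00", "alice", "no_response"),
    ("2023-05-08T09:05:00", "alice", "denied"),
    ("2023-05-08T09:06:00", "alice", "approved"),
    ("2023-05-08T13:00:00", "bob", "approved"),
] + [(f"2023-05-08T{h:02d}:30:00", "carol", "denied") for h in range(8, 14)]


def detect_push_bursts(events, max_requests=5, window=timedelta(minutes=10)):
    """Alert when a user receives more than max_requests push prompts within window.

    An approval that arrives while the user is over the limit is reported
    separately, since it may be a user giving in to repeated prompts.
    """
    recent = defaultdict(deque)   # user -> timestamps of prompts still inside the window
    flagged = set()               # users already alerted for the current burst
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        prompts.append(ts)
        while ts - prompts[0] > window:   # drop prompts older than the window
            prompts.popleft()
        if len(prompts) <= max_requests:
            flagged.discard(user)         # burst is over; re-arm the alert
            continue
        if result == "approved":
            kind = "approved_during_burst"    # candidate for lock and review
        elif user not in flagged:
            kind = "threshold_exceeded"       # notify the security team once per burst
        else:
            continue
        flagged.add(user)
        alerts.append({"user": user, "kind": kind, "time": ts_text,
                       "prompts_in_window": len(prompts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bursts(SAMPLE_EVENTS):
        print(alert)
```

Spread-out denials (the constructed user carol) and ordinary approvals (bob) stay below the limit and produce no alert.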

Users should upgrade to the latest version of Microsoft Authenticator on their mobile devices. However, number matching does not work for wearables such as Apple Watch or other Android devices. Users will have to key in the number via the mobile device instead.

MFA Fatigue is a Growing Concern

MFA fatigue, or overwhelming users with MFA push notification requests, has become more prevalent, according to Microsoft, which observed almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts in August 2022, compared with 32,442 a year earlier. There were 382,000 attacks employing this tactic in 2022, Microsoft said. It was also recently used in attacks against Uber, Microsoft, and Okta.

Conclusion

The new number matching feature for Microsoft Authenticator is a significant security upgrade that adds an extra layer of protection against attackers who use social engineering tactics to bypass MFA controls. Microsoft's enforcement of this feature for all users is an essential step to prevent MFA fatigue and limit the potential for false authentication attempts. However, users must ensure that they have the latest version of the Microsoft Authenticator app and that the number matching feature is enabled for the devices and services they use.

While this is a welcome development, it is important to remember that cybersecurity is not a one-size-fits-all approach. Companies should encourage their employees to undertake cybersecurity training, adopt a “zero trust” approach, and ensure they have the latest security measures in place.
