Microsoft has changed the way its authenticator app works, in an effort to make it more secure by preventing multi-factor authentication (MFA) fatigue attacks.
When receiving a push notification from Microsoft Authenticator on their secondary device, such as a smartphone, to verify a login attempt, users will now have to input a two-digit code shown on the primary device. This means they cannot approve a login attempt unless they can actually see the login screen.
In MFA fatigue attacks, the attacker hopes that users, bombarded with login prompts, eventually approve one just to make them stop, or by mistake once worn down. This method has been quite successful in penetrating large corporations – including Microsoft itself – once hackers have stolen a worker’s initial login credentials.
Rolling out now
On the company’s Learn website, Microsoft explained that, “Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.”
It also said that various services will be employing this new change, and that some services may show number matching while others won’t. But before Microsoft removes the admin controls, admins can manually make the switch by navigating to Security > Authentication methods > Microsoft Authenticator in the Azure portal.
Then, under Enable and Target, you can choose which users it will apply to, by setting the Authentication mode to Any or Push. Under the Configure tab, you’ll see Require number matching for push notifications. Change the status to Enable and choose who it applies to, then click Save.
Microsoft also explains how you can use Graph APIs to enable the new number matching feature for certain groups.
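As an added example (not from the article or from Microsoft's documentation), the following script builds the Graph request the article refers to, can send it, and summarises the current setting from a GET of the same endpoint. The beta endpoint path, the numberMatchingRequiredState setting, the all_users target id and the token permission named in the comments are assumptions to verify against current Graph documentation.

```python
"""Added example: enable and audit number matching for Microsoft Authenticator
via Microsoft Graph. Endpoint, field names and target ids are assumptions."""
import json
import urllib.request
from typing import Optional

# Assumed beta endpoint path for the Authenticator method configuration.
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/MicrosoftAuthenticator")
NO_GROUP = "00000000-0000-0000-0000-000000000000"  # empty exclude target (assumed)
ALL_USERS = "all_users"                            # tenant-wide target id (assumed)


def number_matching_payload(group_id: Optional[str] = None) -> dict:
    """Request body that turns number matching on for one group, or for all
    users when no group id is given. Ids here are constructed placeholders."""
    target = {"targetType": "group", "id": group_id or ALL_USERS}
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            "numberMatchingRequiredState": {
                "state": "enabled",
                "includeTarget": target,
                "excludeTarget": {"targetType": "group", "id": NO_GROUP},
            }
        },
    }


def number_matching_status(config: dict) -> str:
    """Summarise a GET of the same endpoint: 'all', 'group:<id>' or 'off'.
    Useful for checking a tenant before the May 8, 2023 enforcement date."""
    setting = (config.get("featureSettings") or {}).get("numberMatchingRequiredState") or {}
    if setting.get("state") != "enabled":
        return "off"
    target_id = (setting.get("includeTarget") or {}).get("id")
    return "all" if target_id == ALL_USERS else f"group:{target_id}"


def apply_number_matching(token: str, group_id: Optional[str] = None) -> int:
    """PATCH the policy with a bearer token that has the (assumed) permission
    Policy.ReadWrite.AuthenticationMethod. Returns the HTTP status (204 expected)."""
    body = json.dumps(number_matching_payload(group_id)).encode()
    req = urllib.request.Request(
        GRAPH_URL, data=body, method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run number_matching_status on the JSON returned by a GET of the same URL to confirm the scope you set, rather than trusting the portal view alone.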
The company also noted that, “If the user has a different default authentication method, there won’t be any change to their default sign-in.”
“If the default method is Microsoft Authenticator and the user is specified in either of the following policies, they’ll start to receive number matching approval after May 8th, 2023.”
Further security measures can be taken to prevent MFA fatigue attacks by restricting the number of authentication requests, alerting admins or locking accounts if that number is exceeded.