Microsoft has announced the enforcement of “number matching” for all users of its Microsoft Authenticator app as part of its efforts to enhance the security of multifactor authentication (MFA). MFA is an essential element of identity and access management, but it is not fail-proof, especially as attackers increasingly employ social-engineering tactics to bypass MFA controls. The new feature adds another layer of security by requiring users to read a number displayed on the login screen of the primary device and enter it in the Authenticator app on their secondary device to approve the sign-in. As a result, users cannot approve a login attempt unless they are in front of the login screen at that moment.
Previously, the process flow for Microsoft Authenticator displayed a prompt in the app when the user tried to log in, and the user tapped the prompt on the secondary device to authorize the sign-in. However, attackers started spamming users with MFA push notification requests, and users were granting access to the attackers either by mistake or simply to make the spam notifications stop. Number matching is designed to help users avoid accidentally approving fraudulent authentication attempts. MFA fatigue, which means overwhelming users with MFA push notification requests, has become more prevalent, according to Microsoft. To combat this, Microsoft introduced number matching as an optional feature in Microsoft Authenticator in October and then decided to enforce it for all users of Microsoft Authenticator push notifications starting May 8, 2023.
Number matching with Authenticator will be used for actions such as password resets, registration, and access to Active Directory. Users will also see additional context, such as the name of the application and the location of the login attempt, to prevent accidental approvals. The idea is that users cannot accept a login attempt if they are not in front of the login screen at that time.
Number matching does not work on wearables, such as the Apple Watch or Android wearable devices. Instead, users will have to key in the number on the mobile device itself. Administrators should therefore remind users to upgrade to the latest version of Microsoft Authenticator on their mobile devices.
Microsoft observed almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts last August, compared with 32,442 in 2021. Last year, 382,000 attacks employed this tactic, Microsoft said. Number matching will help to prevent such attacks and enhance the security of MFA. The same tactic was also recently used in attacks against Uber, Microsoft, and Okta.
While number matching is enabled by default for Microsoft Azure, users will see some services start using this feature before others. Microsoft recommends enabling number matching in advance to “ensure consistent behavior.” Administrators can enable the setting by navigating to Security > Authentication methods > Microsoft Authenticator in the Azure portal. On the Enable and Target tab, they can click Yes and All users to enable the policy for everyone, or add selected users and groups. The Authentication mode for these users and groups should be either Any or Push. Then, on the Configure tab, under Require number matching for push notifications, administrators can change Status to Enabled, choose who to include in or exclude from number matching, and click Save. Administrators can also limit the number of MFA authentication requests allowed per user and lock the account or alert the security team when that limit is exceeded.
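As an added illustration (this is constructed example code, not Microsoft's implementation or the portal steps above), the following Python model shows the two controls the article describes working together: a push that can only be approved by entering the number shown on the login screen, and a per-user request limit that locks the account and raises an alert when exceeded. The class name, thresholds and two-digit number range are assumptions.

```python
import secrets
import time
from collections import defaultdict, deque


class NumberMatchingMfa:
    """Constructed model of the number-matching push flow plus a per-user
    push-request limit as a defence against MFA fatigue (not Microsoft's code)."""

    def __init__(self, max_requests=5, window_seconds=300, ttl_seconds=60):
        self.max_requests = max_requests       # pushes allowed per user per window
        self.window = window_seconds
        self.ttl = ttl_seconds                 # how long a challenge stays valid
        self.pending = {}                      # challenge_id -> (user, number, expires_at)
        self.history = defaultdict(deque)      # user -> timestamps of push requests
        self.locked = set()
        self.alerts = []                       # messages for the security team

    def request_push(self, user, now=None):
        """Login-screen side: issue a push and return (challenge_id, number to display).
        Returns None when the user is locked or the request limit is exceeded."""
        now = time.time() if now is None else now
        if user in self.locked:
            return None
        hist = self.history[user]
        while hist and now - hist[0] > self.window:   # drop requests outside the window
            hist.popleft()
        hist.append(now)
        if len(hist) > self.max_requests:
            self.locked.add(user)
            self.alerts.append(f"{user}: {len(hist)} MFA pushes within {self.window}s, account locked")
            return None
        number = secrets.randbelow(100)        # two-digit number shown only on the login screen
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (user, number, now + self.ttl)
        return challenge_id, number

    def approve(self, challenge_id, entered_number, now=None):
        """Authenticator side: the user must type the number seen on the login screen.
        A bare tap (entered_number=None), a wrong number, an expired or a reused
        challenge never succeeds."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)   # single use: removed on first attempt
        if entry is None:
            return False
        _user, number, expires_at = entry
        return now <= expires_at and entered_number == number
```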
In conclusion, number matching enhances MFA security, and Microsoft’s move to enforce it for all users of its Microsoft Authenticator app shows its commitment to data protection and cybersecurity. As attackers become more sophisticated in their tactics, users and organizations must adopt proactive security measures to combat cybersecurity threats.