Microsoft has changed the way its authenticator app works in an effort to make it more secure by preventing multi-factor authentication (MFA) fatigue attacks.
After receiving a push notification from Microsoft Authenticator on their secondary device, such as a smartphone, users will now need to enter the two-digit code displayed on the primary device to verify the login attempt. This means that they cannot accept the login attempt unless they actually see the login screen.
With MFA fatigue attacks, the hope is that users who are bombarded with login prompts will blindly approve one, either to make the prompts stop or by mistake once they have been worn down. This method proved to be quite effective in penetrating large corporations – including Microsoft itself – after hackers stole an employee’s initial login details.
Now it’s developing
In its Microsoft Learn documentation, Microsoft explained that “Number matching is a key security update over traditional second factor notifications in Microsoft Authenticator. We will remove admin controls and enforce tenant-wide number matching for all Microsoft Authenticator push notification users starting May 8, 2023.”
Microsoft also states that various services will pick up this new change, so some services may show the number match while others may not. Before Microsoft removes admin control, administrators can make the change manually by going to Security > Authentication methods > Microsoft Authenticator in the Azure portal.
Then, under Enable and Target, you can choose which users it applies to by setting the authentication mode to Any or Push. On the Configure tab, you’ll see the option Require number matching for push notifications. Change the status to Enabled, select who it applies to, then click Save.
Microsoft also explains how you can use the Graph APIs to enable the new number matching feature for specific groups.
The company also noted that “If a user has a different default authentication method, there will be no change to their default login.”
“If the default method is Microsoft Authenticator and a user is specified in one of the policies below, they will start receiving number matching approval after May 8, 2023.”
Further measures can be taken to prevent MFA fatigue attacks, such as limiting the number of authentication requests, warning administrators, or blocking accounts if that number is exceeded.
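As an added illustration of the rate-limiting measure described above (this is example code, not from the article or from Microsoft), the following Python snippet counts MFA push notifications per user within a sliding time window over constructed sample log lines and returns a "warn" or "block" action per user; the log format, field names and thresholds are assumptions for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log: one JSON object per line (not real Azure AD/Entra output).
# Only "mfa_push_sent" events count towards the rate limit; other events are ignored.
SAMPLE_LOG = """
{"time": "2023-05-08T09:00:00Z", "user": "alice@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:00:10Z", "user": "bob@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:00:40Z", "user": "alice@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:00:45Z", "user": "alice@example.com", "event": "mfa_push_denied"}
{"time": "2023-05-08T09:01:20Z", "user": "alice@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:02:00Z", "user": "alice@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:02:45Z", "user": "alice@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:03:30Z", "user": "alice@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:10:00Z", "user": "carol@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:12:00Z", "user": "carol@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:14:00Z", "user": "carol@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T09:30:00Z", "user": "bob@example.com", "event": "mfa_push_sent"}
{"time": "2023-05-08T10:00:00Z", "user": "bob@example.com", "event": "mfa_push_sent"}
"""

WINDOW = timedelta(minutes=10)  # assumed sliding window
WARN_THRESHOLD = 3              # pushes in the window that alert an administrator
BLOCK_THRESHOLD = 5             # pushes in the window that block the account

def parse_log(text):
    """Return (timestamp, user) pairs for every push that was sent, in time order."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec["event"] == "mfa_push_sent":
            ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            events.append((ts, rec["user"]))
    return sorted(events)

def detect_mfa_fatigue(text, window=WINDOW, warn=WARN_THRESHOLD, block=BLOCK_THRESHOLD):
    """Map each user to 'warn' or 'block' if their push count in any window crossed a threshold."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    actions = {}
    for ts, user in parse_log(text):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if len(q) >= block:
            actions[user] = "block"
        elif len(q) >= warn and actions.get(user) != "block":
            actions[user] = "warn"
    return actions

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE_LOG))  # → {'alice@example.com': 'block', 'carol@example.com': 'warn'}
```

Bob's three pushes are spread over an hour and never exceed the window, so he is not flagged; shrinking the window or raising the thresholds changes which bursts qualify.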