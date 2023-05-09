Microsoft Authenticator will now enforce number matching for all push notifications to make multi-factor authentication (MFA) less susceptible to social engineering attacks.

High-profile cyber criminals have seen success exploiting MFA fatigue attacks. These involve sending a barrage of MFA push notification requests to organizations’ staff, often at unsociable hours, to manipulate them into authenticating a login attempt just to clear the frustrating notifications.

Number matching involves opening a push notification, launching Microsoft Authenticator, and entering a series of numbers that appear in the app in order to approve the login attempt.

The technique has been around for years and marries the authentication methods of MFA and two-factor authentication (2FA).

These numbers usually reset after a set period, such as 30 seconds, and add a layer of interaction that helps reduce the risk of successful social engineering attacks.

In a typical attack scenario, recipients of the constant notifications are often asleep and wake up to a series of loud alerts from their smartphone.

Half asleep, staff may simply approve the login attempt so they can get back to sleep, and the attack succeeds.

Adding another manual step makes it harder to approve a request quickly and gives the recipient more time to realize that the prompt is being triggered by a bad actor.
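To make the mechanism concrete, the following is an added illustrative model of a server enforcing number matching; it is not Microsoft's code and not from the article. The point it shows is that the challenge number is displayed on the sign-in screen, not inside the push notification, so a person who did not start the sign-in has nothing to type and a "blind" approval is refused. The 30-second lifetime, the two-digit number, the fake clock and all class and function names are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed challenge lifetime; the article only says "such as 30 seconds".
CHALLENGE_TTL_SECONDS = 30


@dataclass
class Challenge:
    session_id: str
    number: int        # shown on the sign-in screen, never in the push
    issued_at: float
    consumed: bool = False


class NumberMatchingMFA:
    """Illustrative server-side model of number-matching push approval (assumption, not Microsoft's code)."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, clock=time.monotonic, rng=secrets.randbelow):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._rng = rng          # injectable so tests can fix the challenge number
        self._challenges = {}
        self.audit = []          # every approval decision, for detection logic below

    def start_login(self, session_id):
        """Called when a sign-in attempt triggers a push. Returns the number to display on the sign-in screen."""
        number = self._rng(100)  # two-digit number 00-99 (assumption about the number size)
        self._challenges[session_id] = Challenge(session_id, number, self._clock())
        return number

    def approve(self, session_id, entered_number):
        """Called when the Authenticator app submits an approval for a session."""
        ch = self._challenges.get(session_id)
        if ch is None or ch.consumed:
            return self._record(session_id, "denied", "no active challenge")
        if self._clock() - ch.issued_at > self._ttl:
            ch.consumed = True
            return self._record(session_id, "denied", "challenge expired")
        if entered_number is None:
            # A plain "Approve" tap with no number is exactly what MFA fatigue relies on; refuse it.
            return self._record(session_id, "denied", "blind approval without number")
        ch.consumed = True  # one attempt per challenge: a wrong guess forces a fresh sign-in
        if entered_number != ch.number:
            return self._record(session_id, "denied", "number mismatch")
        return self._record(session_id, "approved", "number matched")

    def _record(self, session_id, result, reason):
        entry = {"session": session_id, "result": result, "reason": reason}
        self.audit.append(entry)
        return entry


def simulate_fatigue_attack(mfa, attempts):
    """Constructed scenario: an attacker triggers many pushes and a half-asleep user blindly taps approve.
    Returns the number of sign-ins that were actually approved."""
    approved = 0
    for i in range(attempts):
        mfa.start_login(f"attacker-session-{i}")
        if mfa.approve(f"attacker-session-{i}", None)["result"] == "approved":
            approved += 1
    return approved


def looks_like_fatigue_attack(audit, threshold=5):
    """Defender-side check: a burst of denied approvals for different sessions is a fatigue signal."""
    denied_sessions = {e["session"] for e in audit if e["result"] == "denied"}
    return len(denied_sessions) >= threshold


if __name__ == "__main__":
    mfa = NumberMatchingMFA()
    print("sign-ins approved by blind tapping:", simulate_fatigue_attack(mfa, 10))
    print("fatigue pattern detected:", looks_like_fatigue_attack(mfa.audit))
```

Running it shows zero approvals from blind tapping and a flagged burst of denials; the audit trail of "denied: blind approval without number" entries is the kind of signal a SOC can alert on, since a legitimate user who is looking at the sign-in screen does not generate them.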

(Image credit: Microsoft)

“As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests,” said Microsoft in its Active Directory (AD) documentation.

“Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy if Notifications through mobile app is enabled.”

Microsoft said number matching will be applied as standard to a number of different authentication scenarios.

Users attempting a self-service password reset (SSPR) will also have to use MFA number matching to complete the process.

Number matching will also be enforced for combined registration in Azure AD and the AD FS adapter for Windows Server.

Microsoft clarified that users cannot opt out of number matching, but some scenarios do not enforce it, such as MFA Server, which is deprecated. Old versions of Authenticator will no longer work and must be updated.

The AD portal may also still show the setting to enable number matching manually, but Microsoft said that refreshing the browser should be enough to see the update.