Microsoft is rolling out a new security feature that will change the way Microsoft 365 subscribers verify their identities.
Starting February 27, 2023, Microsoft will be implementing changes to increase the security of Multi-Factor Authentication (MFA) push notifications by using “Number Matching.”
What is Number Matching?
Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request.
Why is Microsoft making this change?
In short, cybercriminals have discovered loopholes to bypass traditional MFA checks, so Microsoft is making this change solely due to security concerns.
The long version goes like this. In September 2022, Microsoft warned about the rise in “MFA fatigue attacks,” a technique also known as “MFA push spam,” which occurs when hackers run scripts that attempt to log in repeatedly with stolen credentials. This results in thousands of MFA push requests being sent to the victim’s mobile device. In many cases, the targeted users are so overwhelmed that they click the “Approve” button just to end the flood of notifications.
How does Number Matching mitigate MFA Fatigue?
According to the CSA, number matching requires access to the login screen (not just the mobile device) to approve requests. Users cannot approve a request without entering the number shown on the login screen.
It also discourages prompt spam because each prompt generates a unique number for every login request. Since the user cannot accept a prompt without knowing that number, generating multiple prompts is not effective.
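The mechanism described above, as an added illustration that is not part of the original post or Microsoft’s code: a server-side verifier that issues one fresh random number per sign-in request, refuses a bare “Approve” that carries no number, and burns the request on a wrong entry (class and function names are hypothetical).

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed illustration of the server side of a number-matching push approval.
# Class and method names are hypothetical; this is not Microsoft's implementation.


@dataclass
class PushChallenge:
    request_id: str
    user: str
    number: int        # two-digit value displayed on the login screen
    issued_at: float


class NumberMatchingVerifier:
    """Issues one fresh number per sign-in request and checks the user's entry."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._pending: Dict[str, PushChallenge] = {}

    def issue(self, user: str) -> PushChallenge:
        # Every request gets its own number from a CSPRNG, so a flood of prompts
        # gives the victim nothing they can "just approve" without the screen.
        challenge = PushChallenge(secrets.token_hex(8), user,
                                  secrets.randbelow(100), time.monotonic())
        self._pending[challenge.request_id] = challenge
        return challenge

    def approve(self, request_id: str, entered: Optional[int]) -> str:
        # pop() makes the request single-use whatever the outcome below.
        challenge = self._pending.pop(request_id, None)
        if challenge is None:
            return "denied: unknown or already used request"
        if time.monotonic() - challenge.issued_at > self.ttl:
            return "denied: expired"
        # A bare "Approve" with no number is exactly the MFA-fatigue tap; refuse it.
        # Only 100 values exist, so one wrong entry burns the request instead of
        # allowing retries; otherwise the space would be trivially guessable.
        if entered is None or entered != challenge.number:
            return "denied: number mismatch"
        return "approved"


def blind_approvals(verifier: NumberMatchingVerifier, user: str, prompts: int = 50) -> int:
    """Simulate a victim tapping Approve on every spammed prompt without a number."""
    return sum(verifier.approve(verifier.issue(user).request_id, None) == "approved"
               for _ in range(prompts))
```

Run `blind_approvals(NumberMatchingVerifier(), "alice")` to see that approving a flood of prompts without the on-screen number yields zero successful sign-ins.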
What does Microsoft Authenticator Number Matching look like?
The pictures below show the user’s view of an identity platform login screen that uses number matching.
I’m a Microsoft 365 subscriber, do I need to do anything to prepare?
Microsoft recommends that users update their Authenticator app to the latest version. For iPhone users, this happens automatically. Android users may need to check that their settings allow automatic updates. To read Microsoft’s full summary of how users should prepare, click here.
Does this only apply to Microsoft Authenticator? What if I use a different authentication method?
If you have a different default authentication method, there won’t be any changes to your default sign-in. According to Microsoft, if users’ default method is Microsoft Authenticator and they are members of groups targeted for Push or Any on the Enable and Target tab, they’ll start to receive number matching approval on February 27th, 2023.
Will I still be able to use my Apple Watch Microsoft Authenticator app?
Microsoft Authenticator will no longer work on Apple Watch. This is because watchOS will no longer be compatible with Authenticator security features.