Multifactor authentication (MFA) is an essential element of identity and access management, but it is not fail-proof, especially as attackers increasingly employ social-engineering tactics to bypass MFA controls. To enhance the security of MFA, Microsoft is enforcing "number matching" for all users of its Microsoft Authenticator app.
Previously, the process flow for Microsoft Authenticator displayed a prompt in the app when the user tried to log in. The user tapped the prompt on the secondary device to authorize the transaction. Number matching adds another step by forcing users to have the secondary device and see the login screen on the primary device. Instead of just tapping the prompt, users will now have to enter a number that is displayed on the application's login screen. A person logging into Office 365, for example, would see a message on the original login screen with a numeric code. The person would enter that code into the Authenticator app on their secondary device to approve the transaction. There is no way to opt out of entering the code.
"Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator," Microsoft said in a supporting article. "We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023."
Attacks Are More Prevalent
Number matching was originally introduced in Microsoft Authenticator as an optional feature in October, after attackers started spamming users with MFA push notification requests. Users were granting access to the attackers just to get the spam notifications to stop or by mistake. Number matching is designed to help users avoid accidentally approving false authentication attempts. MFA fatigue – overwhelming users with MFA push notifications requests – has “become more prevalent,” according to Microsoft, which observed almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts last August, compared with 32,442 in 2021. Last year 382,000 attacks employed this tactic, Microsoft said.
It was also recently used in attacks against Uber, Microsoft, and Okta.
Number matching with Authenticator will be used for actions such as password resets, registration, and access to Active Directory. Users will also see additional context, such as the name of the application and the location of the login attempt, to prevent accidental approvals. The idea is that users cannot accept a login attempt if they are not in front of the login screen at that time.
How to Enable Number Matching
While number matching was enabled by default for Microsoft Azure in February, users will see some services start using this feature before others. Microsoft recommends enabling number matching in advance to "ensure consistent behavior." Administrators can enable the setting by navigating to Security - Authentication methods - Microsoft Authenticator in the Azure portal.
- On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups. The Authentication mode for these users and groups should be either Any or Push.
- On the Configure tab for Require number matching for push notifications, change Status to Enabled, choose who to include or exclude from number matching, and click Save.
Administrators can also limit the number of MFA authentication requests allowed per user and lock the accounts or alert the security team when the number is exceeded.
Users should upgrade to the latest version of Microsoft Authenticator on their mobile devices. Number matching does not work for wearables, such as Apple Watch, or other Android devices. Rather, users will have to key in the number via the mobile device.