Microsoft Authenticator is now enforcing number matching

Microsoft Authenticator has introduced number matching to its app, in an attempt to crack down on MFA fatigue attacks.

Number matching adds an extra layer of security to the login process by requiring you to input a digital code when verifying your account, and will now become the default for everyone using the app.

Starting this week, the extra layer of verification has been enabled for all Authenticator push notifications. This means that when verifying your identity, you’ll need to transfer a two-digit code from your secondary to your primary device, preventing login authentication attempts by mistake.

 


If you use a different default authentication method like txt message or phone call, there won't be any change.  If you have Authenticator set as your default, you'll now see the number matching.

Microsoft isn't the only company to bolster its security with number matching. Cybersecurity agencies recommend that all organizations enable the safeguards to prevent MFA fatigue.

 

What exactly is MFA fatigue, and how has it become one of the top cyber concerns for businesses in 2023?

MFA fatigue is a relatively new social engineering strategy that's been deployed by cybercriminals a lot in recent years.

Also known as “MFA spamming” and “MFA bombing,” the action exploits MFA solutions by overwhelming users with a string of requests for sign-in approval, with the ultimate aim of gaining access to the individual's network.

While this technique may seem easy to dismiss, attempts can seem convincing, with hackers also sending out emails posing as IT support in many cases to make these requests seem more valid.

 

Due to the simplicity and high success rate of the attack, the practice has been growing more widespread year after year, with Microsoft attributing 382 000 attacks to MFA fatigue in 2022 alone.

It's not just catching small fish either, with the technique being involved with a series of attacks on large corporations with dedicated security teams like Uber, Microsoft, and Cisco.

Currently, number matching is one of the most effective ways to crack down on MFA fatigue.  The measure helps MFA and 2FA — already two of the most secure authentication methods — become even more safe.

If you want to add extra authentication methods or change your default method, you can update your security info here.

 

Microsoft Rolls Out Number Matching to Bypass MFA Fatigue (tech.co)


Published on 10 May 2023

Orderdate: 10 May 2023
Expiry: 17 May 2025