Microsoft has rolled out ‘number matching’ in push notifications for its multi-factor authentication (MFA) app Microsoft Authenticator.
The new advanced feature is generally available in Microsoft Authenticator and should help counter attacks on MFA that rely on push notification spam.
Researchers earlier this year spotted so-called ‘MFA fatigue attacks’ on Office 365 users, where attackers repeatedly trigger MFA push notifications while trying to log in to a victim’s account with an already compromised password. The attacker hopes at some point the victim is worn down or distracted enough by the notifications to accidentally approve the login attempt.
With number matching enabled, the Authenticator app requires the user to type in the number displayed on the sign-on screen when approving an MFA request rather than just hitting ‘approve’. This is going to be a handy feature for admins whose users have been caught out by this attack on MFA.
For now, admins can enable number matching in Authenticator, but Microsoft plans to make it the default for all Authenticator users in February 2023, according to Alex Weinert, Microsoft’s VP director of identity security.
Admins can also use configure Authenticator to use location context and application context to prevent accidental approvals.
Microsoft has published instructions for configuring number matching, which can be enabled by group or other filters, and notes that number matching isn’t supported on Apple Watch notifications. The admin roll out controls will be removed after number matching becomes the default for the Authenticator app.
Also, now Authenticator on iOS uses App Transport Security (ATS), a security feature Apple introduced in iOS 9 in 2015 to enforce secure connections over the internet. However, ATS needs to be enabled by app developers and researchers in 2019 found that 67% of 30,000 scanned apps had ATS completely disabled.