Microsoft unveils new 2FA security feature that’s less annoying

Microsoft has rolled out a change to its Authenticator app to protect against multi-factor authentication (MFA) fatigue attacks. With number matching, the sign-in screen displays a two-digit number, and instead of simply tapping Approve on the push notification, the user must type that number into the Authenticator prompt on their phone before the login is accepted. Because the number is only visible on the screen where the sign-in is actually taking place, a user who did not initiate the attempt cannot approve it by reflex, no matter how many prompts they receive.

MFA fatigue attacks (also called MFA bombing or push spamming) rely on an attacker who already holds a user's valid credentials triggering push notifications over and over until the user, out of frustration or by mistake, approves one. The technique has been used successfully against large organizations, including Microsoft itself.

Microsoft explains on its Learn site that number matching is a key security upgrade to traditional second-factor notifications in the Authenticator app. Starting May 8, 2023 the company is removing the administrative controls for the feature and enforcing number matching for all users of Authenticator push notifications. The relevant services roll the change out after that date, so for a period some sign-in flows will show number matching while others do not yet. Administrators who do not want to wait can enable it now in the Azure portal under Security > Authentication methods > Microsoft Authenticator.

In that policy an administrator (not the end user) selects the users or groups to target, sets the authentication mode (push, passwordless, or any), and sets the number matching option for push notifications to Enabled. Microsoft also documents how to make the same change through the Microsoft Graph authentication methods policy API, which is the route to take when number matching should be enabled for specific groups in a scripted, repeatable way.
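As an added example (not code from the article or from Microsoft), the following Python builds the Graph PATCH body for the Microsoft Authenticator authentication method configuration and includes a small audit helper that answers, for a given policy document and a user's group memberships, whether the tenant policy requires number matching for that user. The JSON shape follows Microsoft's documented `featureSettings.numberMatchingRequiredState` setting; the group identifiers, the break-glass exclusion and the helper names are assumptions for illustration.

```python
import json

# Group identifiers below are made up for this example.
ALL_USERS = "all_users"                                     # Graph's built-in 'everyone' target
BREAK_GLASS_GROUP = "99999999-8888-7777-6666-555555555555"  # assumed emergency-access group
HELPDESK_GROUP = "11111111-2222-3333-4444-555555555555"     # assumed ordinary group

GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/MicrosoftAuthenticator")


def build_number_matching_patch(include_group_id=ALL_USERS, exclude_group_id=None):
    """Return the PATCH body that turns on 'Require number matching for push
    notifications' for the include target, optionally excluding one group.

    The shape mirrors Microsoft's documented featureSettings.numberMatchingRequiredState
    object; exclusions take precedence over inclusions, as in the portal."""
    state = {
        "state": "enabled",
        "includeTarget": {"targetType": "group", "id": include_group_id},
    }
    if exclude_group_id is not None:
        state["excludeTarget"] = {"targetType": "group", "id": exclude_group_id}
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "id": "MicrosoftAuthenticator",
        "state": "enabled",
        "featureSettings": {"numberMatchingRequiredState": state},
    }


def number_matching_required_for(policy, user_groups):
    """Audit helper: given the configuration document (the same shape Graph returns
    on GET) and the set of group IDs a user belongs to, report whether the tenant
    policy explicitly requires number matching for that user.

    Returns (required, reason). A 'default' state means the tenant never set the
    option itself; after Microsoft's May 8, 2023 enforcement that still yields
    number matching, but this helper only reports what the tenant configured."""
    if policy.get("state") != "enabled":
        return False, "Microsoft Authenticator method is disabled in the tenant policy"
    setting = policy.get("featureSettings", {}).get("numberMatchingRequiredState", {})
    state = setting.get("state", "default")
    if state == "disabled":
        return False, "numberMatchingRequiredState is disabled"
    if state == "default":
        return False, "not set by the tenant (relies on Microsoft's enforcement)"
    exclude_id = setting.get("excludeTarget", {}).get("id")
    if exclude_id is not None and exclude_id in user_groups:
        return False, f"user is in excluded group {exclude_id}"
    include_id = setting.get("includeTarget", {}).get("id")
    if include_id == ALL_USERS or include_id in user_groups:
        return True, f"user is covered by include target {include_id}"
    return False, f"user is not in include target {include_id}"


if __name__ == "__main__":
    body = build_number_matching_patch(ALL_USERS, BREAK_GLASS_GROUP)
    # Send with a token holding Policy.ReadWrite.AuthenticationMethod, e.g.:
    #   curl -X PATCH "$GRAPH_URL" -H "Authorization: Bearer $TOKEN" \
    #        -H "Content-Type: application/json" -d @body.json
    print(json.dumps(body, indent=2))
    print(number_matching_required_for(body, {HELPDESK_GROUP}))
    print(number_matching_required_for(body, {BREAK_GLASS_GROUP}))
```

The audit helper is the part worth keeping around: run it against the GET response for every privileged account after a policy change, and treat any `(False, ...)` result for a human account as a finding. Excluding a break-glass group is a common pattern but widens the window for exactly the attack the feature is meant to stop, so keep that group tiny and monitor its sign-ins separately.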

Note that the change does not affect users whose default sign-in method is something other than Authenticator push (SMS or a hardware token, for example). Only users whose default method is Microsoft Authenticator, and who fall within the policy's target criteria, see the number matching approval flow after May 8, 2023.

Number matching stops a user from approving a prompt blindly, but it does not stop an attacker who holds valid credentials from generating prompts in the first place. Organizations can add defence in depth: limit how many MFA requests a user can receive in a given period, alert administrators when a burst of denied or unanswered prompts is seen, and lock or force re-verification of accounts that exceed the limit. Because the attacker already has the password in this scenario, a burst of MFA denials is itself strong evidence that the password is compromised and should be reset.
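The following detection is an added example, not code from the article or from Microsoft. It runs a sliding-window count of MFA failures per user over sign-in records and raises an alert when the count crosses a threshold, flagging the worst case where a successful sign-in follows the burst. The records are constructed for the example and are modelled on the Microsoft Entra ID sign-in log fields (`userPrincipalName`, `createdDateTime`, `ipAddress`, `status.errorCode`); error code 500121 is the code the log records when the strong-authentication step fails, which includes a user declining or ignoring an Authenticator push. Users, timestamps, addresses, the threshold and the window size are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Entra sign-in logs record 500121 when the strong-authentication step fails,
# including "MFA denied; user did not respond to mobile app notification".
MFA_FAILURE_CODE = 500121
DENIED = "MFA denied; user did not respond to mobile app notification"


def _signin(upn, ts, code, ip="203.0.113.7", reason=""):
    """Build one constructed sign-in record in the shape of the Entra log fields used here."""
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "status": {"errorCode": code, "failureReason": reason}}


# Constructed sample: alice receives five pushes she does not answer in under
# three minutes and then one is approved; bob ignores one push and then signs in.
SAMPLE_SIGNINS = [
    _signin("alice@example.com", "2023-05-09T08:00:05Z", MFA_FAILURE_CODE, reason=DENIED),
    _signin("bob@example.com", "2023-05-09T08:00:30Z", MFA_FAILURE_CODE, ip="198.51.100.2", reason=DENIED),
    _signin("alice@example.com", "2023-05-09T08:00:41Z", MFA_FAILURE_CODE, reason=DENIED),
    _signin("alice@example.com", "2023-05-09T08:01:20Z", MFA_FAILURE_CODE, reason=DENIED),
    _signin("bob@example.com", "2023-05-09T08:01:45Z", 0, ip="198.51.100.2"),
    _signin("alice@example.com", "2023-05-09T08:02:03Z", MFA_FAILURE_CODE, reason=DENIED),
    _signin("alice@example.com", "2023-05-09T08:02:47Z", MFA_FAILURE_CODE, reason=DENIED),
    _signin("alice@example.com", "2023-05-09T08:03:30Z", 0),  # the attacker finally got an approval
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(records, threshold=5, window_minutes=10):
    """Flag users who accumulate `threshold` MFA failures inside any sliding window
    of `window_minutes`, and mark whether a successful sign-in followed the burst
    (the outcome a fatigue attacker is hoping for). Returns a list of alert dicts."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for upn, events in by_user.items():
        recent = deque()  # (timestamp, ip) of failures still inside the window
        alert = None
        for ev in events:
            when = _parse(ev["createdDateTime"])
            code = ev["status"]["errorCode"]
            if code == MFA_FAILURE_CODE:
                recent.append((when, ev["ipAddress"]))
                while recent and when - recent[0][0] > window:
                    recent.popleft()
                if alert is None:
                    if len(recent) >= threshold:
                        alert = {
                            "user": upn,
                            "failures": len(recent),
                            "first_seen": recent[0][0].isoformat(),
                            "last_seen": when.isoformat(),
                            "source_ips": sorted({ip for _, ip in recent}),
                            "approved_after_burst": False,
                        }
                        alerts.append(alert)
                else:
                    alert["failures"] += 1
                    alert["last_seen"] = when.isoformat()
                    alert["source_ips"] = sorted(set(alert["source_ips"]) | {ev["ipAddress"]})
            elif code == 0 and alert is not None:
                # A success right after a burst of denials is the worst case: treat
                # the password as compromised and the new session as suspect.
                alert["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

The same logic translates directly into a scheduled query over the sign-in log: group by user, count 500121 results in a short window, and join to any success that follows. Bob's single ignored push is the normal noise this rule must tolerate, which is why the threshold and window are the two knobs to tune against your own baseline rather than fixed values.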

Microsoft's update to the Authenticator app is part of a broader effort to harden user accounts against evolving attack techniques. By requiring the user to prove they are looking at the sign-in screen rather than simply tapping Approve, the company aims to take the easy win away from MFA fatigue attacks and protect the sensitive data behind those accounts.