Microsoft is now enforcing changes to increase the security of Multi-Factor Authentication (MFA) push notifications. This is called Authenticator Number Matching for MFA.
What is Number matching for MFA?
Number matching is a key security upgrade to traditional MFA push notifications. Instead of simply tapping “Approve”, the sign-in screen shows an auto-generated number that you must type into the Authenticator app on your device. This ties the approval to the specific login attempt and prevents MFA fatigue attacks.
What are MFA fatigue attacks?
Also known as “MFA push spam”, this occurs when attackers run scripts that repeatedly attempt to log in with stolen credentials. The result is thousands of MFA push requests being sent to the victim’s mobile device. In many cases the targeted victim is so overwhelmed that they tap “Approve” just to end the flood of notifications.
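The pattern described above is visible in sign-in logs as a burst of push notifications to one user in a short window, often ending in a single approval. The following is an added example, not part of the original notice, that runs a simple sliding-window detector over constructed sample log lines; the log format, field names and the threshold are assumptions, not the format of any particular product's sign-in log.

```python
"""Flag MFA push-fatigue bursts in sign-in logs (added example, assumed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<timestamp> <user> <event>".
# "push_sent" = an MFA push was sent, "approved" = the user approved a push.
# alice receives ten pushes in about two minutes and then approves one (the
# fatigue pattern); bob and carol show ordinary one-push sign-ins.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice@example.com push_sent
2024-05-01T08:00:14Z alice@example.com push_sent
2024-05-01T08:00:29Z alice@example.com push_sent
2024-05-01T08:00:45Z alice@example.com push_sent
2024-05-01T08:01:02Z alice@example.com push_sent
2024-05-01T08:01:17Z alice@example.com push_sent
2024-05-01T08:01:31Z alice@example.com push_sent
2024-05-01T08:01:48Z alice@example.com push_sent
2024-05-01T08:02:03Z alice@example.com push_sent
2024-05-01T08:02:20Z alice@example.com push_sent
2024-05-01T08:02:21Z alice@example.com approved
2024-05-01T08:05:00Z bob@example.com push_sent
2024-05-01T08:05:06Z bob@example.com approved
2024-05-01T09:00:00Z carol@example.com push_sent
2024-05-01T09:00:05Z carol@example.com approved
2024-05-01T13:30:00Z carol@example.com push_sent
2024-05-01T13:30:04Z carol@example.com approved
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, user, event))
    return records


def push_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Return users who received >= threshold pushes inside any `window`.

    For each flagged user the value records the largest number of pushes seen
    in one window and whether an approval followed the start of that burst,
    which is the outcome the attack is trying to produce.
    """
    pushes = defaultdict(list)
    approvals = defaultdict(list)
    for when, user, event in records:
        if event == "push_sent":
            pushes[user].append(when)
        elif event == "approved":
            approvals[user].append(when)

    flagged = {}
    for user, times in pushes.items():
        times.sort()
        start = 0
        best = 0
        burst_start = None
        # Two-pointer sliding window over the sorted push timestamps.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                burst_start = times[start]
        if best >= threshold:
            approved_after = any(a >= burst_start for a in approvals[user])
            flagged[user] = {"pushes": best, "approved_after": approved_after}
    return flagged


if __name__ == "__main__":
    for user, info in push_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['pushes']} pushes in window, approved after burst: {info['approved_after']}")
```

The threshold and window are starting points; tune them against your own sign-in volume so that a user retrying a flaky connection is not flagged alongside a real flood.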
What does this mean for you?
If you use Microsoft Authenticator to sign into Office 365 and are prompted for MFA, you will see a two-digit number on your screen. Type that number into the Authenticator app to complete the authentication process.
How can Number Matching help?
This more secure method of authentication protects you from mistakenly tapping “Approve” on an MFA push notification and giving an attacker access to your account.
What needs to be done by you?
Be sure you are using a supported version of Microsoft Authenticator to sign in. Older versions of Microsoft Authenticator do not support number matching and will not work. On Android devices, the minimum version required is 6.2006.4198. On iOS devices, the minimum version is 6.4.12. Number matching is not supported for Apple Watch notifications; Apple Watch users will need to use their phone to approve notifications when number matching is enabled. At this time there is no ETA for number matching support on Apple Watch.
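When checking installed versions against the minimums above, compare them numerically rather than as strings: as text, "6.4.9" sorts after "6.4.12" and would wrongly pass. The following added example (not from the original notice) parses dotted versions into integer tuples for the comparison; the platform names are assumptions chosen for the example.

```python
"""Check whether an installed Microsoft Authenticator build meets the number-matching minimum."""

# Minimum versions stated in the notice above, keyed by assumed platform names.
MIN_VERSION = {
    "android": "6.2006.4198",
    "ios": "6.4.12",
}


def parse_version(version):
    """Turn '6.4.12' into (6, 4, 12) so components compare as integers."""
    return tuple(int(part) for part in version.strip().split("."))


def supports_number_matching(platform, installed):
    """Return True if `installed` is at or above the minimum for `platform`.

    Platforms without a stated minimum (e.g. watchOS, where number matching is
    not supported) return False rather than raising.
    """
    minimum = MIN_VERSION.get(platform.lower())
    if minimum is None:
        return False
    return parse_version(installed) >= parse_version(minimum)


def string_compare_is_wrong(installed, minimum):
    """Illustrate the pitfall: plain string comparison of dotted versions."""
    return installed >= minimum


if __name__ == "__main__":
    for platform, version in [("android", "6.2006.4198"), ("ios", "6.4.9"), ("watchos", "9.0")]:
        print(platform, version, supports_number_matching(platform, version))
```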
- For information on MFA, visit cisa.gov/mfa
- Cybersecurity and Infrastructure Security Agency (CISA) - CISA Fact Sheets