Microsoft Authenticator Features Can Address 'MFA Fatigue Attacks'

Microsoft is urging organizations using the Microsoft Authenticator app to activate additional security functionality to protect against possible "multifactor authentication fatigue attacks," according to a Wednesday announcement.

The Microsoft Authenticator app is used to add two-factor identity verification to Android and iOS devices, such as requiring a password and a personal identification number (PIN) to gain access to apps and resources. To meet the current threat landscape, organizations should turn on the number matching and additional context features for Microsoft Authenticator.

Organizations should also automate password changes for at-risk users, Microsoft advised. However, this latter option depends on organizations having certain Azure Active Directory licensing.

"Depending on your Azure AD licensing, you can configure risk-based Conditional Access policies to automatically prompt such users to change their password the next time they sign in," explained Alex Weinert, director of identity security at Microsoft, in the announcement.

Previews of the number matching and additional context features were released back in November, and they are still at that release stage. Microsoft is planning to require number matching for use with the Microsoft Authenticator app when the number matching feature reaches the "general availability" commercial-release stage. That general availability date, though, wasn't described.

Number matching, even at preview, is currently being used daily by "almost 10K enterprises," Weinert noted.

A multifactor authentication (MFA) fatigue attack is a way for an external attacker to gain network access after having obtained a user's password. Two-factor authentication may block the attacker from using that password on its own, but the attacker can repeat the sign-in attempts until the victim, worn down by the stream of prompts, finally approves one. At that point, the attacker has access.

These repeated notifications arrive via MFA applications, explained managed security service provider GoSecure, in this February blog post about Office 365 attacks. GoSecure labeled this attack method as "push notification spamming."

Microsoft's phrase for these approval screens that end users see is "simple approvals." Users are presented with an approval screen, and a small number of them will always just click through, per Microsoft's research. Microsoft wants organizations to use the number matching and additional context features to add safeguards against such user actions.

Here's how Microsoft characterized the problem:

Our studies show that about 1% of users will accept a simple approval request on the first try. That's why it's critical to ensure that users must enter information from the login screen and that they have more context and protection. We track these attacks across our ecosystem, and it's very clear they are on the rise -- with push notifications, voice approvals and SMS as the top culprits.

With the number matching feature turned on, users must enter a two-digit number to approve the access request.

"If the user didn't initiate the sign-in, they won't know the two-digit code, thereby requiring the bad actor to share the two-digit code in a separate channel, which the user shouldn't accept," Weinert explained.

The additional context feature adds protections by showing the app used for the request and the location of the access requester's IP address, which is accompanied by a map image.
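To make the difference between simple approval and number matching concrete, here is a small Python model of the push flow, added for this article; it is a constructed illustration, not Microsoft's implementation, and the class names, the 60-second lifetime and the sample app/location values are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PushChallenge:
    """One pending sign-in push (constructed model, not Microsoft's code)."""
    app: str                   # additional context: which app is requesting sign-in
    ip_location: str           # additional context: location of the requester's IP
    number_matching: bool      # admin-enabled feature; False means simple approval
    number: int = field(default_factory=lambda: secrets.randbelow(100))
    created: float = field(default_factory=time.monotonic)
    consumed: bool = False
    TTL = 60.0                 # assumed: seconds a push stays answerable

    def sign_in_screen(self) -> Dict[str, str]:
        """What the login page shows; only the session that signed in sees it."""
        return {"number": f"{self.number:02d}"} if self.number_matching else {}

    def app_prompt(self) -> Dict[str, str]:
        """What the Authenticator app shows the user (additional context + action)."""
        action = ("Enter the two-digit number from the sign-in screen"
                  if self.number_matching else "Approve / Deny")
        return {"app": self.app, "location": self.ip_location, "action": action}

    def respond(self, approve: bool, entered: Optional[str] = None) -> bool:
        """Resolve the push: one answer only, and only while it is fresh."""
        if self.consumed or time.monotonic() - self.created > self.TTL:
            return False
        self.consumed = True
        if not approve:
            return False
        if not self.number_matching:
            return True                          # simple approval: any tap approves
        return entered == f"{self.number:02d}"   # must match the sign-in screen


def legitimate_approve(challenge: PushChallenge) -> bool:
    """The real user signed in, reads the number from their own screen and enters it."""
    return challenge.respond(True, challenge.sign_in_screen().get("number"))


def blind_approve(challenge: PushChallenge) -> bool:
    """A fatigued user taps Approve on a push they never initiated. They never saw
    the sign-in screen, so under number matching they can only guess the number."""
    guess = f"{secrets.randbelow(100):02d}" if challenge.number_matching else None
    return challenge.respond(True, guess)
```

Running `blind_approve` repeatedly shows the point of the feature: with simple approval every blind tap grants access, while with number matching a blind tap succeeds only on a 1-in-100 guess and each push is consumed after a single answer.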

The number matching and additional context features for the Microsoft Authenticator app "will soon be GA," Weinert stated, without offering any specifics. He also promised that more enhancements will be coming later to bolster the Microsoft Authenticator app.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
