Microsoft Releases System-Preferred Multifactor Authentication -- Redmondmag.com

Microsoft Releases System-Preferred Multifactor Authentication

By Kurt Mackie
05/16/2023

Microsoft on Tuesday announced the commercial release ("general availability") of system-preferred multifactor authentication (MFA).

System-preferred MFA will suggest using the most secure authentication methods that are available to end users. For instance, if users can secondarily affirm their identities by either answering an automated phone call or using the Microsoft Authenticator app with number confirmation, then end users will be prompted to choose the latter option.

The number matching scheme in Microsoft Authenticator is designed to avoid so-called "MFA fatigue," which can happen when an attacker, knowing a person's password, bombards the victim with MFA confirmation requests until they OK it, defeating the secondary authentication protection method. Last year, Microsoft indicated that it would make number matching the default for all Microsoft Authenticator users after Feb. 27, 2023.

Users continue to have MFA authentication options when system-preferred MFA is turned on.

"The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered," Microsoft explained in this document.

Microsoft considers system-preferred MFA to be a "key security upgrade to traditional second factor notifications," and recommends that organizations enable it. System-preferred MFA will eventually become a default for organizations, but the timing is still kind of murky.

While system-preferred MFA is now at general availability, it was first introduced at the disabled state back in April, according to Microsoft's announcement. Microsoft will turn on system-preferred MFA at some point for all organizations and is planning to notify them on the timeline sometime in June.

Organizations can also enable system-preferred MFA now, which is what Microsoft is recommending. Microsoft's document described how to enable it via either the Azure Portal or via Graph APIs.

The document included an odd caveat for organizations wanting to enable system-preferred MFA. It currently may have "an issue" with FIDO2 security keys on mobile devices and certificate-based authentication, which are two superior MFA schemes.

The system-preferred MFA dynamically ascertains the most secure authentication method, and it'll be "updated as the security landscape changes," the document explained. The top MFA methods, per the document, include:

There's no effect on the preferred authentication methods offered to end users when system-preferred MFA gets used with Active Directory Federation Services or the Network Policy Server extension, the document noted.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.