Microsoft Authenticator Number Matching Security Feature Released and Coming by Default Next Year
The Microsoft Authenticator app now has a number-matching security feature at the "general availability" (GA) commercial release stage, Microsoft announced on Tuesday.
Additionally, Microsoft improved Microsoft Authenticator management via new "Admin UX and Admin APIs," which are also at GA. As part of those management features, IT pros are getting the "highly requested capability to exclude groups from features to assist with smoother feature rollouts," the announcement indicated.
The number-matching feature will be become the default for all organizations using Microsoft Authenticator after "February 27, 2023," according to a Microsoft FAQ section on the topic.
Organizations can opt out from using number matching if the opt-out should get set before that date. However, when number matching becomes the default, "users can't opt out of number matching in Microsoft Authenticator push notifications," the FAQ clarified.
The Microsoft Authenticator app offers a two-factor authentication scheme for mobile device users. Typically, the secondary verification happens via SMS push notifications or automated phone call verifications. However, the number-matching security protection won't be available on Apple Watch devices. "We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone," Microsoft's FAQ indicated.
The number-matching feature is a safeguard against "accidental approvals" by users, as well as "MFA fatigue" attacks.
Microsoft has found that about one percent of users will always click on something, such as a push notification. These people are the so-called accidental approval users.
MFA fatigue, on the other hand, is a tactic by attackers after they've obtained a user's password. The attackers are still blocked by the secondary authentication method, so they just send second-factor authentication approval requests repeatedly to the victim until one of them gets used. The number-matching security feature somewhat defeats MFA fatigue attacks by making the end user explicitly enter a two-digit number to approve the access request.
Another safeguard offered on the Microsoft Authenticator app is the "additional context" feature. With additional context enabled, the app requesting the sign-in credentials is identified, as well as the location of the requester. This security feature is apparently already at the GA stage. Microsoft released a "GPS Location" capability to Microsoft Authenticator back in November, which perhaps is the same feature.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.