Microsoft Releases System-Preferred Multifactor Authentication

Microsoft on Tuesday announced the commercial release ("general availability") of system-preferred multifactor authentication (MFA).

System-preferred MFA will suggest using the most secure authentication methods that are available to end users. For instance, if users can secondarily affirm their identities by either answering an automated phone call or using the Microsoft Authenticator app with number confirmation, then end users will be prompted to choose the latter option.

The number matching scheme in Microsoft Authenticator is designed to avoid so-called "MFA fatigue," which can happen when an attacker who already knows a person's password bombards the victim with MFA confirmation requests until the victim approves one, defeating the second-factor protection. Last year, Microsoft indicated that it would make number matching the default for all Microsoft Authenticator users after Feb. 27, 2023.

Users continue to have MFA authentication options when system-preferred MFA is turned on.

"The user can still choose to sign in by using another method, but they're first prompted to try the most secure method they registered," Microsoft explained in this document.

Microsoft considers system-preferred MFA to be a "key security upgrade to traditional second factor notifications," and recommends that organizations enable it. System-preferred MFA will eventually become a default for organizations, but the timing remains unclear.

While system-preferred MFA is now at general availability, it was first introduced in a disabled state back in April, according to Microsoft's announcement. Microsoft will turn on system-preferred MFA at some point for all organizations and is planning to notify them of the timeline sometime in June.

Organizations can also enable system-preferred MFA now, which is what Microsoft is recommending. Microsoft's document describes how to enable it through either the Azure Portal or the Graph APIs.

The document included an odd caveat for organizations wanting to enable system-preferred MFA. It currently may have "an issue" with FIDO2 security keys on mobile devices and certificate-based authentication, which are two superior MFA schemes.

System-preferred MFA dynamically determines the most secure authentication method, and the ranking will be "updated as the security landscape changes," the document explained. The top MFA methods, per the document, are ranked as follows:

  1. Temporary Access Pass
  2. Certificate-based authentication
  3. FIDO2 security key
  4. Microsoft Authenticator push notifications
  5. Time-based one-time password (TOTP)
  6. Telephony
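To make the ranking concrete, here is an added example (not Microsoft's code or documentation) that an identity engineer might use before a rollout: it previews which method each user would be prompted for first, given the methods they have registered, flags users whose first prompt falls under the FIDO2/certificate-based caveat mentioned above, and assembles the Graph request body that scopes system-preferred MFA to a pilot group. The method labels, user names and group ids are constructed for the example; the Graph endpoint and the `systemCredentialPreferences` body shape are assumptions about the authenticationMethodsPolicy resource and should be checked against current Graph documentation before use.

```python
"""Preview system-preferred MFA prompts and build the Graph enable request.

Added example, not Microsoft's code. The ranking below is the order given in
Microsoft's document and is described there as subject to change. The Graph
endpoint and body shape are assumptions to verify against current docs.
"""
import json

# Most secure first, as listed in Microsoft's document. The labels are used
# only in this example; they are not Graph enum values.
PREFERENCE_ORDER = [
    "temporaryAccessPass",
    "certificateBasedAuthentication",
    "fido2",
    "microsoftAuthenticatorPush",
    "softwareOath",   # TOTP
    "telephony",      # SMS / voice call
]
RANK = {method: i for i, method in enumerate(PREFERENCE_ORDER)}

# Methods the document flags as having a known issue with system-preferred
# MFA (FIDO2 keys on mobile devices, certificate-based authentication).
CAVEAT_METHODS = {"certificateBasedAuthentication", "fido2"}


def preferred_method(registered):
    """Return the most secure registered method, or None if none is usable.

    Unknown labels are ignored rather than guessed at, matching the rule
    "prompt for the most secure method the user registered".
    """
    usable = [m for m in registered if m in RANK]
    if not usable:
        return None
    return min(usable, key=RANK.__getitem__)


def preview_prompts(users):
    """Map each user to the first prompt they would see, the remaining
    methods they could still fall back to, and a caveat flag."""
    out = {}
    for upn, methods in users.items():
        chosen = preferred_method(methods)
        fallbacks = [m for m in methods if m in RANK and m != chosen]
        out[upn] = {
            "prompt": chosen,
            "fallbacks": sorted(fallbacks, key=RANK.__getitem__),
            "caveat": chosen in CAVEAT_METHODS,
        }
    return out


def build_enable_request(group_ids, exclude_group_ids=()):
    """Assemble the PATCH request that turns system-preferred MFA on for the
    given groups (assumed endpoint and body shape; verify before use)."""
    body = {
        "systemCredentialPreferences": {
            "state": "enabled",
            "includeTargets": [{"id": g, "targetType": "group"} for g in group_ids],
            "excludeTargets": [{"id": g, "targetType": "group"} for g in exclude_group_ids],
        }
    }
    return {
        "method": "PATCH",
        "url": "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy",
        "body": body,
    }


# Constructed sample: registered methods per user (not real accounts).
SAMPLE_USERS = {
    "alice@contoso.example": ["telephony", "microsoftAuthenticatorPush"],
    "bob@contoso.example": ["softwareOath", "fido2", "telephony"],
    "carol@contoso.example": ["telephony"],
    "dave@contoso.example": [],
}

if __name__ == "__main__":
    for upn, info in preview_prompts(SAMPLE_USERS).items():
        note = "  <-- documented caveat, pilot carefully" if info["caveat"] else ""
        print(f"{upn}: prompt={info['prompt']} fallbacks={info['fallbacks']}{note}")
    # Placeholder group ids; substitute real object ids from the tenant.
    req = build_enable_request(["<PILOT-GROUP-ID>"], exclude_group_ids=["<BREAK-GLASS-GROUP-ID>"])
    print(json.dumps(req, indent=2))
```

Running the script lists, per sample user, the method they would be prompted for first and the methods they could still pick instead, then prints the request body for a pilot that excludes a break-glass group; users with no usable method (dave) show `None`, which is the population to register before enabling the setting broadly.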

There's no effect on the preferred authentication methods offered to end users when system-preferred MFA gets used with Active Directory Federation Services or the Network Policy Server extension, the document noted.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
