When receiving a push notification from Microsoft Authenticator on their secondary device, such as a smartphone, to verify a login attempt, users will now have to input a two-digit code shown on the primary device. This means that they cannot accept a login attempt unless they can actually see the login screen.
In MFA fatigue attacks, the attacker hopes that users, bombarded with push notifications, will eventually approve one blindly just to make them stop, or by mistake after being worn down. This method has been quite successful in penetrating large corporations - including Microsoft itself - once hackers have stolen a worker's initial login credentials.
Rolling out now
On the company's Learn website, Microsoft explained that, "Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023."
It also said that various services will be adopting this change, and that some services may show number matching while others won't yet. But before Microsoft removes the admin controls, users can manually make the switch by navigating to Security > Authentication methods > Microsoft Authenticator in the Azure portal.
Then, under Enable and Target, you can choose which users it will apply to, by setting the Authentication mode to Any or Push. Under the Configure tab, you'll see Require number matching for push notifications. Change the status to Enable and choose who it applies to, then click Save.
Microsoft also explains how you can use Graph APIs to enable the new number matching feature for certain groups.
The company also noted that, "If the user has a different default authentication method, there won't be any change to their default sign-in."
"If the default method is Microsoft Authenticator and the user is specified in either of the following policies, they'll start to receive number matching approval after May 8th, 2023."
Further security measures can be taken to prevent MFA fatigue attacks by restricting the number of authentication requests a user can receive, alerting admins, or locking accounts if that number is exceeded.
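As an added illustration of that last point (example code, not from the article or from Microsoft), here is a small detector that runs over constructed, simplified sign-in events, counts unapproved push prompts per user inside a sliding window, recommends alerting an admin once a threshold is hit, and escalates to locking the account when an approval follows the burst. The event format, field names, result values and thresholds are all assumptions, not Azure AD's actual log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified sign-in events (NOT real Azure AD log data). The
# "result" field stands in for the outcome of one push-based MFA prompt.
SAMPLE_EVENTS = [
    {"time": "2023-05-08T09:00:05Z", "user": "alice@example.test", "result": "denied"},
    {"time": "2023-05-08T09:00:40Z", "user": "alice@example.test", "result": "timeout"},
    {"time": "2023-05-08T09:01:15Z", "user": "alice@example.test", "result": "denied"},
    {"time": "2023-05-08T09:05:00Z", "user": "bob@example.test", "result": "denied"},
    {"time": "2023-05-08T09:01:50Z", "user": "alice@example.test", "result": "denied"},
    {"time": "2023-05-08T09:02:30Z", "user": "alice@example.test", "result": "timeout"},
    {"time": "2023-05-08T09:03:10Z", "user": "alice@example.test", "result": "denied"},
    {"time": "2023-05-08T09:03:45Z", "user": "alice@example.test", "result": "approved"},
    {"time": "2023-05-08T09:30:00Z", "user": "bob@example.test", "result": "approved"},
    # carol: occasional denials spread over hours, never a burst inside one window
    {"time": "2023-05-08T08:00:00Z", "user": "carol@example.test", "result": "denied"},
    {"time": "2023-05-08T08:30:00Z", "user": "carol@example.test", "result": "denied"},
    {"time": "2023-05-08T09:00:00Z", "user": "carol@example.test", "result": "denied"},
]

UNAPPROVED = {"denied", "timeout"}  # prompts the user did not accept

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more unapproved pushes inside any sliding
    `window`. First hit recommends alerting an admin; an approval arriving while
    the burst is still inside the window escalates to locking the account."""
    alerts = {}
    recent = defaultdict(deque)  # per-user timestamps of unapproved prompts
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        user, now = ev["user"], parse_time(ev["time"])
        queue = recent[user]
        if ev["result"] in UNAPPROVED:
            queue.append(now)
            while now - queue[0] > window:  # drop prompts older than the window
                queue.popleft()
            if len(queue) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "unapproved": 0,
                    "first": queue[0], "approved_after_burst": False, "action": "alert_admin"})
                alert["unapproved"] = max(alert["unapproved"], len(queue))
        elif ev["result"] == "approved" and user in alerts and queue \
                and now - queue[-1] <= window:
            alerts[user]["approved_after_burst"] = True
            alerts[user]["action"] = "lock_account"
    return list(alerts.values())
```

Calling `detect_mfa_fatigue(SAMPLE_EVENTS)` returns a single alert for alice (six unapproved prompts followed by an approval, so the recommended action is `lock_account`); bob and carol never reach the threshold inside one window.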
Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers.
His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.
He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.