ZDNET reports that the Microsoft Authenticator multi-factor authentication app has been updated to include "number matching" in push notifications in a bid to better avert push notification spam-based MFA attacks.
With number matching, users must enter the number displayed on the sign-on screen to approve an MFA request, rather than simply clicking "approve" as in the old process. Admins could already activate number matching in Authenticator, and they could also curb accidental MFA approvals by including location and application context in Authenticator configurations.
However, the feature will be on by default by February 2023, said Microsoft Vice President Director of Identity Security Alex Weinert.
Microsoft has also published number matching configuration instructions and noted that Apple Watch notifications do not support the new feature.
In addition, controls initially given to admins will be removed once the feature becomes default. Microsoft has also begun using App Transport Security for Authenticator on iOS.
Identity, Vulnerability Management, Application security
Spam attack-combating feature added to Microsoft Authenticator