
Microsoft enables number matching for all Authenticator push notifications


Microsoft enabled number matching for all Authenticator push notifications for relevant services to users worldwide on May 8.

When a user requests multi-factor authentication, Microsoft will present the user with a number via the mobile application to use to complete the approval process.

Number matching with Authenticator will come into play for services such as password resets, combined registration, and AD FS adapter for supported versions of Windows Server. Number matching does not work for Apple Watch or wearable Android products, so users will have to use a mobile app to enter the number.

Microsoft announced in February that number matching via Authenticator was enabled by default for Microsoft Azure and that it would begin enforcing it in May.

In its February announcement, Microsoft said it was enabling number matching to make Authenticator more secure, especially against MFA fatigue attacks.

Such attacks are social-engineering techniques that bad actors adopt to gain access to someone’s account: they bombard a user with push notifications to their mobile device until the user approves the request by accident or out of annoyance with the frequency of notifications, according to an overview of number matching by the U.S. Cybersecurity and Infrastructure Agency. For the technique, which is also known as “push bombing,” to work, threat actors must have the user’s password. […] phishing-resistant MFA, it is one of the best interim mitigations for organizations that may not immediately be able to implement phishing-resistant MFA.

MFA fatigue and other techniques for bypassing multi-factor authentication have been successful in attacks against Uber, Microsoft and Okta.
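One way a defender might look for the push-bombing pattern described above in sign-in telemetry, as an added example that is not from the article or from Microsoft. The event tuple layout, result names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (ISO timestamp, user, push result).
# The "approved" / "denied" / "timeout" result names are assumed for illustration.
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", "alice", "approved"),  # ordinary single sign-in
    ("2024-01-15T02:10:00", "bob", "denied"),      # burst of unapproved pushes...
    ("2024-01-15T02:10:40", "bob", "timeout"),
    ("2024-01-15T02:11:15", "bob", "denied"),
    ("2024-01-15T02:12:05", "bob", "timeout"),
    ("2024-01-15T02:12:30", "bob", "approved"),    # ...then the user gives in
    ("2024-01-15T08:00:00", "carol", "denied"),    # isolated denials, hours apart
    ("2024-01-15T12:00:00", "carol", "denied"),
    ("2024-01-15T12:01:00", "carol", "approved"),
]


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag bursts of unapproved MFA pushes and approvals that follow a burst.

    "burst": a user reached `threshold` unapproved pushes inside `window`.
    Because push bombing requires the password, this also suggests the
    password is compromised. "approved_after_burst": an approval arrived
    while such a burst was still inside the window.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = []
    for ts_text, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_text)
        pending = recent[user]
        while pending and ts - pending[0] > window:
            pending.popleft()  # drop pushes that fell out of the window
        if result == "approved":
            if len(pending) >= threshold:
                alerts.append(("approved_after_burst", user, ts_text, len(pending)))
            pending.clear()
        else:  # denied or timed out: the user did not approve the prompt
            pending.append(ts)
            if len(pending) == threshold:
                alerts.append(("burst", user, ts_text, len(pending)))
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An "approved_after_burst" alert is the case to treat as a likely account takeover: revoke the session and reset the password.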

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.