MFA has shown in the past that its is exploitable. In August of 2022, Microsoft email users, even those with MFA on, were falling to a new phishing attack. Only a couple of weeks later, there were reports of hackers bypassing MFA and brute forcing passwords. Then there's also MFA fatigue or MFA spamming or push bombing attacks, which bombards the user with MFA push notifications in hopes that a user accepts the request and gives access to a threat actor by mistake.
To combat such attacks, Microsoft introduced "number matching" as an additional step in its Microsoft Authenticator app to enhance the security provided by Multi-Factor Authentication (MFA) last year. And from today, May 8, 2023, the Redmond giant is enforcing number matching for all users. Hence, users will need to enter the number provided into their Authenticator app when signing in. Here's an example image provided by Microsoft:
The support article notes:
Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.
We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.
You can find more details about Number Matching on Microsoft's official website.
5 Comments - Add comment