From 27 February, Microsoft is rolling out a change that will affect the sign-in experience of anyone using Microsoft Authenticator.
Chill IT has put together the following information so you can brief your team before the change arrives and it does not cause surprise or confusion.
Why is this change happening?
MFA is one of the most secure methods of verifying your identity when logging into your systems or data, and it is also becoming mandatory under many cyber-security insurance policies. However, cyber criminals are smart and are taking advantage of the growing number of MFA push notifications that people receive (the notifications sent through Authenticator apps asking a user to approve a sign-in). They use “MFA fatigue attacks” to pester people into accepting an invalid or bogus prompt, relying on a momentary lapse of attention in which the user approves a request they did not start. Some recent major breaches (Uber is one of the victims) have occurred this way.
See this YouTube: https://youtu.be/wHhbWUXx95U to see an example of how a user can be tricked and pestered into accepting an invalid prompt.
This change will help users recognise whether a notification is a trusted authentication request that they themselves started.
What is the change?
Microsoft is enforcing a “Number Matching” feature, rolled out automatically from 27 February 2023 for everyone using Microsoft Authenticator. A number is shown on the device the user is signing in from, and the user must enter that number in Authenticator on their phone before the MFA request is approved.
This replaces the simple “Accept” or “Reject” prompt that is currently provided. The MFA number matching process is shown below.
Chill IT highly recommends that you communicate this to your team so they understand the upcoming change.
MFA Number Matching Process
The MFA number matching process works as follows:
- The user signs into a Microsoft 365 service with their username and password on their device.
- A randomly generated number is displayed on that device.
- Microsoft Authenticator on the phone prompts the user to enter the number shown on the device.
- Once the correct number (in this case 83) is entered, the user is signed in.
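As an added illustration (this is not code from Chill IT or Microsoft), the following Python model walks through the exchange above from both sides: the sign-in service displays a number on the device and pushes only a request id to the phone, and the Authenticator side can approve only by sending back the matching number, so a reflexive “Accept” tap on a push the user did not start no longer works. The class and function names and the 60-second validity window are assumptions made for the example.

```python
from __future__ import annotations
import secrets
import time
import uuid
from dataclasses import dataclass
CHALLENGE_TTL = 60  # seconds a pending request stays valid (assumed value)

@dataclass
class PendingSignIn:
    user: str
    number: int          # shown only on the screen that is signing in
    created: float
    resolved: bool = False

class IdentityService:
    """Sign-in side: pushes a request id to the phone and shows a two-digit
    number on the sign-in screen; the number itself is never in the push."""
    def __init__(self) -> None:
        self.pending = {}

    def start_sign_in(self, user: str) -> tuple[str, int]:
        number = secrets.randbelow(100)   # 0..99, like the "83" in the walkthrough
        request_id = str(uuid.uuid4())
        self.pending[request_id] = PendingSignIn(user, number, time.time())
        return request_id, number

    def approve(self, request_id: str, entered: int | None) -> bool:
        """Called from the Authenticator app; succeeds only if the number typed
        into the app matches the one shown at sign-in, once, within the TTL."""
        req = self.pending.get(request_id)
        if req is None or req.resolved or time.time() - req.created > CHALLENGE_TTL:
            return False
        req.resolved = True               # one attempt per push, no retries
        return entered is not None and entered == req.number

def legitimate_sign_in(svc: IdentityService, user: str) -> bool:
    request_id, number = svc.start_sign_in(user)
    return svc.approve(request_id, number)   # user copies the number from own screen

def blind_accept(svc: IdentityService, user: str) -> bool:
    """Old-style 'Accept' tap on a push the user did not start: the phone has
    no number to send, so a reflexive tap can no longer approve it."""
    request_id, _number_on_another_screen = svc.start_sign_in(user)
    return svc.approve(request_id, None)

def wrong_number_then_replay(svc: IdentityService, user: str) -> bool:
    """A guessed number burns the request, so a later correct entry is refused too."""
    request_id, number = svc.start_sign_in(user)
    svc.approve(request_id, (number + 1) % 100)
    return svc.approve(request_id, number)
```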
Please note: Microsoft Authenticator has stopped supporting verification on Apple Watch, as watchOS is incompatible with Authenticator's security features.
If you are interested in a security review for your business, or if you have any concerns or queries about MFA number matching, please reach out to us at firstname.lastname@example.org