Third-party authentication apps, like Microsoft Authenticator, offer users a higher level of security than SMS or phone calls. But, as with all things cybersecurity-related, the tools that protect us must continue to evolve to stay ahead of bad actors. To bolster the security of push notifications, Microsoft announced new features to Authenticator’s two-factor authentication capabilities for mobile device users.
Most notably among the updates, number matching and additional context features will roll out to all organizations using Microsoft Authenticator to safeguard against MFA fatigue attacks.
What is an MFA Fatigue Attack and how to defend against it?
Microsoft has found that about one percent of users will accept a simple approval request on the first try.
MFA fatigue, also known as MFA spamming, is an increasingly common attack tactic. With the increased adoption of MFA, attackers who have already obtained a user’s password find their access blocked by secondary authentication. However, if a user can easily “click to approve,” instead of entering a code they see onscreen, attackers have found they are more likely to accidentally approve an authentication request. So, bad actors will send frequent requests until the user simply approves them.
By adding number matching and additional context security features, MS Authenticator requires the end user to engage more thoughtfully in the approval process. These new features ensure that users enter information from the login screen.
What are number matching and additional context enhancements?
When a user tries to sign in, their machine, or the screen they are signing in from, will present them with a two-digit number and prompt them to enter that number into the authenticator app on their mobile device to approve the sign-in attempt. The user is matching numbers on two separate devices in order to confirm their identity.
Additional context displays additional information in the push notifications including the location the log in is originating from and the name of the application the user is trying to access.
What should your organization do?
The good news is your organization shouldn’t need to do anything to take advantage of these enhancements. In February 2023, Microsoft will enable these new features by default. If you’re already using Microsoft Authenticator, you’ll automatically start to see the new MFA experience when signing in.
If you would like more detail about these changes, check out these Microsoft FAQs. GadellNet is here to help you protect your organization. If you need more information about cybersecurity best practices, please reach out to your Account Manager or contact firstname.lastname@example.org.