Microsoft has announced that it will start enforcing number matching in Microsoft Authenticator push notifications to prevent multi-factor authentication (MFA) fatigue attacks, a social engineering technique in which attackers flood users with repeated malicious push requests until one is approved, giving the attackers access to the account.
These attacks have already been successful against high-profile organizations, including Microsoft, Cisco, and Uber.
Administrators can currently enable number matching manually, either for everyone or for selected users and groups. Starting May 8, 2023, Microsoft will remove these admin controls and enforce number matching tenant-wide for all Microsoft Authenticator push notification users. Relevant services will begin rolling out the change after that date, so for a period some users may see number matching in approval requests while others do not.
Number matching is considered a significant security upgrade over traditional second-factor notifications in Microsoft Authenticator. It adds a layer of security by requiring users to confirm in the Authenticator app the number displayed in the sign-in request, so an approval can no longer be given with a single blind tap.
Additionally, Microsoft suggests adding a further line of defense against MFA fatigue attacks by limiting the number of MFA authentication requests per user and locking the account after a certain number of failed attempts.
Push bombing, or MFA push spam, the technique behind MFA fatigue attacks, is a form of social engineering. It involves bombarding targets with push notifications asking them to approve login attempts to their corporate accounts made with stolen credentials.
Repeated malicious push requests can cause targets to give in and approve a request, either by mistake or simply to stop the seemingly endless stream of alerts, allowing the attacker to log into the account.
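As an added illustration of the per-user request limit and account lockout recommended above, applied to the push-bombing pattern just described, the following Python guard throttles pushes per user inside a time window and locks the account after repeated denied or unanswered pushes. This is example code, not Microsoft's implementation; the thresholds and the event sample are constructed for demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-approval events, not real tenant logs.
# Each entry: (timestamp, user, how the user answered the push if it was delivered)
SAMPLE_EVENTS = [
    ("2023-05-08T09:00:01", "alice", "denied"),
    ("2023-05-08T09:00:05", "bob",   "denied"),
    ("2023-05-08T09:00:10", "alice", "denied"),
    ("2023-05-08T09:00:15", "bob",   "approved"),   # a legitimate login resets bob's failure count
    ("2023-05-08T09:00:20", "alice", "denied"),
    ("2023-05-08T09:00:30", "alice", "denied"),     # 4th push inside 60 s: throttled, not delivered
    ("2023-05-08T09:01:05", "alice", "denied"),
    ("2023-05-08T09:01:15", "alice", "denied"),     # 5th consecutive denial: account locked
    ("2023-05-08T09:02:30", "alice", "approved"),   # a later (possibly coerced) approval is refused
]

class PushFatigueGuard:
    """Rate-limit push requests per user and lock the account after
    repeated failures. Thresholds are illustrative, not Microsoft's defaults."""

    def __init__(self, max_pushes=3, window_seconds=60, lock_after_failures=5):
        self.max_pushes = max_pushes
        self.window = timedelta(seconds=window_seconds)
        self.lock_after = lock_after_failures
        self.sent = defaultdict(deque)     # user -> timestamps of delivered pushes
        self.failures = defaultdict(int)   # user -> consecutive denied/unanswered pushes
        self.locked = set()

    def handle(self, ts, user, outcome):
        """Return 'locked', 'rate_limited' or 'sent' for one login attempt."""
        if user in self.locked:
            return "locked"
        now = datetime.fromisoformat(ts)
        recent = self.sent[user]
        while recent and now - recent[0] > self.window:   # drop pushes outside the window
            recent.popleft()
        if len(recent) >= self.max_pushes:
            return "rate_limited"                          # push is never delivered
        recent.append(now)
        if outcome == "approved":
            self.failures[user] = 0
        else:
            self.failures[user] += 1
            if self.failures[user] >= self.lock_after:
                self.locked.add(user)
                return "locked"
        return "sent"

def run(events, **kwargs):
    """Feed events through one guard and return the (user, decision) sequence."""
    guard = PushFatigueGuard(**kwargs)
    return [(user, guard.handle(ts, user, outcome)) for ts, user, outcome in events]
```

Running `run(SAMPLE_EVENTS)` shows the fourth push to alice being throttled and the account locking on the fifth denial, after which even a genuine approval is refused until an administrator intervenes.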
This new policy will be enforced across all Microsoft Authenticator push notification users to protect against MFA fatigue attacks.
By enforcing number matching, Microsoft hopes to prevent social engineering attacks that can result in the theft of valuable information from high-profile organizations.