Microsoft has introduced a new security upgrade to Microsoft Authenticator push notifications called “number matching” to combat multi-factor authentication (MFA) fatigue attacks.
MFA fatigue attacks involve cybercriminals bombarding targets with push notifications requesting approval for log-in attempts using stolen credentials. The targets may give in to the repeated malicious MFA push requests, allowing the attackers to log into their accounts.
The success of this social engineering attack method has been proven by Lapsus$ and Yanluowang threat actors who have breached high-profile organizations, including Microsoft, Cisco, and Uber, among others.
Number matching is a key security upgrade to traditional second-factor notifications in Microsoft Authenticator. With this upgrade, Microsoft removes the admin controls and enforces the number matching experience tenant-wide for all users of Microsoft Authenticator push notifications from May 8, 2023.
Relevant services will deploy these changes starting May 8, 2023, and users will start to see the number match in approval requests. However, some services may deploy the feature later than others.
To manually enable number matching before Microsoft removes admin controls, go to Security > Authentication methods > Microsoft Authenticator in the Azure portal.
On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups.
Set the Authentication mode for these users/groups to Any or Push.
On the Configure tab, for Require number matching for push notifications, change Status to Enabled, choose who to include or exclude from number matching, and click Save.
Users can also enable number matching for all users or a single group using Graph APIs.
Those who want an additional line of defense against MFA fatigue attacks can limit the number of MFA authentication requests per user using Microsoft, Duo, Okta, or other platforms.
They can also lock the accounts or alert the security team/domain admin when these thresholds are exceeded.
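The threshold-and-alert idea above, as an added example that is not part of the original article or any vendor product: a sliding-window detector over constructed sign-in records (the record fields, user names and thresholds are assumptions) that flags users receiving repeated unanswered pushes and escalates when an approval lands inside such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on MFA sign-in log entries.
# The field names (user, ts, mfa_result) are assumptions, not a vendor schema.
SAMPLE_LOGS = [
    {"user": "alice", "ts": "2023-05-08T09:00:05Z", "mfa_result": "denied"},
    {"user": "alice", "ts": "2023-05-08T09:00:40Z", "mfa_result": "timeout"},
    {"user": "alice", "ts": "2023-05-08T09:01:10Z", "mfa_result": "denied"},
    {"user": "alice", "ts": "2023-05-08T09:01:55Z", "mfa_result": "denied"},
    {"user": "alice", "ts": "2023-05-08T09:02:30Z", "mfa_result": "approved"},
    {"user": "bob",   "ts": "2023-05-08T09:00:00Z", "mfa_result": "denied"},
    {"user": "bob",   "ts": "2023-05-08T10:30:00Z", "mfa_result": "denied"},
    {"user": "carol", "ts": "2023-05-08T11:00:00Z", "mfa_result": "approved"},
]

# Results meaning the user did not approve the push: the signature of push bombing.
UNANSWERED = {"denied", "timeout"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_push_bombing(records, threshold=3, window=timedelta(minutes=10)):
    """Per-user sliding-window count of unanswered pushes; returns
    {user: {first_exceeded, peak, approved_after_burst}} for users reaching threshold."""
    recent = defaultdict(deque)   # user -> timestamps of unanswered pushes in window
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO-8601 sorts lexically
        user, t = rec["user"], parse_ts(rec["ts"])
        q = recent[user]
        while q and t - q[0] > window:   # expire pushes older than the window
            q.popleft()
        if rec["mfa_result"] in UNANSWERED:
            q.append(t)
            if len(q) >= threshold:
                entry = flagged.setdefault(user, {"first_exceeded": rec["ts"], "peak": 0,
                                                  "approved_after_burst": False})
                entry["peak"] = max(entry["peak"], len(q))
        elif rec["mfa_result"] == "approved" and len(q) >= threshold:
            # The user gave in while the burst was still open: worst case, escalate.
            flagged[user]["approved_after_burst"] = True
    return flagged

def recommended_action(entry):
    """Map a flagged entry to the response described above: throttle and alert, or lock."""
    return "lock_and_alert" if entry["approved_after_burst"] else "alert_and_throttle"
```

Feed it real sign-in exports by mapping your provider's result codes onto the three values used here; bob's two denials 90 minutes apart show why the window matters, since they never count as a burst.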
Number matching will help to reduce the number of false positives in MFA push notifications and ensure that only genuine notifications are sent to users.
This will, in turn, reduce the number of MFA fatigue attacks that targets have to face.
As Microsoft has started enforcing number matching for MFA alerts, it is expected that other MFA providers will also adopt similar measures to combat push bombing or MFA push spam.
While number matching is an effective defense against MFA fatigue attacks, it is not foolproof. Cybercriminals can still use social engineering techniques to trick users into approving fake requests. Therefore, it is crucial to educate users about the risks of MFA fatigue attacks and how to spot fake requests.
Additionally, organizations should implement other security measures such as monitoring user behavior, using threat intelligence tools, and deploying security solutions that can detect and prevent attacks before they happen.
Multi-factor authentication is an essential security measure to protect against cyberattacks. However, MFA fatigue attacks can compromise this security measure, putting sensitive data at risk.
With the introduction of number matching, Microsoft has taken a significant step towards combating MFA fatigue attacks. Organizations should follow suit and adopt similar measures to safeguard their systems and data against cyber threats.