
Microsoft disarms push bombers with number matching in Authenticator

Microsoft is hoping to curb a growing threat to multi-factor authentication (MFA) by enforcing a number-matching step for those using Microsoft Authenticator push notifications when signing into services.

Starting this week, Redmond is putting some muscle behind a number-matching feature that it began talking about last year. It said there were rising numbers of cyberattacks using MFA fatigue, also known as MFA push spamming and push bombing.

Two-factor authentication (2FA) and MFA are strategies for verifying users trying to log on to websites, accounts or services, and are part of the larger push for zero-trust architectures, which take the position that anything or anyone trying to climb onto a network can’t be trusted or given access until verified.

However, attackers are finding ways around MFA tools, such as brute-force techniques and, in this case, MFA fatigue, a social engineering effort in which attackers use stolen credentials to try to sign into a protected account quickly and repeatedly, overwhelming potential victims with push notifications for verification.

Initially the targeted individual will likely hit the prompt to indicate it isn’t them trying to sign in, but may be worn down in the spamming onslaught and eventually accept the login to stop the harassment.
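The pattern described above, a burst of rejected or ignored push prompts that may end in an approval, can be looked for in sign-in logs. The sketch below is an added example, not code from Microsoft or the original article; the event fields, result values, window and threshold are assumptions, and the log records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (ISO time, user, MFA push result).
# The field layout and result values are assumptions for this example.
SAMPLE_EVENTS = [
    ("2023-05-08T02:10:00", "alice", "denied"),
    ("2023-05-08T02:10:40", "alice", "denied"),
    ("2023-05-08T02:11:15", "alice", "timeout"),
    ("2023-05-08T02:12:05", "alice", "denied"),
    ("2023-05-08T02:12:50", "alice", "timeout"),
    ("2023-05-08T02:13:30", "alice", "approved"),  # worn down, accepts
    ("2023-05-08T09:00:00", "bob", "denied"),      # single mis-tap
    ("2023-05-08T09:00:30", "bob", "approved"),
    ("2023-05-08T11:00:00", "carol", "timeout"),
    ("2023-05-08T11:00:45", "carol", "denied"),
    ("2023-05-08T11:01:20", "carol", "denied"),
    ("2023-05-08T11:02:10", "carol", "denied"),
    ("2023-05-08T11:02:55", "carol", "timeout"),   # spammed, never approved
]

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold denied/ignored pushes inside the window.

    'high' means an approval followed the burst; otherwise 'medium'.
    """
    recent = defaultdict(deque)  # user -> times of recent failed prompts
    alerts = {}                  # user -> highest severity seen
    for ts, user, result in sorted(events):
        t = datetime.fromisoformat(ts)
        failures = recent[user]
        # Drop failures that have aged out of the sliding window.
        while failures and t - failures[0] > window:
            failures.popleft()
        if result in ("denied", "timeout"):
            failures.append(t)
            if len(failures) >= threshold:
                alerts.setdefault(user, "medium")
        elif result == "approved":
            if len(failures) >= threshold:
                alerts[user] = "high"
            failures.clear()     # a completed sign-in resets the burst
    return alerts

if __name__ == "__main__":
    for user, severity in detect_push_bombing(SAMPLE_EVENTS).items():
        print(f"{user}: possible MFA push bombing ({severity})")
```

A "high" result is the case worth immediate response: the account's password is already known to someone else and a session has now been granted.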

It’s a threat Microsoft, among other vendors and security pros, has been tracking for a couple of years. Redmond saw almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts in August 2022, compared with 32,442 a year earlier, and noted that such attacks had “become more prevalent.”

MFA fatigue is also one of the reasons Microsoft cites in an industry push – joined by others, including Google and Apple – to do away with passwords entirely as a verification tool.

There were some high-profile attacks last year that featured MFA fatigue schemes. The Yanluowang ransomware gang used it in a strike against Cisco, while the Lapsus$ group leaked 37GB of source code stolen from Microsoft after compromising an employee via MFA fatigue. Uber was also hit by Lapsus$ via such an attack, it’s reported.

In October 2022, Microsoft introduced number matching as an option, as well as other security features like location and application context, in Microsoft Authenticator. Now, number matching is automatically being enabled for all push notifications in Authenticator.

“As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests,” the vendor wrote in an Azure support note this week. “Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy” as long as notifications through the mobile app are enabled.

The note also said that number matching doesn’t support push notifications for Apple Watch or Android wearable devices. “Wearable device users need to use their phone to approve notifications when number matching is enabled,” Microsoft wrote.

When it’s enforced, Authenticator users responding to an MFA push notification will be presented with another number that they’ll need to type into the app to complete the process. Authenticator users will not be able to opt out of the feature.

Some services will begin deploying the changes starting this week and “users will start to see number match in approval requests. As services deploy, some may see number match while others don’t. To ensure consistent behavior for all users, we highly recommend you enable number match for Authenticator push notifications in advance.”

Number matching will also work in other scenarios with Authenticator, including self-service password reset (SSPR), AD FS adapters (on supported Windows Server versions), and combined MFA and SSPR registration when setting up Authenticator.

For Windows users who don’t use Authenticator, their default sign-in method won’t change, according to Redmond. ®