Microsoft Authenticator to Enable Number Matching Security Feature by Default in February 2023

Security

Last month, Microsoft introduced support for number matching to its Authenticator app. The company has announced on the Microsoft 365 admin center that the new security feature will be enabled by default for all Microsoft Authenticator users worldwide in February 2023.

With number matching enabled, the Microsoft Authenticator app requires users to type a number displayed on the screen to complete the authentication process. Microsoft notes that the feature helps to prevent accidental approvals and provides protection against multi-factor authentication (MFA) fatigue attacks.

Moreover, the additional context feature enables users to view extra information while approving a sign-in request in Microsoft Authenticator. These include the app’s name and the login location based on the device’s IP address. Microsoft says that these additional details help users to understand the validity of a sign-in request.

Microsoft Authenticator to Enable Number Matching Security Feature by Default in February 2023
Additional Context & Number Matching

Currently, Microsoft allows IT admins to configure number matching for end users in their tenant. However, the company is making number matching a default experience in its Authenticator app on February 27, 2023.

At that point, the admin controls to enable or disable the feature will be removed from the Azure AD admin center. Microsoft Authenticator will require users to do number matching otherwise their authentication will fail.

Number matching improves Microsoft Authenticator’s resistance against MFA fatigue attacks

Microsoft recommends users to install the latest version of the Authenticator app on their Android or iOS devices. However, keep in mind that the number matching feature isn’t supported on Apple Watch. Users will need to uninstall the Microsoft Authenticator Apple Watch app and approve the notifications on their mobile devices.

According to Microsoft, the number of MFA fatigue attacks spiked between December 2021 and August. The company reported 22,859 Azure AD protection sessions with multiple failed MFA attempts in December. The new number matching experience is part of Microsoft’s ongoing effort to increase security by default across Microsoft 365.