Microsoft Authenticator Enables Number Matching By Default to Block MFA Fatigue Attacks


Last year, Microsoft released support for number matching in push notifications for its Microsoft Authenticator app. Starting today, the number matching feature will become the default experience for all Authenticator users worldwide.

The number matching feature in Microsoft Authenticator requires users to type the number displayed on the sign-in screen to approve access requests. It helps to counter Multi-Factor Authentication (MFA) fatigue attacks that rely on push notification spam. In an MFA fatigue attack, a threat actor spams the victim with MFA push notifications. It is a social engineering tactic used to gain unauthorized access to a corporate network.
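A defender-side illustration of the push spam pattern described above, added here as an example and not taken from Microsoft or the original article: a sliding-window check that flags users who receive many unapproved push prompts in a short period. The event tuple layout, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, result).
# result is the outcome of one MFA push prompt; this schema is an assumption.
SAMPLE_EVENTS = [
    ("2023-05-08T09:00:05", "alice", "approved"),   # ordinary sign-in
    ("2023-05-08T02:10:00", "bob", "denied"),
    ("2023-05-08T02:10:40", "bob", "timeout"),
    ("2023-05-08T02:11:15", "bob", "denied"),
    ("2023-05-08T02:12:00", "bob", "denied"),
    ("2023-05-08T02:12:30", "bob", "timeout"),
    ("2023-05-08T02:13:10", "bob", "denied"),
    ("2023-05-08T02:13:45", "bob", "approved"),     # approval right after a burst
    ("2023-05-08T08:00:00", "carol", "denied"),     # spread out, below threshold
    ("2023-05-08T08:30:00", "carol", "denied"),
    ("2023-05-08T09:15:00", "carol", "denied"),
    ("2023-05-08T09:16:00", "carol", "approved"),
    ("2023-05-08T14:00:00", "dave", "denied"),      # burst, never approved
    ("2023-05-08T14:01:00", "dave", "denied"),
    ("2023-05-08T14:02:00", "dave", "denied"),
    ("2023-05-08T14:03:00", "dave", "denied"),
    ("2023-05-08T14:04:00", "dave", "denied"),
]

def find_push_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with `threshold` or more unapproved pushes inside `window`,
    and record whether an approval followed the burst within the same window."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = {}
    for ts_str, user, result in sorted(events):  # ISO timestamps sort in time order
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        if result == "approved":
            # An approval shortly after a burst is the case to triage first.
            if user in alerts and ts - alerts[user]["burst_at"] <= window:
                alerts[user]["approved_after_burst"] = True
            q.clear()
            continue
        q.append(ts)
        while ts - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False})
            alert["burst_at"] = ts  # time of the latest prompt in the burst
            alert["prompts"] = max(alert["prompts"], len(q))
    return alerts
```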

With this release, Microsoft will enable the number matching feature for all supported cloud services. Users will also see additional context (such as the app’s name and the login location) to prevent accidental approvals.

“Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023,” Microsoft explained.

Microsoft recommends that users upgrade to the latest version of Microsoft Authenticator on their mobile devices. The authentication process will fail for users running older versions of the app that lack support for number matching.

Microsoft Authenticator number matching won’t be available for Apple Watch users

According to Microsoft, the number matching security protection will also be required for Self Service Password Reset (SSPR) and combined registration flows. The AD FS adapter will also require the feature on Windows Server versions 2022, 2019, and 2016. However, number matching won’t be available on Apple Watch devices.

“As services deploy, some may see number match while others don’t. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance,” Microsoft added.

As MFA fatigue attacks continue to rise, it has become crucial for organizations to implement robust security measures to protect end users. The number matching feature provides an additional layer of security to prevent potential threats and breaches.