Microsoft disarms push notification bombers with number matching in Authenticator

Microsoft is hoping to curb a growing threat to multi-factor authentication (MFA) by enforcing a number-matching step for those using Microsoft Authenticator push notifications when signing into services.

Starting this week, Redmond is putting some muscle behind a number-matching feature that it began talking about last year. It said there were rising numbers of cyberattacks using MFA fatigue, also known as MFA push spamming and push bombing.

Two-factor authentication (2FA) and MFA are strategies for verifying users trying to log on to websites, accounts or services, and are part of the larger drive for zero-trust architectures, which take the position that anything or anyone trying to climb onto a network can't be trusted or given access until verified.

MFA can come in the form of a one-time code you enter, or an app on a linked device that pops up a notification asking if a login attempt is legit. If someone is trying to login as you, you can decline access. If it's you trying to get in, you can approve the login.

Attackers are finding ways around MFA protections, such as through phishing, and, in this case, MFA fatigue, a social engineering effort in which attackers use stolen credentials to try to sign into a protected account quickly and repeatedly, overwhelming potential victims with push notifications asking for login approval.

Initially the targeted individual will likely hit the prompt to indicate it isn't them trying to sign in, but may be worn down in the spamming onslaught and eventually accept the login to stop the harassment. Essentially, MFA is supposed to thwart those using stolen login credentials, but in reality, the protection measure can be bypassed by exploiting the human element: spamming users with notifications on their devices until they assume it's a bug and hit accept. At that point, the miscreant is in your account.

It's a threat Microsoft, among other vendors and security pros, has been tracking for a couple of years. Redmond saw almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts in August 2022, compared with 32,442 a year earlier, and noted that such attacks had "become more prevalent."

MFA fatigue also is one of any number of reasons Microsoft is leaning on in an industry push – and that of others, including Google and Apple – to do away with passwords entirely as a verification tool.

There were some high-profile attacks last year that featured MFA fatigue schemes. The Yanluowang ransomware gang used it in an strike against Cisco while the Lapsus$ group leaked 37GB of source code stolen from Microsoft after compromising an employee via MFA fatigue. Uber was also hit by Lapsus$ via such an attack, it's reported.

• Microsoft may charge different prices for Office with or without Teams
• Microsoft touts bigger, faster Azure VMs as data deluge grows
• AWS, Microsoft make finding important admin info less frustrating
• Microsoft helps devs create chatbots – because who needs human interaction anyway?

In October 2022, Microsoft introduced number matching as an option, as well as other security features like location and application context, in Microsoft Authenticator. Now, number matching is automatically being enabled for all push notifications in Authenticator.

"As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests," the vendor wrote in an Azure support note this week. "Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy" as long as notifications through the mobile app is enabled."

The note also said that number matching doesn't support push notifications for Apple Watch or Android wearable devices. "Wearable device users need to use their phone to approve notifications when number matching is enabled," Microsoft wrote.

When it's enforced, Authenticator users responding to a MFA push notification will be presented with another number that they'll need to type into whatever app is being logged into to complete the process. Authenticator users will not be able to opt out of the feature. It effectively adds a one-time code element to the push notification approach.

Some services will begin deploying the changes starting this week and "users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Authenticator push notifications in advance."

The number matching also will work in other scenarios with Authenticator, including self-service password reset (SSPR), AD FS adapters (on support Windows Server versions), and combined MFA and SSPR registration when setting up Authenticator.

For Windows users who don't use Authenticator, their default sign-in method won't change, according to Redmond. ®