Microsoft Authenticator MFA security enhancements are coming February 27, 2023

Kris Wilkinson, February 13, 2023

Effective February 27, 2023, Microsoft is making number matching the default authentication method for its MFA (Multi-Factor Authentication) system. The incoming change improves security by ensuring users don’t accidentally click “Yes” or overlook the importance of a prompt due to MFA fatigue.

Multi-Factor Authentication for Microsoft 365 is a critical security feature that requires a user to approve a login attempt using their mobile device. A simple prompt is displayed, and the user can reject the attempt if it wasn’t them.
The most important thing to remember? The MFA prompt is only displayed when a successful login attempt is made. In other words, the user’s credentials are known and are being used successfully. MFA is highly effective because the prompt makes the user aware that their credentials are known, gives them the opportunity to reject the login attempt, and lets them change their password immediately.

What is MFA Number Matching, and why has Microsoft made the change?

On February 27, 2023, the basic “Yes” or “No, it’s not me” options presented during the MFA process will be enhanced to include a random number. The random number must be entered during approval (see the images below for examples).

Here’s what you can expect to see soon:

Microsoft Authenticator - New Features

App is the requesting application (informational)

This allows the user to understand which system or service is trying to access the account. For example, the application or service name is provided if Microsoft 365 is used to log into third-party services.

Location (informational)

This lets you know where the login request came from.

Number Matching (behavioural)

Instead of simply approving a login request, you must provide a two-digit number.

Why is Microsoft doing this?

This change introduces a human step to avoid mistakes or complacent behaviour. In the example above, the user is presented with “88” on the login page and enters it into the Microsoft Authenticator app on their mobile device. The change ensures users don’t accidentally click “Yes” or overlook the importance of a prompt due to MFA fatigue.
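A minimal model of the flow described above, as an added example that is not part of the original article and is not Microsoft's implementation. It compares plain approve/deny with number matching when a user approves a prompt they did not trigger; the class, function names and sample values are assumptions made for illustration.

```python
import secrets

class SignInService:
    """Toy model of the service side. Assumed design, not Microsoft's code."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # request_id -> expected number (None = plain approve/deny)

    def start_sign_in(self, user, app, location):
        """Called after the password check passes.
        Returns (request_id, number shown on the sign-in page, push sent to the phone)."""
        request_id = secrets.token_hex(8)
        number = str(secrets.randbelow(90) + 10) if self.number_matching else None
        self.pending[request_id] = number
        # The push carries context (app, location) but never the number itself.
        push = {"request_id": request_id, "user": user, "app": app, "location": location}
        return request_id, number, push

    def respond(self, request_id, approve, entered=None):
        """Resolve a prompt; each request can be answered only once."""
        if request_id not in self.pending:
            return False
        expected = self.pending.pop(request_id)
        if not approve:
            return False
        if expected is None:
            return True  # old behaviour: one tap is enough
        return entered is not None and secrets.compare_digest(entered, expected)

def unexpected_prompt_approved(service, entered=None):
    """A sign-in the user did not start; the user approves without seeing the sign-in page."""
    request_id, _number_on_other_screen, _push = service.start_sign_in(
        "alex@example.com", "Microsoft 365", "Example City")  # constructed values
    return service.respond(request_id, approve=True, entered=entered)

def legitimate_sign_in(service):
    """The user starts the sign-in, so they can read the number and type it into the app."""
    request_id, number, _push = service.start_sign_in(
        "alex@example.com", "Microsoft 365", "Example City")  # constructed values
    return service.respond(request_id, approve=True, entered=number)

if __name__ == "__main__":
    for mode in (False, True):
        svc = SignInService(number_matching=mode)
        print(f"number_matching={mode}: unexpected prompt approved ->",
              unexpected_prompt_approved(svc), "| legitimate sign-in ->", legitimate_sign_in(svc))
```

In this model a reflexive approval only succeeds in the plain approve/deny mode, because the number appears on the sign-in page and not in the push notification.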

What you need to do to prepare

  • Inform your team and make sure they aren’t surprised
  • Users leveraging third-party MFA apps like Google Authenticator for Microsoft 365 do not benefit from numerous Microsoft security enhancements (like this one). We highly recommend switching to Microsoft Authenticator to improve security and enable push notifications (they’re faster!).

The SIRKit team has tested the incoming changes, and there were no issues. The extra security and enhanced information are valuable.

Check out this article with your IT team if you’re interested in activating these new features before Microsoft’s general roll-out. Alternatively, call us if you need a fantastic Managed IT partner, and we’ll take care of it for you.