SIRKit

Microsoft Authenticator MFA security enhancements are coming

October 6, 2022

MFA (Multi-Factor Authentication) is a must for all online services. According to Microsoft, this simple security feature eliminates 99.9% of account-based attacks. If you already use Microsoft Authenticator for Office or Microsoft 365, you can expect a small but security-focused change to the approval process in a few months. We touch on it below.

Multi-Factor Authentication is highly effective because the user is notified when someone tries to log in, and they have the opportunity to approve or deny it. This essentially means even if a third party has the username and password, access is blocked unless explicitly authorized by the user on their mobile device. Additionally, the user is made aware that someone has their credentials, allowing the opportunity to change the password immediately. Therefore, MFA is a standard and can no longer be considered an optional security feature. Not using MFA is considered negligent, and cyber-security insurance requires it.

MFA has been available for Microsoft 365 for years using the Microsoft Authenticator app. The primary benefit is its built-in push notifications allowing you to instantly approve or deny login attempts. As an added perk, the app now supports Microsoft’s new Passwordless login features (which we’ll discuss in another article).

If you use Microsoft Authenticator or plan to, Microsoft will introduce additional enhancements you should be aware of.

Here’s what you can expect to see soon:

Microsoft Authenticator - New Features

App is the requesting application (informational)

This allows the user to understand which system or service is trying to access the account. For example, the application or service name is provided if Microsoft 365 is used to log into third-party services

Location (informational)

This lets you know where the login request came from.

Number Matching (behavioural)

Instead of simply approving a login request, you must provide a two-digit number. This change introduces a human step to avoid mistakes or complacent behaviour. In the example above, the user is presented with “88” on the login page and enters it into the Microsoft Authenticator app on their mobile device.

The SIRKit team has tested the incoming changes, and the experience is excellent. The extra security and enhanced data are valuable. Although for those using a conventional code with an alternative MFA app, your MFA experience appears unchanged, and the additional protection will not protect you. Therefore, we highly recommend switching to Microsoft Authenticator, which is required if you plan to use Passwordless login.

Check out this article with your IT team if you’re interested in activating these new features before Microsoft’s general roll-out. Alternatively, call us if you need a fantastic Managed IT partner, and we’ll take care of it for you.