Cyber Resilience – Microsoft Universally Enables Number Matching for Microsoft Authenticator

Microsoft announced the implementation of number matching for push notifications via Microsoft Authenticator in an effort to counter the increasing prevalence of multi-factor authentication (MFA) fatigue attacks. Number matching, which has been promoted by CISA, creates an additional authentication step for users. After logging into a service and having an MFA request pushed to their phone, the service will present them with a number they must enter into the Authenticator app. If a victim is being targeted by an MFA fatigue attack, this step reduces the ability to simply accept a push notification in an effort to make the attacker-generated deluge of notifications stop. Likewise, it’s a stop-gap for users who many have accidentally accepted a push notification. This change began rolling out May 8, 2023. For utilities that utilize Microsoft Authenticator for MFA, it may be practical to advise users of this enhanced requirement. Read more at Microsoft.