Beginning May 8, 2023, Microsoft will start enforcing number matching for all users who have MFA enabled on their Microsoft 365 account. Number matching in authentication procedures refers to displaying a number on one device (typically a cell phone, wherever you may have the Microsoft Authenticator app), and choosing the number that matches what is displayed on your computer login screen.
It is a method that increases security, and a move from Microsoft to lessen phishing attempts via MFA fatigue. MFA fatigue was seen famously earlier this year with the security breach from Uber. In an MFA Fatigue attack, threat actors will send countless requests for logins, to the extreme point that users may accept the request, just to stop the notifications.
Though Microsoft will begin to deploy number matching starting May 8, they recommend enabling number matching for your organization now, in order to guarantee a seamless transition.
Number matching is supported in the following scenarios:
- Multifactor authentication
- Self-service password reset
- During Authenticator app set up
- Azure FS adapter
- NPS adapter
In addition to number matching, Microsoft will start providing more context to sign-in requests, namely location of sign-in attempt and which app is requesting a sign-in.
At the TEC 2022 conference, Microsoft VP for Identity Security, Alex Weinert, reported a measly 26.84% of Microsoft 365 users who have enabled multifactor authentication. For administrators in a company, that number crawls up to 34.15%. If you are not requiring MFA on your Microsoft accounts, you are leaving your business and your data at risk. Please contact SpireTech for assistance with enforcing MFA on your Microsoft 365 accounts.
With the updates coming later this month, Microsoft Authenticator will have the same level of security as Windows Hello and FIDO-2 keys.
These small changes add multiple layers of security to any organization and are far worth the annoyance of a few more steps before a login. Human error leads to most security breaches—secure your organization with the additional step as soon as you comfortably can.