In order to combat “MFA fatigue” Microsoft is phasing out the Approve/Deny function of its Microsoft Authenticator app in favor of the currently optional number matching feature. Number matching, which has been available on the Authenticator app since November 2022 for early adopters, will soon be implemented as the standard for all users of the Microsoft Authenticator app.
When the final rollout happens on February 27, 2023, any old versions of the Microsoft Authenticator app without the number matching feature enabled will fail to work. If your company hasn’t already opted in, you should consider enabling it now to ensure a smooth transition.
What is Number Matching?
Microsoft calls number matching “a key security upgrade” to multi-factor authentication. Number matching adds a new step to the MFA process. In practice, it represents a very small change: when a user attempts to log into the system, the login screen will prompt them with a number to enter into the Microsoft Authenticator app on their mobile device. Instead of clicking to approve or deny the request, the user just has to enter a number.
As simple as that may seem, it represents a significant increase in security. This additional step in the MFA request – this confirmation number – acts as a direct connection linking the login portal and the Authenticator app, ensuring that the user isn’t inadvertently approving the wrong MFA request. As unlikely as that situation may sound, it’s exactly the problem number matching is made to fix.
What is MFA Fatigue?
MFA fatigue happens when a user is required to use multi-factor authentication repeatedly throughout their day. Like any habit, it can become a routine and even reflexive process. This can lead to laziness, shortcuts, and a lack of attention being paid to what should be treated as the critical security procedure it is. MFA is a key defense against cyber-intrusion, and lax usage can open the door to what are known as MFA fatigue attacks.
MFA Fatigue Attacks
Much like phishing, MFA fatigue attacks are a form of social engineering where people are the core target, not technology. During an MFA fatigue attack, someone attempting to break into the system will send a user MFA requests, hoping the user accepts them as valid. Perhaps the user thinks it’s just a system malfunction, or they’re just so used to hitting “Approve” they do it without thinking. If that user is suffering from MFA fatigue and responds to a fraudulent request without realizing, it opens the door for the attacker.
How does number matching fight MFA fatigue attacks? To put it simply: number matching ensures that a user cannot approve an MFA request unless they can see the number displayed on the sign-in screen that generated it, so a request that wasn’t sent from the device they are currently using cannot be approved.
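The following toy model, added here as an illustration and not code from Microsoft or the Authenticator app, puts the Approve/Deny flow described above beside the number matching flow. It assumes a single user, an identity service that issues one push per accepted password, and a phone that always taps Approve on the newest notification; the two-digit number range (10 to 99) and the class and function names are assumptions of the model. It plays out both attack shapes from the text: an attacker-initiated push arriving while the user is legitimately signing in, and an unsolicited push when the user isn’t signing in at all.

```python
"""Toy model of push MFA: legacy Approve/Deny versus number matching.

Added illustration, not Microsoft code. One identity service, one user,
one Authenticator-style app. Shows why an attacker-initiated push can be
waved through under Approve/Deny but not under number matching.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def secure_two_digit() -> int:
    """Default number source: uniformly random two-digit value, 10..99.
    The real service's exact range is an assumption of this model."""
    return secrets.randbelow(90) + 10


@dataclass
class SignInAttempt:
    attempt_id: int
    initiated_by: str          # who typed the password: "user" or "attacker"
    number: int                # shown only on the screen that started this attempt
    approved: bool = False
    denied: bool = False


class IdentityService:
    """Issues push challenges and decides whether a phone response approves one."""

    def __init__(self, number_matching: bool,
                 number_source: Callable[[], int] = secure_two_digit):
        self.number_matching = number_matching
        self.number_source = number_source
        self.pending: List[SignInAttempt] = []   # oldest first
        self._next_id = 1

    def start_sign_in(self, initiated_by: str) -> SignInAttempt:
        """Password accepted: generate a number for the sign-in screen and push."""
        attempt = SignInAttempt(self._next_id, initiated_by, self.number_source())
        self._next_id += 1
        self.pending.append(attempt)
        return attempt

    def newest_push(self) -> Optional[SignInAttempt]:
        """The notification currently on top of the phone's screen."""
        return self.pending[-1] if self.pending else None

    def respond(self, attempt: SignInAttempt, approve: bool,
                typed_number: Optional[int] = None) -> bool:
        """Phone's answer to one push. Returns True if the attempt is now approved."""
        self.pending.remove(attempt)
        if not approve:
            attempt.denied = True
            return False
        if self.number_matching and typed_number != attempt.number:
            # Wrong or missing number: rejected even though the user tapped
            # through, because the answer is not bound to the screen the user
            # is actually looking at.
            attempt.denied = True
            return False
        attempt.approved = True
        return True


def fatigue_attack(number_matching: bool,
                   number_source: Callable[[], int] = secure_two_digit) -> Dict[str, bool]:
    """Victim is signing in legitimately; an attacker who already has the
    password starts a sign-in at the same moment. The victim approves every
    push, typing only the number shown on the victim's own screen."""
    svc = IdentityService(number_matching, number_source)
    user_attempt = svc.start_sign_in("user")          # victim sees this number
    attacker_attempt = svc.start_sign_in("attacker")  # only the attacker sees this one
    while (push := svc.newest_push()) is not None:
        svc.respond(push, approve=True, typed_number=user_attempt.number)
    # With random numbers the two screens collide about 1 time in 90 in this
    # model; that is the residual risk of a two-digit code, not a bug.
    return {"user_approved": user_attempt.approved,
            "attacker_approved": attacker_attempt.approved}


def unsolicited_push(number_matching: bool) -> bool:
    """Victim is not signing in at all, so has no number to type, but taps
    Approve anyway. Returns whether the attacker's attempt was approved."""
    svc = IdentityService(number_matching)
    attacker_attempt = svc.start_sign_in("attacker")
    svc.respond(attacker_attempt, approve=True, typed_number=None)
    return attacker_attempt.approved


if __name__ == "__main__":
    for mode in (False, True):
        label = "number matching" if mode else "approve/deny"
        print(label, "concurrent:", fatigue_attack(mode),
              "unsolicited attacker approved:", unsolicited_push(mode))
```

Under Approve/Deny the newest push is the attacker's, and a reflexive tap approves it. Under number matching the same tap fails because the victim can only type the number from their own screen; the attacker’s attempt needs a number the victim has never seen.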
More Than Numbers
To enable number matching ahead of the February 27 deadline you can use the rollout controls in the Azure AD Portal or the Graph APIs, but that’s not all you can do! Microsoft Authenticator offers another layer of security by being able to display additional context. The Authenticator app can show the geolocation of the request and the application from which it was sent, giving the user even more confirmation that they are approving a valid request.
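For the Graph route, the following script is an added example (not Microsoft tooling) that audits a tenant’s Microsoft Authenticator policy for the three feature settings this article discusses and builds the PATCH body that turns them on for all users. The endpoint path and the field names `numberMatchingRequiredState`, `displayAppInformationRequiredState` and `displayLocationInformationRequiredState` are taken from the Graph beta `authenticationMethodsPolicy` as documented during the rollout; the beta schema changes, so confirm them against the current Graph reference. The sample policy document is constructed, and the function names are this example’s own.

```python
"""Audit and enforce Microsoft Authenticator feature settings via Microsoft Graph.

Added illustration, not Microsoft's own tooling. Endpoint and field names follow
the Graph beta authenticationMethodsPolicy as documented when number matching was
rolling out; verify against the current reference, since the beta schema changes.
"""
import json
import urllib.request
from typing import Dict, List

GRAPH_AUTHENTICATOR_POLICY = (
    "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
    "authenticationMethodConfigurations/MicrosoftAuthenticator"
)

# The number to type, plus the additional context (app name and location)
# the article recommends showing in the app.
REQUIRED_FEATURES = (
    "numberMatchingRequiredState",
    "displayAppInformationRequiredState",
    "displayLocationInformationRequiredState",
)
ALL_USERS = {"targetType": "group", "id": "all_users"}


def audit_feature_settings(policy: Dict) -> List[str]:
    """Return one finding per feature that is not enforced for all users.
    An empty list means the tenant already matches the post-rollout default."""
    findings = []
    features = policy.get("featureSettings") or {}
    for name in REQUIRED_FEATURES:
        setting = features.get(name) or {}
        state = setting.get("state", "default")
        target = setting.get("includeTarget") or {}
        if state != "enabled":
            findings.append(f"{name} is '{state}', expected 'enabled'")
        elif target.get("id") != ALL_USERS["id"]:
            findings.append(f"{name} is enabled only for target "
                            f"{target.get('id')!r}, not all_users")
    return findings


def build_enforce_patch() -> Dict:
    """PATCH body that switches every required feature on for every user."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            name: {"state": "enabled", "includeTarget": dict(ALL_USERS)}
            for name in REQUIRED_FEATURES
        },
    }


def apply_policy(access_token: str, body: Dict) -> int:
    """Send the PATCH with a Graph token holding Policy.ReadWrite.AuthenticationMethod.
    Returns the HTTP status (Graph answers 204 No Content on success)."""
    req = urllib.request.Request(
        GRAPH_AUTHENTICATOR_POLICY,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:   # network call; not run on import
        return resp.status


# Constructed sample of a tenant that has not opted in: number matching left at
# Microsoft's default, app information piloted for one group, location unset.
SAMPLE_POLICY = {
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "default"},
        "displayAppInformationRequiredState": {
            "state": "enabled",
            "includeTarget": {"targetType": "group", "id": "00000000-0000-0000-0000-00000000abcd"},
        },
    }
}

if __name__ == "__main__":
    for finding in audit_feature_settings(SAMPLE_POLICY):
        print("FINDING:", finding)
    print(json.dumps(build_enforce_patch(), indent=2))
    # apply_policy("<access token>", build_enforce_patch())  # run with a real token
```

Run the audit against the JSON returned by a GET on the same endpoint to see how far a tenant is from the rollout default; once the patch body is applied, the audit should come back empty.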
As with all things cybersecurity, the most critical thing is awareness: not only of the threats, but also of the technologies and techniques that defend against them. People, not technology, are the first line of defense against cyber-attack. When the time comes that your employees have to put a number into their Microsoft Authenticator app, they should know why they have to put a number into the app. Though MFA may at times seem like a burden, knowing how it works is a reminder of why it is so important.