MFA should be standard for organizations at this point. Relying on a username and password alone for any cloud service is just asking for your account or your users’ accounts to be compromised.
Users sign into cloud services potentially many times, however. For example, a user may sign into these typical Office 365 applications:
Each one will require an MFA notification to allow the user to sign in completely. If the user also uses any of these on a mobile device, those applications would require an MFA prompt as well. So far in this example we have 8 possible different applications that may from time to time prompt the user for an MFA approval. If the user is using the standard Microsoft Authenticator app and push notifications, they would be greeted with the Approve/Deny experience potentially each time. The request would carry little additional information, such as which application is requesting permission to sign in or where in the world the request is coming from.
This is where MFA fatigue is introduced. Confusion over which app is requesting permission (perhaps Microsoft OneDrive crashed, relaunched, and needs a fresh sign in), or the simple habit of clicking prompts away, has caused people time and time again to approve an MFA authentication request without really knowing what they are approving.
The protection of having MFA enforced on an account is now wasted, because the bad actor who has the username and password will take advantage of the person’s fatigue over whether to approve the MFA request. The person clicks approve and now the bad actor has access.
Microsoft realized that this is a problem and has introduced a solution—number matching.
Instead of a person being presented with a vague Approve/Deny experience, they are presented with a number pad and a request to enter the number shown on the sign-in screen. If the person really isn’t trying to sign into something, they won’t know the number to enter, and therefore cannot unknowingly allow the bad actor access to their account.
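A simplified model of the two prompt styles described above, as an added example that is not from the original article and is not Microsoft's implementation. The class, the function names and the two-digit number format are assumptions made for illustration.

```python
import hmac
import secrets


class PushMfaServer:
    """Toy push-MFA verifier (hypothetical model, not Microsoft's code)."""

    def __init__(self, number_matching):
        self.number_matching = number_matching
        self.pending = {}  # request_id -> expected number, or None for Approve/Deny

    def start_sign_in(self):
        """Password was accepted: create a push request.

        Returns (request_id, number). The number is shown only on the sign-in
        screen of whoever started the sign-in; it is not part of the push.
        """
        request_id = secrets.token_hex(8)
        # Assumed format: a random two-digit number, 10..99.
        number = str(secrets.randbelow(90) + 10) if self.number_matching else None
        self.pending[request_id] = number
        return request_id, number

    def respond(self, request_id, approved, entered=None):
        """Response from the phone. Each request can be answered only once."""
        if request_id not in self.pending:
            return False
        expected = self.pending.pop(request_id)
        if not approved:
            return False
        if expected is None:
            return True  # Approve/Deny: a single tap completes the sign-in
        return entered is not None and hmac.compare_digest(expected, entered)


def legitimate_user(server, request_id, number_on_own_screen):
    """The user started the sign-in, so they can read and enter the number."""
    return server.respond(request_id, approved=True, entered=number_on_own_screen)


def attacker_driven_sign_in(number_matching):
    """Someone else starts the sign-in; the fatigued account owner only sees
    the push and tries to dismiss it by approving, with no number to enter."""
    server = PushMfaServer(number_matching)
    request_id, _shown_on_other_screen = server.start_sign_in()
    return server.respond(request_id, approved=True)
```

With `number_matching=False` the blind approval completes the sign-in; with `number_matching=True` the same tap is rejected because the account owner never saw the number.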
If you use Microsoft Authenticator you may have noticed this change happen for your account already. That is because beginning May 8, 2023, Microsoft enabled all Authenticator push notifications to use number matching instead of the original Approve/Deny experience.
Microsoft has published more information about MFA number matching here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
About the Author
Craig Schellenberg
Craig Schellenberg is a Senior Network Consultant at Sikich who works with businesses to improve their IT. Being detail oriented assists in his ability to design and deploy new solutions as well as troubleshoot complex issues. His primary areas of focus are on-premises virtualization and storage (whether through VMware vSphere or Microsoft Hyper-V), Microsoft Cloud services such as Azure and Office 365, Microsoft SQL design and administration, backup/DR/Business Continuance, and network route/switch/firewalls. Craig holds many certifications including his MCSE (Microsoft Certified Solutions Expert) in Productivity, Messaging, and Cloud Platform and Infrastructure. Craig also holds multiple VCP (VMware Certified Professional) certifications, including version 3, 4 (Data Center Virtualization), 5 (Data Center Virtualization), 5 (Desktop), Cloud, and 6 (Data Center Virtualization).