Microsoft MFA Update in May 2023 – Number Matching

MFA should be a standard at this point for organizations. Using only a username and password alone for any cloud service is just asking that your account or your users’ accounts be compromised.

Users sign into cloud services potentially many times, however. For example, a user may sign into these typical Office 365 applications:

  • Outlook
  • Word
  • OneDrive
  • Teams

Each one will require an MFA notification to allow the user to sign in completely. Now if the user uses any of these on their mobile devices, those applications would also require an MFA prompt to allow sign in. So far in this example we have 8 possible different applications that may from time to time prompt the user for an MFA approval. If the user is using the standard Microsoft Authenticator app and push notifications, they would be greeted with the Approve/Deny experience potentially each time. There would be little additional information around the request such as which application is requesting permission to sign in or where in the world is this request coming from?

Solution to MFA Fatigue

This is where MFA fatigue is introduced. The confusion of which app is requesting permission (perhaps Microsoft OneDrive crashed, relaunched, and needs a fresh sign in) or the simple behavior of just clicking things away has caused people time and time again to approve an MFA authentication request, when the person really doesn’t know what they are approving.

The protection of having MFA enforced on an account is now wasted because the bad actor who has the username and password will now take advantage of the person’s fatigue against whether to approve MFA or not. The person clicks approve and now the bad actor has access.

Microsoft realized that this is a problem and has introduced a solution—number matching.

Instead of a person being presented with a vague Approve/Deny experience, they are presented with a number pad with a request to enter a number. If the person really isn’t trying to sign into something, they won’t know the number to enter, and therefore could not unknowingly allow the bad actor access to their account.

If you use Microsoft Authenticator you may have noticed this change happen for your account already. That is because beginning May 8, 2023, Microsoft enabled all Authenticator push notifications to use number matching instead of the original Approve/Deny experience.

Microsoft has put some information regarding MFA with number matching available here:

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author