Register now for better personalized quote!

Microsoft Authenticator gains feature to thwart spam attacks on MFA

Oct, 28, 2022 Hi-network.com
Image: Getty Images/MoMo Productions

Microsoft has rolled out 'number matching' in push notifications for its multi-factor authentication (MFA) app Microsoft Authenticator.

The new advanced feature is generally available in Microsoft Authenticator and should help counter attacks on MFA that rely on push notification spam.

More Microsoft

  • Is Windows 10 too popular for its own good?
  • The best Windows laptop models: Comparing Dell, Samsung, Lenovo, and more
  • Here's why Windows PCs are only going to get more annoying
  • How to downgrade from Windows 11 to Windows 10 (there's a catch)

Researchers earlier this year spotted so-called 'MFA fatigue attacks' on Office 365 users, where attackers repeatedly trigger MFA push notifications while trying to log in to a victim's account with an already compromised password. The attacker hopes at some point the victim is worn down or distracted enough by the notifications to accidentally approve the login attempt.

Also:iPhone 14 Pro vs. iPhone 13 Pro: Is the newest iPhone worth the upgrade?

With number matching enabled, the Authenticator app requires the user to type in the number displayed on the sign-on screen when approving an MFA request rather than just hitting 'approve'. This is going to be a handy feature for admins whose users have been caught out by this attack on MFA.

For now, admins can enable number matching in Authenticator, but Microsoft plans to make it the default for all Authenticator users in February 2023, according to Alex Weinert, Microsoft's VP director of identity security.

Admins can also use configure Authenticator to use location context and application context to prevent accidental approvals. 

Microsoft has published instructions for configuring number matching, which can be enabled by group or other filters, and notes that number matching isn't supported on Apple Watch notifications. The admin roll out controls will be removed after number matching becomes the default for the Authenticator app.

Also, now Authenticator on iOS uses App Transport Security (ATS), a security feature Apple introduced in iOS 9 in 2015 to enforce secure connections over the internet. However, ATS needs to be enabled by app developers and researchers in 2019 found that 67% of 30,000 scanned apps had ATS completely disabled.

Image: Microsoft

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Hot Tags : Tech Security

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.