Security News > 2023 > May > Microsoft enforces number matching to fight MFA fatigue attacks

Microsoft has started enforcing number matching in Microsoft Authenticator push notifications to fend off multi-factor authentication fatigue attacks.

As previously announced, Microsoft will start enforcing number matching for Microsoft Authenticator MFA alerts to block MFA fatigue attack attempts across tenants beginning today.

"Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023," Microsoft says.

To manually enable number matching before Microsoft removes the admin controls, you have to go to Security > Authentication methods > Microsoft Authenticator in the Azure portal.

On the Configure tab, for Require number matching for push notifications, change Status to Enabled, choose who to include or exclude from number matching, and click Save.

Those who want to add an additional defense line against MFA fatigue attacks can also limit the number of MFA authentication requests per user and lock the accounts or alert the security team/domain admin when those thresholds are exceeded.

News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-enforces-number-matching-to-fight-mfa-fatigue-attacks/