Microsoft Authenticator gains feature to thwart spam attacks on MFA


Microsoft has rolled out ‘number matching’ in push notifications for its multi-factor authentication (MFA) app Microsoft Authenticator.

The new advanced feature is generally available in Microsoft Authenticator and should help counter attacks on MFA that rely on push notification spam.

Researchers earlier this year spotted so-called ‘MFA fatigue attacks’ on Office 365 users, where attackers repeatedly trigger MFA push notifications while trying to log in to a victim’s account with an already compromised password. The attacker hopes at some point the victim is worn down or distracted enough by the notifications to accidentally approve the login attempt.
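The pattern described above leaves a recognisable trace in sign-in telemetry: a burst of ignored or denied push prompts for one account, sometimes ending in an approval. The following Python sketch is an added example, not code from Microsoft or the original article; the event tuples, result labels, window and threshold are constructed assumptions rather than a real sign-in log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, push result); not a real log schema.
SAMPLE_EVENTS = [
    ("2022-10-03T02:10:05", "alice", "timeout"),
    ("2022-10-03T02:10:40", "alice", "denied"),
    ("2022-10-03T02:11:15", "alice", "timeout"),
    ("2022-10-03T02:12:02", "alice", "denied"),
    ("2022-10-03T02:12:50", "alice", "timeout"),
    ("2022-10-03T02:13:30", "alice", "approved"),
    ("2022-10-03T09:00:00", "bob", "denied"),
    ("2022-10-03T09:00:30", "bob", "approved"),
    ("2022-10-03T14:00:00", "carol", "timeout"),
    ("2022-10-03T14:01:00", "carol", "timeout"),
    ("2022-10-03T14:02:00", "carol", "denied"),
    ("2022-10-03T14:03:00", "carol", "timeout"),
]

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Return alerts for users who got >= threshold unapproved push prompts
    inside `window`; severity is 'high' when an approval ended the burst."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerts = {}
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        queue = recent[user]
        while queue and ts - queue[0] > window:
            queue.popleft()       # drop prompts older than the window
        if result == "approved":
            if len(queue) >= threshold:
                alerts[user] = {"user": user, "prompts": len(queue),
                                "severity": "high", "approved_at": ts_text}
            queue.clear()         # an approval ends the current burst
        else:
            queue.append(ts)
            still_open = alerts.get(user, {}).get("severity") != "high"
            if len(queue) >= threshold and still_open:
                alerts[user] = {"user": user, "prompts": len(queue),
                                "severity": "medium", "approved_at": None}
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A burst that ends in an approval is the case to escalate first, since it suggests the user was worn down into accepting a login they did not start.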


With number matching enabled, the Authenticator app requires the user to type in the number displayed on the sign-on screen when approving an MFA request rather than just hitting ‘approve’. This is going to be a handy feature for admins whose users have been caught out by this attack on MFA.

For now, admins can enable number matching in Authenticator, but Microsoft plans to make it the default for all Authenticator users in February 2023, according to Alex Weinert, Microsoft’s VP director of identity security.

Admins can also configure Authenticator to use location context and application context to prevent accidental approvals.

Microsoft has published instructions for configuring number matching, which can be enabled by group or other filters, and notes that number matching isn’t supported on Apple Watch notifications. The admin rollout controls will be removed after number matching becomes the default for the Authenticator app.

Also, Authenticator on iOS now uses App Transport Security (ATS), a security feature Apple introduced in iOS 9 in 2015 to enforce secure connections over the internet. However, ATS needs to be enabled by app developers, and researchers in 2019 found that 67% of 30,000 scanned apps had ATS completely disabled.

Microsoft Authenticator: number matching

