
Authenticator features that help combat MFA fatigue attacks

Published December 1, 2022; updated December 9, 2022

To help solve a problem with multifactor authentication called MFA fatigue attacks, Microsoft added new features to the Microsoft Authenticator app. In this post, I’ll share my take on what this means for you.

What is an MFA fatigue attack? It’s quite simple. You know the MFA push notifications you receive when you’re attempting to log in? Imagine a bad actor who knows your password and tries to log in repeatedly. You would receive hundreds of approve-or-deny requests. Eventually you would get tired of them and might even approve one just to make the prompts stop.

In more sophisticated attacks, the threat actor will also pose as a member of the IT department and tell the user that it’s OK to accept the MFA request in order to make the prompts stop.

Note: A typical IT department would not do this. Instead, if anything similar ever happens to you, please reach out to your IT department as soon as possible.

To address these scenarios and help make Authenticator more secure for users, Microsoft added the number matching and additional context for passwordless sign-in features. These became available in public preview in November 2021 and moved into general availability on October 21, 2022.

How to roll out the new features

If you’re interested in enabling these capabilities for your organization, you should first know that there is a baseline requirement: users need to have Microsoft Authenticator registered as an authentication method for Azure AD.

With that in place, I highly recommend that you first create an Azure AD security group to target these new features, so the roll-out across your organization stays smooth and controlled.

Next, navigate to the Security blade within the Azure AD portal at https://aad.portal.azure.com. Select Authentication methods, pick Microsoft Authenticator, open the Configure tab and enable these features:

  • Require number matching for push notifications
  • Show application name in push and passwordless notifications
  • Show geographic location in push and passwordless notifications

In the following example I am using a group I created called MSFT Authenticator New Features as the target. The goal is to enable all of the new features for this group only, so the rest of the organization is not affected.
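The same pilot-group configuration expressed against the policy object instead of the portal, as an added example that is not from the original post: it builds the PATCH body for the Microsoft Authenticator authentication method configuration and audits a fetched copy of that policy for features that do not yet reach the pilot group. The Graph beta property names (featureSettings, numberMatchingRequiredState, displayAppInformationRequiredState, displayLocationInformationRequiredState, includeTarget), the state values and the group ids are assumptions to verify against the current Graph reference before use.

```python
import json

# Graph beta featureSettings keys for the Microsoft Authenticator policy (assumed names)
FEATURES = (
    "numberMatchingRequiredState",
    "displayAppInformationRequiredState",
    "displayLocationInformationRequiredState",
)


def build_feature_settings(group_id: str) -> dict:
    """PATCH body that enables all three features for one pilot group only."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {
            name: {"state": "enabled", "includeTarget": {"targetType": "group", "id": group_id}}
            for name in FEATURES
        },
    }


def _covers_group(cfg: dict, group_id: str) -> bool:
    """True when the feature is enabled and its include target reaches group_id."""
    if cfg.get("state") != "enabled":
        return False
    target = cfg.get("includeTarget", {})
    if target.get("targetType") == "all_users":
        return True
    return target.get("targetType") == "group" and target.get("id") == group_id


def audit_feature_settings(policy: dict, group_id: str) -> list:
    """One finding per feature that does not reach group_id; an empty list means fully rolled out."""
    settings = policy.get("featureSettings", {})
    findings = []
    for name in FEATURES:
        cfg = settings.get(name, {})
        if not _covers_group(cfg, group_id):
            target = json.dumps(cfg.get("includeTarget", {}), sort_keys=True)
            findings.append(f"{name}: state={cfg.get('state', 'missing')} target={target}")
    return findings


# Constructed sample of a policy after a partial roll-out (placeholder group ids, not real)
PILOT_GROUP = "11111111-2222-3333-4444-555555555555"
SAMPLE_POLICY = {"featureSettings": {
    "numberMatchingRequiredState": {"state": "enabled", "includeTarget": {"targetType": "group", "id": PILOT_GROUP}},
    "displayAppInformationRequiredState": {"state": "enabled", "includeTarget": {"targetType": "group", "id": "other-group"}},
    "displayLocationInformationRequiredState": {"state": "default", "includeTarget": {"targetType": "all_users", "id": "all_users"}},
}}
```

Running audit_feature_settings(SAMPLE_POLICY, PILOT_GROUP) reports two gaps, the application-name feature (targeted at a different group) and the location feature (still in the default state), which is the check to repeat after every change to the policy.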

[Image: Microsoft Authenticator feature enablement]

Number matching user experience

Now that these features are enabled for our organization, I have added a test user to the MSFT Authenticator New Features group. The next time this user signs in to a Microsoft 365 URL, instead of the traditional approve/deny prompt, they are presented with a number matching prompt.

[Animation: number matching prompt in Microsoft Authenticator on mobile]

Location and application aware context with number matching

In the GIF above, I had enabled all three of these settings targeting the test group. This means the sign-in location is displayed along with the application name, on top of the number matching requirement. See for yourself:

[Image: number matching prompt showing application name and sign-in location]

In this example, the user is navigating to the Office homepage at https://portal.office.com from their home address, and they are still prompted for number matching. This gives the user real peace of mind: the prompt displays where the authentication request came from (location) and where it is going (application), and it still requires the user to match the numbers.

I hope this post detailing some of the newly released Microsoft Authenticator features, and how to deploy them throughout your organization, is helpful. If you have any questions, please reach out to info@invisocorp.com. We are here to help!

Author: Ted Martin