Number Matching Is Coming, Whether You Want It Or Not
If you use Azure AD Multi-Factor authentication, then you should be aware that as of 27th February 2023, Microsoft will begin enforcing number matching with MFA requests using the authenticator app. So what does this mean?
What is Number Matching?
If you’ve used Azure AD MFA push notifications using the authenticator app, you’ll be familiar with the popup you get when logging in, asking you to confirm your request.
The problem with this approach is MFA fatigue. People get a lot of MFA prompts throughout the day, so it’s common for them to approve an authentication request as soon as it pops up without thinking about whether they actually did something to trigger it. This makes it much easier for an attacker to compromise an MFA-protected account: all it takes is the user approving one attacker-triggered request, and the attacker is into the account and able to do a lot of damage.
To combat this, Microsoft is introducing number matching. Number matching means that when a user is asked for an MFA response, they are also presented with a number on the page or app where the authentication is happening.
The user then receives the MFA prompt on their mobile device authenticator app, but in this scenario there is an extra field in the popup asking for this number.
The user must enter the number shown on the requesting page; if it doesn’t match, they can’t approve the request. It’s a simple feature, but it eliminates the chance of a user accidentally approving a request triggered by an attacker, because the number is displayed on the attacker’s screen, not the user’s.
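The exchange described above, as an added illustration that is not Microsoft’s code: the sign-in page is shown a number, the push prompt carries only a challenge id, and the approval only counts when the number the user types matches the one on the requesting page. The two-digit range, the three-attempt limit and the e-mail address are assumptions made for the demo; the fatigue scenario at the end models the attacker-triggered prompt from the text and shows why a reflex tap succeeds without number matching but fails with it.

```python
"""Toy model of Azure AD push MFA with and without number matching.

Added illustration, not Microsoft code. The 2-digit number range, the
attempt limit and the sample user are assumptions for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class PushChallenge:
    user: str
    number: int          # number rendered on the requesting sign-in page
    approved: bool = False
    attempts: int = 0


class MfaService:
    """Identity-provider side of the push / number-matching exchange."""

    def __init__(self, number_matching: bool = True, max_attempts: int = 3,
                 rng: Callable[[], int] = lambda: secrets.randbelow(100)):
        self.number_matching = number_matching
        self.max_attempts = max_attempts    # assumed lockout after 3 wrong entries
        self.rng = rng                      # injectable so the demo is deterministic
        self.challenges: Dict[str, PushChallenge] = {}

    def start_sign_in(self, user: str) -> Tuple[str, int]:
        """Password accepted; create a push challenge.

        Returns (challenge_id, number). The number is shown on the sign-in
        page of whoever typed the password; the push notification sent to
        the Authenticator carries only the challenge id, never the number.
        """
        cid = secrets.token_hex(8)
        number = self.rng()
        self.challenges[cid] = PushChallenge(user, number)
        return cid, number

    def approve(self, cid: str, entered: Optional[int] = None) -> bool:
        """Called when the user taps Approve in the Authenticator.

        Without number matching any tap approves the request. With it,
        the tap only counts if the entered number equals the one on the
        requesting page; every wrong entry burns an attempt and the
        challenge is dead once max_attempts is reached.
        """
        ch = self.challenges.get(cid)
        if ch is None or ch.approved or ch.attempts >= self.max_attempts:
            return False
        ch.attempts += 1
        if not self.number_matching:
            ch.approved = True          # classic push: the tap is the approval
            return True
        if entered is None:
            return False                # prompt cannot be approved without a number
        # Constant-time compare is overkill for two digits, but it is the habit
        if hmac.compare_digest(f"{entered:02d}", f"{ch.number:02d}"):
            ch.approved = True
            return True
        return False

    def is_approved(self, cid: str) -> bool:
        ch = self.challenges.get(cid)
        return bool(ch and ch.approved)


def fatigue_scenario(number_matching: bool, victim_entry: Optional[int]) -> bool:
    """Model the MFA-fatigue case from the text.

    An attacker holding the password triggers a sign-in, so the number is
    rendered on the attacker's screen. The victim, who never sees it, taps
    Approve by reflex and (with number matching on) can only type a guess.
    Returns True if the attacker's sign-in ends up approved.
    """
    # Fixed number so the outcome is reproducible; constructed for the demo.
    svc = MfaService(number_matching=number_matching, rng=lambda: 73)
    cid, _number_on_attacker_screen = svc.start_sign_in("victim@example.com")
    svc.approve(cid, victim_entry)
    return svc.is_approved(cid)


if __name__ == "__main__":
    print("classic push, reflex tap  :", fatigue_scenario(False, None))   # True
    print("number matching, no number:", fatigue_scenario(True, None))    # False
    print("number matching, guess 12 :", fatigue_scenario(True, 12))      # False
```

The attempt counter is what turns a 1-in-100 guess into a non-issue: after a handful of wrong entries the challenge is dead and the attacker has to trigger a new prompt, which is exactly the noisy behaviour a sign-in log review will surface.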
Number Matching on Mobile
One slightly tricky scenario for number matching is when you log into a site or app on your mobile device, which is also the device you use for the authenticator app. Logging in will show you the number, but very quickly the authenticator app will also open the response prompt on the same device, so you may be unable to see the number you need to enter. To deal with this, the response prompt in this scenario has an additional “Can’t See Number” button, which hides the prompt for a few seconds so you can view the number.
Enforcing Number Matching
Given its security benefits, Microsoft has decided to enforce number matching, so at some point after the 27th of February 2023 the option to disable it in your AAD tenant will no longer be available. Once this occurs, all users will receive number-matching prompts when they trigger an MFA request.