Microsoft Authenticator mandates number matching to counter MFA fatigue attacks

Microsoft Authenticator: Microsoft logo on an office building
(Image credit: Getty Images)

Microsoft Authenticator will now enforce number matching for all push notifications to make multi-factor authentication (MFA) less susceptible to social engineering attacks.

High-profile cyber criminals have seen success exploiting MFA fatigue attacks. These involve sending a barrage of MFA push notification requests to organizations’ staff, often at unsociable hours, to manipulate them into authenticating a login attempt just to clear the frustrating notifications.

Number matching involves opening a push notification, launching Microsoft Authenticator, and entering a series of numbers that appear in the app in order to approve the login attempt.

The technique has been around for years and marries the authentication methods of MFA and two-factor authentication (2FA).

These numbers usually reset after a given time period, like 30 seconds, and add an additional layer of interaction to help reduce the risk of successful social engineering attacks.

In a typical attack scenario, recipients of the constant notifications are often asleep and wake up to a series of loud alerts from their smartphone. 

Half asleep, the attack can see success when staff simply approve login attempts so they can get back to sleep, for example.

Adding another manual layer increases the difficulty in quickly approving requests, making the process more manual and potentially allowing more time for the recipient to realize that the event is being triggered by a bad actor.

Number matching in Microsoft Authenticator

(Image credit: Microsoft)

“As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests,” said Microsoft in its Active Directory (AD) documentation

“Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy if Notifications through mobile app is enabled.”

Microsoft said number matching will be applied as standard to a number of different authentication scenarios. 


Webinar screen with host image top right and centre image of man using a smartphone surrounded by brand logos including Salesforce

(Image credit: Okta)

Why MFA, why now?

A discussion with Okta and Salesforce on the new MFA requirement


Users attempting a self-service password reset (SSR) will also have to use MFA number matching to complete the process. 

Number matching will also be enforced for combined registration in Azure AD and the AD FS adapter for Windows Server.

Microsoft clarified that users cannot opt out of number matching, but there may be some scenarios that don’t enforce it, such as in MFA Server, which is deprecated, and with old versions of Authenticator which will no longer work, requiring an update.

The AD portal may also still show the setting to enable number matching manually, but Microsoft said that you may just need to refresh the browser in order to see the update.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.