The Microsoft Authenticator is getting a backend upgrade in which it now be able suppresses risky sign notifications in an attempt to mitigate against “MFA fatigue” caused by this new attack tactic called MFA bombing. As a big internal advocate of passwordless within my own organisation this is great news…
What is MFA Bombing
“MFA Bombing”, is an attack method in which attackers continually try to logon from unfamiliar locations causing an influx of MFA prompts aimed to truck the user to click accept and allow the sign in since they get sick of dismissing notifications. This is known as MFA bombing attacks.
Microsoft say that this new policy should address the root cause of this growing security breach method.
How Microsoft Authenticator protects against MFA Bombing
In response to this, Microsoft’s Authenticator app will now automatically suppress notifications that come from “risky signins” based on number matching, a MFA method that requires users to verify their identity by entering a numerical code displayed on the screen.
This is aimed to protect users that use the “approve only method” but acts on any method used. Microsoft will now suppress Authenticator notifications when a request is deemed to pose potential risks, such as when the request originates from an unfamiliar location or is exhibiting other anomalies such as repetitive requests (or bombing).
We now suppress Authenticator notifications when a request displays potential risks, such as when it originates from an unfamiliar location or is exhibiting other anomalies. This approach significantly reduces user inconvenience by eliminating irrelevant authentication prompts.
Microsoft.
With this feature, and in the event of a login request that looks risky, the standard notification will not be sent to the users device via the authenticator app. Instead, the user (or attacker) will receive a notification on screen (where they are trying to logon) and be told to “Open your Authenticator app and enter the number shown to sign in,”.
When the user opens the Authenticator App, the request will be available for the user and they can sign in…..
Since no notification will be shown on the users mobile authenticator app, if the request was not made by the user, no notification will be displayed so the request will time out.
This significantly reduces user inconvenience by eliminating irrelevant and known risky authentication prompts.
Microsoft recommend “number matching”
Whilst these additional protections are great, it’s recommended that organisations look to implement number matching (if not enabled by default) to enhances the security of the sign-in process by requiring users to enter a sequence of numbers that are displayed on the sign-in screen when approving an MFA request in the Authenticator app. This has a number of immediate benefits over simple approve/deny options including:
- It prevents accidental approvals by making sure that you are aware of the sign-in request and have access to the sign-in screen.
- It defends against MFA fatigue attacks, which are spamming attempts to trick people into approving access requests by sending you multiple notifications.
- It provides an additional layer of security by verifying that the device or app that generates the numbers is the same as the one that receives the approval request.
The implementation of number matching, is a grest way forward and has been extremely successfully in preventing attackers that engaging in MFA fatigue / bombing attacks.
Combined with the new suppression technology for known attacks , Microsoft say that this change has already prevented more than 6 million MFA notifications since September 2023.
Number matching in MFA is available for the Microsoft Authenticator app and can be enabled by IT admins for different scenarios, such as multifactor authentication, self-service password reset, combined registration, AD FS adapter, and NPS extension.