Tag: MFA

Posted on

Microsoft Authenticator now protects against “MFA Bombing” .

The Microsoft Authenticator is getting a backend upgrade in which it now be able suppresses risky sign notifications in an attempt to mitigate against “MFA fatigue” caused by this new attack tactic called MFA bombing. As a big internal advocate of passwordless within my own organisation this is great news…

What is MFA Bombing

“MFA Bombing”, is an attack method in which attackers continually try to logon from unfamiliar locations causing an influx of MFA prompts aimed to truck the user to click accept and allow the sign in since they get sick of dismissing notifications. This is known as MFA bombing attacks.

Microsoft say that this new policy should address the root cause of this growing security breach method.

How Microsoft Authenticator protects against MFA Bombing

In response to this, Microsoft’s Authenticator app will now automatically suppress notifications that come from “risky signins” based on number matching, a MFA method that requires users to verify their identity by entering a numerical code displayed on the screen.

This is aimed to protect users that use the “approve only method” but acts on any method used. Microsoft will now suppress Authenticator notifications when a request is deemed to pose potential risks, such as when the request originates from an unfamiliar location or is exhibiting other anomalies such as repetitive requests (or bombing).

We now suppress Authenticator notifications when a request displays potential risks, such as when it originates from an unfamiliar location or is exhibiting other anomalies. This approach significantly reduces user inconvenience by eliminating irrelevant authentication prompts.

Microsoft.

With this feature, and in the event of a login request that looks risky, the standard notification will not be sent to the users device via the authenticator app. Instead, the user (or attacker) will receive a notification on screen (where they are trying to logon) and be told to “Open your Authenticator app and enter the number shown to sign in,”.

When the user opens the Authenticator App, the request will be available for the user and they can sign in…..

Since no notification will be shown on the users mobile authenticator app, if the request was not made by the user, no notification will be displayed so the request will time out.

This significantly reduces user inconvenience by eliminating irrelevant and known risky authentication prompts.

Microsoft recommend “number matching”

Whilst these additional protections are great, it’s recommended that organisations look to implement number matching (if not enabled by default) to enhances the security of the sign-in process by requiring users to enter a sequence of numbers that are displayed on the sign-in screen when approving an MFA request in the Authenticator app. This has a number of immediate benefits over simple approve/deny options including:

  • It prevents accidental approvals by making sure that you are aware of the sign-in request and have access to the sign-in screen.
  • It defends against MFA fatigue attacks, which are spamming attempts to trick people into approving access requests by sending you multiple notifications.
  • It provides an additional layer of security by verifying that the device or app that generates the numbers is the same as the one that receives the approval request.

The implementation of number matching, is a grest way forward and has been extremely successfully in preventing attackers that engaging in MFA fatigue / bombing attacks.

Combined with the new suppression technology for known attacks , Microsoft say that this change has already prevented more than 6 million MFA notifications since September 2023.

Number matching in MFA is available for the Microsoft Authenticator app and can be enabled by IT admins for different scenarios, such as multifactor authentication, self-service password reset, combined registration, AD FS adapter, and NPS extension.

Posted on

Microsoft “Authenticator app” now lets users change their passwords directly from the app

The Microsoft Authenticator app on Android has been updated and now lets users change security information and passwords right from within the app. This update also lets users view recent sign in activity, such as recent login attempts or changes to their account. This features update bring the android version upto date with the iOS version, which got this update back in May.

With the updated version, users can tap on the account name in the app which then opens a full-screen page for that account’s settings. Here it provides the one-time passcode for second-factor authentication, along with other options such as changing the password, updating security information, reviewing recent activity, and removing the account from authenticator should you wish.

These options are presented directly inside the app in a kind of in-line browser that lets users perform these actions without needing to switch to a browser or make these changes on the web. This works for corporate accounts as well as personal Microsoft accounts such as those with personal Microsoft 365 accounts.

Note: the account management options are not be available to Azure AD accounts as Microsoft want to empower IT admins to choose which options are made available to users from the Authenticator App.

Users can download the Microsoft Authenticator app for Android from the Google Play Store here.

Proudly powered by WordPress