Posted on May 5, 2023
Estimated reading time 5 minutes
Starting from 8th May 2023, Microsoft is introducing an extra layer of security for its users with the introduction of Number Matching MFA. This new Multi-Factor Authentication (MFA) feature will require all users of Microsoft Authenticator push authentications to match their MFA number with their account. This provides a much more secure approach to authenticate your account and is sure to give you peace of mind when accessing your data. Secure your Microsoft Authenticator today by learning more about Number Matching MFA. Are you looking for ways to increase the security of your Microsoft Authenticator? Number Matching MFA is the answer! Starting from 8th May 2023, Microsoft will be enforcing the number match experience tenant-wide, meaning all users of Microsoft Authenticator push authentications will have to use it.
What is MFA?
MFA is a critical element in your security posture. We know from Microsoft’s Digital Defence Report 2022, that in 88% of cases of ransomware incident responses, MFA was not implemented. This leaves a gap for attackers to exploit to compromise credentials and pivot further attacks using legitimate credentials.
MFA is a key part of an organisation’s identity and access management policy and goes beyond asking for usernames and passwords for authentication purposes. It makes user accounts more secure by asking for something you know such as a password, and in addition something you have, and something you are.
Multifactor authentication helps ensure that even if an attacker manages to steal your password, they will not be able to access your account without additional authentication. With MFA in place, users are prompted to verify their identity using a secondary device or application. Multifactor authentication is crucial to ensure that your organization’s data is kept secure and that your users’ accounts are not compromised. One way to implement MFA is through number matching. Multifactor authentication is a must-have security measure that all organizations should implement. It not only protects against account takeover and phishing attacks but also safeguards against identity theft. With multifactor authentication, an attacker would need to bypass not only the password but also the second factor, such as a one-time code sent to a trusted device or a biometric factor like facial recognition. In this way, multifactor authentication helps keep your data secure, ensuring that only authorized individuals have access to your systems and applications.
What is number matching?
MFA number matching is being forced for all tenants from 8th May 2023.
Number matching is a key security upgrade to traditional second-factor notifications in Microsoft Authenticator. Microsoft will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push authentications starting May 8, 2023. That means that after this date, there will be no option to exclude users or disable number matching.
For those of you already familiar with number matching, and who have implemented it, you will know that previously, you have had the option to focus on a single group (dynamic or nested). However, after the 8th May it will be enabled for all users rather than targeting a group. The Authentications method policy can support on-premises synchronised security groups and/or cloud-only security groups.
Number matching is a more secure way of ensuring that the person requesting access to your account is indeed the person they claim to be. When a user responds to an MFA push notification using the Authenticator app, they will be presented with a number that they need to type into the app to complete the approval. This number is generated based on the request, so even if someone intercepts the request, they will not be able to gain access without the number.
Number matching will now be enabled for all users rather than a single group. This allows you to ensure that all users must be authenticated in order to have access to your systems and data. Note that number matching is available for certain scenarios and is not supported for push notifications for Apple Watch or Android wearable devices.
Number matching is required for Self-service password reset (SSPR) with Microsoft Authenticator and Combined registration with Microsoft Authenticator. It provides an additional layer of security for these features, making it more difficult for attackers to gain access to your account.
Finally, it is important to note that AD FS adapter will require number matching on supported versions of Windows Server. This means that you will need to ensure that your server is up-to-date and supports number matching if you want to continue using Microsoft Authenticator for AD FS.
How does this differ from traditional second factor authentication?
Traditional second factor authentication usually involves receiving a notification or code through SMS, email, or a separate authentication app. The user is then required to input the code or approve the notification to complete the authentication process. However, this process can sometimes be vulnerable to hacking and other security risks.
Number matching, on the other hand, adds an extra layer of security to the authentication process by requiring the user to manually enter a number provided by the requesting page or app. This ensures that only authorized users can access the system and provides an additional barrier to hackers trying to breach the authentication process.
In summary, number matching MFA offers a more secure method of second factor authentication compared to traditional methods. With this added security measure being enforced for Microsoft Authenticator push authentications, users can rest assured that their accounts are better protected from unauthorized access.
When will this change take place?
The MFA number matching upgrade for Microsoft Authenticator will be enforced for all tenants from May 8, 2023. Relevant services will begin deploying these changes after this date, with some users starting to see number matching in approval requests. It is important to note that wearable device users will need their phone to approve push notifications when number matching is enabled, and unpatched versions of Windows Server may not support number matching. To ensure consistent behaviour for all users, it is recommended to enable number matching in advance and apply updates as soon as possible.
What do I need to do to prepare for this change?
As the enforcement of number matching MFA for all users of Microsoft Authenticator push authentications is only a few days away, it is important to be prepared for this change now to ensure your organization’s security. Here are some steps you can take:
1. Enable number matching: As mentioned earlier, Microsoft highly recommends enabling number matching in the near term for improved sign-in security. You can do this in the Azure portal or using Graph APIs. You can also enable it for a single group of users or for all.
2. Contact your account manager or service desk: If you are not sure how to enable number matching or need support in readiness, it is a good idea to contact your account manager or Microsoft’s service desk. They will be able to advise you on the best approach and support you through the process.
3. Educate your users: Make sure your users are aware of this upcoming change and what it means for them. You may also want to provide training on how to use Microsoft Authenticator with number matching.
4. Update your policies: Make any necessary updates to your security policies and procedures to reflect this change and ensure compliance.
By taking these steps now, you can ensure a smooth transition to number matching MFA and strengthen your organisation’s security.