At the end of 2021, Microsoft announced new functionalities within the Microsoft Authenticator MFA application. These are number matching and additional context, both described below.
Many organisations and their employees are used to approving MFA push notifications in the Authenticator app as part of multifactor authentication.
Until the end user taps ‘Approve’, the application or page they want to consult is not accessible. However, the tap on ‘Approve’ carries some risk. Because it is so simple, users can mistakenly or reflexively tap ‘Approve’ and open the way to malicious activity. After obtaining a user's credentials, a malicious party can spam that end user with notifications in the Authenticator app. The risk is that an end user who is unaware of what is happening taps ‘Approve’ simply to get rid of the many notifications.
Fortunately, Microsoft now offers a solution for this with ‘Number matching’. With number matching, after the user logs in, a number is shown on the page or application where authentication takes place. The user has to enter this number in the prompt shown by the Authenticator application.
Retyping the number is slightly less user-friendly, but it greatly reduces this security weakness.
To improve the legitimacy of an MFA notification in the Authenticator application, you can use ‘Additional context’ in Azure to give these notifications more context. As a result, you as an end user get more information about the origin of the notification and can better assess whether it is legitimate. The extra context is given by adding two parts to the notification:
- Location from which authentication is made.
When an end user, or a malicious person, tries to log in, you receive a notification in the Authenticator app that shows the geographic location from which the authentication attempt is being made. A side note is that this location is IP-based. On the one hand, this does not give a very accurate picture of the actual location, and there are conceivable means for a malicious person to present a different (IP-based) location than their actual one. On the other hand, a notification that indicates an origin in another country gives a clear and direct signal that something may not be right.
- The application on which you log in.
In the same Authenticator notification you can also show which application the login attempt is for. This too gives an end user an indication of whether the notification is legitimate: if you are not using the application shown in the Authenticator at that moment, the notification may well not be legitimate.
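Both features are tenant settings in the Authentication methods policy, and a practitioner will want to turn them on for everyone and then verify that no group was left out. The script below is an added example, not code from the original post or from Microsoft: it builds the Microsoft Graph PATCH body that enforces number matching, application name and location for all users, and audits a policy object (as returned by GET on the same endpoint) for the weak settings the post warns about. The endpoint and the property names (numberMatchingRequiredState, displayAppInformationRequiredState, displayLocationInformationRequiredState, the "all_users" include target) follow the Graph API's microsoftAuthenticatorFeatureSettings as this example's author understands it; treat them as an assumption and check them against the current Graph documentation before use. The sample policy is constructed for the demonstration.

```python
"""Build and audit Microsoft Authenticator push-notification feature settings.

Added example, not from the original post. Endpoint and property names are
assumptions based on the Graph authenticationMethodsPolicy resource:

  PATCH https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/
        authenticationMethodConfigurations/microsoftAuthenticator
"""
import json

GRAPH_URL = (
    "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/"
    "authenticationMethodConfigurations/microsoftAuthenticator"
)

# The three push-notification features discussed in the post.
FEATURES = (
    "numberMatchingRequiredState",            # number matching
    "displayAppInformationRequiredState",     # additional context: application
    "displayLocationInformationRequiredState",  # additional context: location
)

ALL_USERS = "all_users"


def feature(state, target=ALL_USERS):
    """One authenticationMethodFeatureConfiguration entry (assumed shape)."""
    return {
        "state": state,  # "default", "enabled" or "disabled"
        "includeTarget": {"targetType": "group", "id": target},
    }


def hardened_body():
    """PATCH body that enforces all three features for all users."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {name: feature("enabled") for name in FEATURES},
    }


def audit(config):
    """Return findings for every feature that is not enforced for all users.

    `config` is a microsoftAuthenticator configuration object; a missing
    feature entry is treated as Microsoft's "default" state, i.e. not enforced.
    """
    findings = []
    settings = config.get("featureSettings") or {}
    for name in FEATURES:
        entry = settings.get(name) or {}
        state = entry.get("state", "default")
        target = (entry.get("includeTarget") or {}).get("id")
        if state != "enabled":
            findings.append(f"{name}: state is '{state}', expected 'enabled'")
        elif target != ALL_USERS:
            findings.append(f"{name}: enabled only for target '{target}', not all users")
    return findings


# Constructed sample policy (not real tenant data): number matching is on for
# everyone, application name was never turned on, and location is only
# enabled for a single pilot group, so most users still get context-free pushes.
WEAK_CONFIG = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "featureSettings": {
        "numberMatchingRequiredState": feature("enabled"),
        "displayAppInformationRequiredState": feature("default"),
        "displayLocationInformationRequiredState": feature(
            "enabled", target="00000000-0000-0000-0000-000000000000"  # placeholder group id
        ),
    },
}

if __name__ == "__main__":
    print("PATCH", GRAPH_URL)
    print(json.dumps(hardened_body(), indent=2))
    for line in audit(WEAK_CONFIG):
        print("FINDING:", line)
    print("hardened body findings:", audit(hardened_body()))
```

Run the audit against the JSON you get from a GET on the same endpoint (with an account holding the Policy.ReadWrite.AuthenticationMethod permission) before and after applying the PATCH; an empty findings list is the state the post argues for, and the include-target check catches the common pilot-group-only rollout that leaves the rest of the organisation on plain push approval.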
You can easily roll out and test these two functionalities across your organisation, but we should note that they are only part of creating a truly secure environment. These methods must go hand in hand with awareness and education for end users.
Author: Tim Struik
Date of Publish: 19 July 2022