Microsoft announced a new feature for its Authenticator app to make two-factor authentication more secure: a mandatory number-matching step for users who approve sign-ins to services through Authenticator push notifications.
According to Microsoft, this feature will help prevent phishing attacks that try to trick users into approving a sign-in request from a malicious website or app. When a user responds to an MFA push notification using Authenticator, they’ll be presented with a number. They need to type that number into the app to complete the approval.
This new feature comes on the heels of a sharp rise in the number of cyberattacks using MFA fatigue, also known as MFA push spamming or push bombing. Attackers are finding ways around MFA protections, for example through phishing and, in this case, MFA fatigue: a social engineering technique in which attackers use stolen credentials to attempt to sign into a protected account quickly and repeatedly, overwhelming the victim with push notifications asking for login approval until one is approved by mistake.
In October 2022, Microsoft introduced number matching as an option, as well as other security features like location and application context, in Microsoft Authenticator. As of May 8th, number matching is automatically enabled for all push notifications in Authenticator.
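To make the mechanism concrete, the following is an added example simulating server-side number matching as described above; it is not Microsoft's code. It assumes a two-digit number, a 60-second challenge lifetime and single-use challenges (all assumptions), and shows why a reflexive "approve" tap during push bombing fails: the victim never saw the number displayed on the attacker's sign-in screen.

```python
import secrets
import time

# Assumed parameters (not taken from Microsoft's implementation).
CODE_RANGE = 100      # two-digit number, 00-99
TTL_SECONDS = 60      # how long a pending push challenge stays valid


class NumberMatchingVerifier:
    """Server-side store of pending push challenges and the number each one expects."""

    def __init__(self, now=time.time, randbelow=secrets.randbelow):
        self._now = now              # injectable clock (for tests)
        self._randbelow = randbelow  # injectable RNG (for tests)
        self._pending = {}           # challenge_id -> (number, expires_at)

    def start_challenge(self):
        """Called at sign-in. Returns (challenge_id, number). The number is shown only on
        the sign-in screen; the push notification sent to the app carries the challenge_id."""
        challenge_id = secrets.token_hex(8)
        number = self._randbelow(CODE_RANGE)
        self._pending[challenge_id] = (number, self._now() + TTL_SECONDS)
        return challenge_id, number

    def approve(self, challenge_id, entered):
        """Called when the user submits a number from the app. Each challenge is
        consumed on first use and rejected after expiry, so a replay also fails."""
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False  # unknown, already used, or never issued
        number, expires_at = record
        if self._now() > expires_at:
            return False  # stale push; user must sign in again
        # Constant-time comparison of the two-digit strings.
        return secrets.compare_digest(f"{number:02d}", f"{int(entered):02d}")


def legitimate_sign_in(verifier):
    """The user reads the number from their own sign-in screen and types it into the app."""
    challenge_id, shown = verifier.start_challenge()
    return verifier.approve(challenge_id, shown)


def blind_tap(verifier, guess):
    """Push-bombing scenario: the sign-in was started by someone else, so the victim
    never saw the number and can only guess. Succeeds with probability 1/CODE_RANGE."""
    challenge_id, _shown_elsewhere = verifier.start_challenge()
    return verifier.approve(challenge_id, guess)
```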