Microsoft Authenticator is an account verification app that helps sign into your Microsoft account from any device using two-step verification. The application has evolved ever since it was launched, adding new capabilities like the auto-generation of stronger passwords and autofill support for addresses and payment details.
As you might recall, back in August we reported on how attackers were using push-based MFA spam to bypass Microsoft’s multi-factor authentication. While some recommendations were provided at the time on how to avoid falling victim to such tricks, Microsoft is now adding an extra layer of security to further mitigate this issue through a couple of features that are now generally available.
First up is number matching in the Microsoft Authenticator MFA experience, which helps prevent users from making accidental approvals while also protecting them from MFA attacks by hackers. Once enabled by admins, the feature requires users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.
Building on this premise, Microsoft will now provide users with additional context in Authenticator notifications on two counts. First, the notification shows which application is being signed into; second, users will see the sign-in location, based on the IP address of the device that is signing in.
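As an added illustration (not Microsoft's code, but a toy model that assumes a three-attempt cap the article does not specify), here is a Python sketch of why number matching defeats approval spam: the push carries the app name and IP as context, but the number lives only on the sign-in screen, so a user who simply taps Approve cannot complete the login.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class PushChallenge:
    """One pending push. The number appears only on the sign-in screen;
    the push itself carries app name and IP as context, never the number."""
    challenge_id: str
    number: int
    app_name: str
    sign_in_ip: str
    attempts_left: int = 3      # assumed cap on wrong entries (not from the page)
    resolved: bool = False

class PushMfaService:
    """Toy approval back end; number_matching models the admin toggle."""
    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending: dict = {}

    def start_sign_in(self, app_name: str, sign_in_ip: str) -> PushChallenge:
        ch = PushChallenge(secrets.token_hex(8), secrets.randbelow(100), app_name, sign_in_ip)
        self.pending[ch.challenge_id] = ch
        return ch

    def approve(self, challenge_id: str, entered: Optional[int] = None) -> bool:
        ch = self.pending.get(challenge_id)
        if ch is None or ch.resolved:
            return False
        if not self.number_matching or entered == ch.number:
            ch.resolved = True
            return True
        ch.attempts_left -= 1          # wrong or missing number
        if ch.attempts_left == 0:      # burn the challenge after repeated misses
            ch.resolved = True
        return False

def fatigue_tap(number_matching: bool) -> bool:
    """Approve tapped on a push the user did not start: no number is known."""
    svc = PushMfaService(number_matching)
    ch = svc.start_sign_in("Office 365", "203.0.113.7")   # constructed sample
    return svc.approve(ch.challenge_id)

def legitimate_sign_in() -> bool:
    """User reads the number from their own sign-in screen."""
    svc = PushMfaService(number_matching=True)
    ch = svc.start_sign_in("Office 365", "203.0.113.7")
    return svc.approve(ch.challenge_id, entered=ch.number)
```

Without number matching a blind tap approves the sign-in; with it, the tap fails and repeated wrong entries burn the challenge so a later correct entry is also rejected.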
What’s more, through the refreshed Admin UX and APIs, admins will have an easier time managing Authenticator app features, as they can use the Configure tab in the Admin UX to enable or disable individual features. Admins will additionally be able to exclude groups from features, with the aim of providing a “smoother” experience for feature rollouts. However, this will not apply to the number matching feature once it reaches general availability.
Microsoft further indicated that:
At the end of February 2023, we’ll enable number matching for all Authenticator users. We highly recommend that you leverage the rollout controls and deploy these exciting security upgrades to Microsoft Authenticator.
And finally, if you are using the Authenticator app on iOS the privacy and data integrity between Authenticator and web services will be improved significantly courtesy of App Transport Security (ATS). The feature is already enabled by default and will not impact your interaction with the app whatsoever. Furthermore, Android users can search for their accounts using Microsoft Authenticator. The same feature is set to roll out for iOS users soon.