New Microsoft Authenticator security features
Last week on October 25, 2022, Microsoft announced the General Availability of the new Microsoft Authenticator security features to make your organization even more secure.
But what has really changed in Microsoft Authenticator and how can this be configured? In the next sections you will learn more.
Attacks on MFA/2FA (multi-factor authentication/two-factor authentication) have increased in recent months, and more often than not attackers have also managed to bypass MFA. In many of these cases this was only possible through MFA fatigue attacks.
But what exactly are MFA fatigue attacks?
The first step towards securing your identities is to activate a second factor. A user sign-in then requires this additional factor (e.g. SMS, one-time code, etc.) in addition to the username and password. To make this as easy as possible for the user, various vendors have developed corresponding smartphone apps. Microsoft, for example, offers Microsoft Authenticator (available in the Google Play Store and Apple App Store).
With these smartphone apps, the user confirms the second factor with a tap on Approve (or rejects it with a tap on Decline) instead of typing a code; if required, the phone's fingerprint or face unlock adds an extra layer of protection. With a zero-trust configuration (as recommended), the user has to enter or confirm the second factor several times across different applications. Over time they stop checking whether they really triggered the request shown in the smartphone app and simply approve it. This is referred to as an accidental approval: the user confirms the second factor without checking and thereby allows an attacker to access their data or the company's data.
New features available for administrators
To counter MFA fatigue attacks and further protect identities, Microsoft made the following new security features generally available on October 25, 2022:
Admins can now prevent accidental approvals in Microsoft Authenticator with number matching, location context, and application context.
Admins can now better manage the Microsoft Authenticator app with new Admin UX and Admin APIs.
Number matching in Microsoft Authenticator MFA experience
To prevent accidental approvals and defend against MFA attacks, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.
Additional context in Microsoft Authenticator approval requests
Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. Admins can selectively choose to enable the following options:
Application context: Show users which application they’re signing into.
Location context: Show users their sign-in location based on the IP address of the device they’re signing into.
In this section, I'll explain how you can configure the various new features on your tenant and why certain options make perfect sense.
The configuration takes place in the Azure Active Directory Portal (https://aad.portal.azure.com).
In the Azure Active Directory Portal, click on Security (under Manage)...
... then click on Authentication methods...
... and open Microsoft Authenticator
In Microsoft Authenticator settings, enable the main feature for all users (recommended) or for a specific user group.
Under Configure, the individual features described in this blog post can be configured. These are explained individually below.
With Number matching enabled, a user signing in to a Microsoft 365 cloud service is shown a number on the sign-in screen that they must enter in Microsoft Authenticator to approve the request.
* This feature will be activated by Microsoft in February 2023 by default for all active cloud services.
Show application name displays the application or service being signed in to in Microsoft Authenticator when a user signs in to a Microsoft 365 cloud service. This lets the user verify that the second factor is approving the correct application.
Geographic location helps the user verify that the sign-in really originated from their own location. It is displayed in Microsoft Authenticator in the same way as the application name described above.
After saving, the settings become active within a few minutes.
If you set a feature's status to "Microsoft-managed", Microsoft will enable it at a time of its choosing after the preview. We recommend setting each feature explicitly to Enabled or Disabled rather than leaving it at the Microsoft-managed status.
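The portal steps above have an equivalent in the Admin APIs mentioned earlier: the Microsoft Authenticator authentication-method configuration can be read and patched through Microsoft Graph. The script below is an added example and is not code from the blog post or from Microsoft. It builds the PATCH body that enables the method plus number matching, application name and geographic location for a group (defaulting to the special `all_users` group id), and it audits a policy returned by Graph for features still left at the Microsoft-managed state, which the post recommends against. The endpoint and the property names (`numberMatchingRequiredState`, `displayAppInformationRequiredState`, `displayLocationInformationRequiredState`) are assumed to follow the Graph beta `microsoftAuthenticatorFeatureSettings` resource as of late 2022; check them against the current Graph reference before use. Obtaining the bearer token (with the `Policy.ReadWrite.AuthenticationMethod` permission) is assumed to happen elsewhere, and `SAMPLE_POLICY` is a constructed GET response, not real tenant data.

```python
"""Audit and configure the Microsoft Authenticator method policy via Microsoft Graph.
Example code, not part of the blog post; endpoint/property names are assumptions."""
import json
import urllib.request

# Assumption: beta endpoint for the Microsoft Authenticator method configuration.
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/MicrosoftAuthenticator")

# The three features from the post, keyed by their (assumed) Graph property name.
FEATURES = {
    "numberMatchingRequiredState": "Number matching",
    "displayAppInformationRequiredState": "Show application name",
    "displayLocationInformationRequiredState": "Show geographic location",
}


def feature_state(group_id="all_users", state="enabled"):
    """One featureSettings entry: explicit state plus the group it applies to.
    'default' would mean Microsoft-managed, which is what we want to avoid."""
    return {
        "state": state,
        "includeTarget": {"targetType": "group", "id": group_id},
    }


def desired_policy(group_id="all_users"):
    """PATCH body enabling the method and all three features for one group."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [
            {"targetType": "group", "id": group_id,
             "isRegistrationRequired": False, "authenticationMode": "any"}
        ],
        "featureSettings": {name: feature_state(group_id) for name in FEATURES},
    }


def audit_policy(policy):
    """Return a list of findings for anything not explicitly enabled.
    A missing feature entry is treated as 'default' (Microsoft-managed)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    settings = policy.get("featureSettings") or {}
    for name, label in FEATURES.items():
        state = (settings.get(name) or {}).get("state", "default")
        if state == "default":
            findings.append(f"{label} is Microsoft-managed (state=default); set it explicitly")
        elif state != "enabled":
            findings.append(f"{label} is {state}")
    return findings


def apply_policy(token, body):
    """Send the PATCH to Graph; returns the HTTP status (204 on success).
    Not exercised offline; needs a real token with Policy.ReadWrite.AuthenticationMethod."""
    req = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample GET response: number matching enabled, application name
# left Microsoft-managed, location explicitly disabled.
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [{"targetType": "group", "id": "all_users"}],
    "featureSettings": {
        "numberMatchingRequiredState": feature_state("all_users", "enabled"),
        "displayAppInformationRequiredState": feature_state("all_users", "default"),
        "displayLocationInformationRequiredState": feature_state("all_users", "disabled"),
    },
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("-", finding)
    print(json.dumps(desired_policy(), indent=2))
```

Running the script prints the two findings for the constructed sample and the PATCH body you would send with `apply_policy(token, desired_policy())`. Pointing `desired_policy` at a pilot group's object id instead of `all_users` matches the staged rollout the post suggests.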
Recommendation by doudisblog
At the end of February 2023, Microsoft will enable number matching for all Authenticator users by default.
We recommend activating all features by January 2023 at the latest, after a short test phase that takes user adoption into account (user information, pilot, handouts).
If you have any questions, problems or need support, please contact us. We will be happy to help you implement the new security features.
Have you already tested the new features or even introduced them?
What are your experiences?