The Microsoft Authenticator app is traditionally used with push notifications: after you sign in with your password (the first factor), you approve a prompt in the app on your phone. Although this method is still considered strong, it can be improved with number matching, which at the very least further reduces the risk of an attacker getting an approval out of a user who is only tapping "Approve".
In this post I am going to walk you through how to enable number matching for the Microsoft Authenticator app from within the Azure portal.
Will number matching be enabled automatically for Microsoft Authenticator?
Yes. From 8 May 2023, number matching for the Microsoft Authenticator app is automatically enabled and enforced for all tenants. This means that unless your IT team rolls it out and communicates it before that date, users will simply start being asked to enter the number shown on their sign-in screen into the app at their next interactive sign-in, with no warning.
What is Number Matching in the Microsoft Authenticator app?
Number matching is an important security improvement to the Microsoft Authenticator app that helps reduce phishing and MFA fatigue attacks. During an interactive sign-in, a two-digit number is shown on the sign-in screen; when the usual approval notification arrives in the Microsoft Authenticator app, the user must type that number into the app to approve the request.
How does number matching work?
Security is improved in the Microsoft Authenticator app with number matching because it reduces the likelihood of MFA being bypassed. Without number matching a user is at risk of MFA fatigue (also called push bombing): an attacker who already has the user's password triggers sign-in attempts over and over until the user, worn down by the stream of prompts, approves one by mistake or just to make them stop.
With number matching the attacker can no longer rely on a blind tap. The two-digit number is displayed only in the attacker's own browser session, so they would have to contact the user and talk them into entering it within the short window before the prompt expires. That makes a successful MFA fatigue attack very unlikely. One caveat: number matching does not defeat a real-time adversary-in-the-middle phishing page that relays the number from the attacker's session to the user; that requires phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business.
How to enable number matching in the Microsoft Authenticator app
1. Sign in to the Azure portal and go to Azure Active Directory > Security > Authentication methods > Policies.
2. Under the Method heading, select Microsoft Authenticator.
3. On the Enable and Target tab, set the slider to Enabled. Only users included in the target on this tab can be enabled for number matching; by default the target is All users.
4. Select the Configure tab.
5. Under Require number matching for push notifications, set Status to Enabled.
6. Now decide whether to target all users or a specific group. I suggest rolling this out first to users who drive change in your organisation, so they can help others adopt it. Once number matching has been communicated to all staff, it can be enabled for everyone.
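The portal steps above can also be audited and applied through Microsoft Graph, which is useful when you manage several tenants or want to prove the setting is enforced. The script below is an added example written for this post; it is not code from the original article or from Microsoft. It targets the beta Graph resource for the Authenticator method policy and the `featureSettings.numberMatchingRequiredState` property as documented before Microsoft enforced number matching for everyone; the resource path, property names and the all-zero GUID used as an empty exclude target are assumptions to confirm against the current Graph schema. The sample configuration is constructed so the audit runs offline.

```python
"""Audit and set Microsoft Authenticator number matching through Microsoft Graph.

Added example for this post, not code from the original article or Microsoft.
Resource path and property names follow the beta Graph schema as it stood
before number matching was enforced tenant-wide (assumption: verify before use).
"""
import json
import urllib.request

GRAPH_URL = (
    "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
    "/authenticationMethodConfigurations/microsoftAuthenticator"
)
ALL_USERS = "all_users"  # Graph's well-known target id for "All users"
NO_GROUP = "00000000-0000-0000-0000-000000000000"  # empty exclude target (assumption)

# Constructed sample of a GET response: Authenticator is enabled for all users,
# but number matching is still at the tenant default, i.e. not enforced yet.
SAMPLE_CONFIG = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "includeTargets": [
        {"targetType": "group", "id": ALL_USERS, "isRegistrationRequired": False,
         "authenticationMode": "any"}
    ],
    "featureSettings": {
        "numberMatchingRequiredState": {
            "state": "default",
            "includeTarget": {"targetType": "group", "id": ALL_USERS},
            "excludeTarget": {"targetType": "group", "id": NO_GROUP},
        }
    },
}


def number_matching_status(config: dict) -> dict:
    """Report whether number matching is enforced and for which target.

    A tenant is only fully covered when the Authenticator method is enabled,
    the feature state is "enabled" (not "default" or "disabled") and the
    include target is All users.
    """
    feature = config.get("featureSettings", {}).get("numberMatchingRequiredState", {})
    state = feature.get("state", "default")
    include_id = feature.get("includeTarget", {}).get("id")
    return {
        "method_enabled": config.get("state") == "enabled",
        "number_matching_state": state,
        "include_target": include_id,
        "enforced_for_all_users": (
            config.get("state") == "enabled" and state == "enabled" and include_id == ALL_USERS
        ),
    }


def build_patch_body(include_group_id: str = ALL_USERS, exclude_group_id: str = NO_GROUP) -> dict:
    """Build the PATCH body that turns number matching on for one target group.

    Pass a pilot group's object id to stage the rollout to a few users first
    (step 6 of the portal walkthrough); pass ALL_USERS to enforce tenant-wide.
    """
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "id": "MicrosoftAuthenticator",
        "state": "enabled",
        "featureSettings": {
            "numberMatchingRequiredState": {
                "state": "enabled",
                "includeTarget": {"targetType": "group", "id": include_group_id},
                "excludeTarget": {"targetType": "group", "id": exclude_group_id},
            }
        },
    }


def fetch_config(access_token: str) -> dict:
    """GET the live Authenticator method configuration (needs Policy.Read.All)."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_patch(access_token: str, body: dict) -> int:
    """PATCH the configuration (needs Policy.ReadWrite.AuthenticationMethod); returns HTTP status."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: audit, then build a pilot-group body.
    print(json.dumps(number_matching_status(SAMPLE_CONFIG), indent=2))
    print(json.dumps(build_patch_body("11111111-2222-3333-4444-555555555555"), indent=2))
```

Run the audit against `fetch_config(token)` output for each tenant and treat anything other than `enforced_for_all_users: True` as a finding; a state of `default` means you are relying on Microsoft's enforcement date rather than your own policy. To stage the rollout, pass the pilot group's object id to `build_patch_body` and only switch the include target to `all_users` once the change has been communicated.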
The user experience when you enable number matching
As soon as number matching is enabled for a user, at their next interactive sign-in they will be asked to enter the two-digit number shown on the sign-in screen into the Authenticator app.
Below is an example of what the user will see on their workstation screen and in the mobile app at the point where they are required to take action.
To improve the user's experience you should consider using Conditional Access policies to decide when, where and how often users are asked to sign in with multi-factor authentication. Use my tutorial here on How to create a Conditional Access policy in Azure Active Directory.