Multi-factor authentication (MFA) is critically important for securing accounts and limiting the risk of account compromise. However, one weakness of push-based MFA, such as the push notifications sent to the Microsoft Authenticator app, is that a user who receives too many prompts is likely to just approve one, potentially letting an attacker who already holds the password into the account. The notifications also don't currently provide enough context for the user to know why they are receiving the prompt in the first place.

Microsoft MFA enhancement with number matching

Microsoft has now added number matching to the push notifications sent to the Microsoft Authenticator app (currently in preview). This enhances the sign-in experience by displaying a number to the user as part of the sign-in process; that number must then be entered into the Microsoft Authenticator app to approve the sign-in request. Because the approver has to type the number shown on the sign-in screen, a prompt the user did not trigger themselves can no longer be approved by reflex.

Microsoft Authenticator app with number matching enabled

Complete details of the feature are available in the documentation page Use number matching in MFA.

Turning on the number matching feature

The feature can be turned on in minutes by following the enable number matching in the portal instructions. Keep in mind that it is currently a preview feature, so the usual disclaimers apply, and Microsoft has provided the ability to enable it only for a subset of users via groups.

Advanced configuration – providing the user extra context

I’d highly recommend looking at the advanced configuration options, as there are settings you can enable to give the user additional context in the notification prompt on their phone, so they can determine whether they triggered the sign-in prompt themselves or whether it came from a bad actor.

These additional settings are listed below; like number matching, each can be enabled only for a subset of users by using groups if desired.

  • Show application name in push and passwordless notifications – shows the application the user is attempting to sign in to (e.g. the Azure Portal).
  • Show geographic location in push and passwordless notifications – shows a map of the location the sign-in attempt is coming from.
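As an added example (not from the original post, and not Microsoft's own tooling), the following Python script builds the Microsoft Graph PATCH body that turns on number matching together with the two context settings, scoped either to all users or to a pilot group, and audits a fetched configuration for the weak states. The beta endpoint, the featureSettings property names, the "all_users" target id, the Policy.ReadWrite.AuthenticationMethod permission and the GRAPH_TOKEN / PILOT_GROUP_ID environment variables are assumptions, and the sample configuration is constructed.

```python
"""Added example (not from the original post): build the Microsoft Graph payload that turns on
number matching, application name and geographic location for Microsoft Authenticator, and
audit an existing configuration for the weak settings.

Assumptions: the beta Graph endpoint below, the featureSettings names
numberMatchingRequiredState, displayAppInformationRequiredState and
displayLocationInformationRequiredState, and the "all_users" target id.
"""
import json
import os
import urllib.request
from typing import Dict, List, Optional

# Assumed endpoint for the Microsoft Authenticator authentication method configuration.
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
             "authenticationMethodConfigurations/microsoftAuthenticator")

# Assumed featureSettings property names, in the order the post discusses them.
FEATURES = (
    "numberMatchingRequiredState",              # number matching
    "displayAppInformationRequiredState",       # show application name
    "displayLocationInformationRequiredState",  # show geographic location
)
ALL_USERS = "all_users"  # assumed sentinel id meaning "all users" in an includeTarget


def feature_state(state: str, group_id: Optional[str] = None) -> Dict:
    """One featureSettings entry: enabled/disabled/default, scoped to a pilot group
    when group_id is given, otherwise to every user."""
    if state not in ("enabled", "disabled", "default"):
        raise ValueError(f"unknown feature state {state!r}")
    return {
        "state": state,
        "includeTarget": {"targetType": "group", "id": group_id or ALL_USERS},
    }


def build_patch_body(group_id: Optional[str] = None) -> Dict:
    """PATCH body that enables all three features, for everyone or for one pilot group."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "featureSettings": {name: feature_state("enabled", group_id) for name in FEATURES},
    }


def audit(config: Dict) -> List[str]:
    """Findings for every feature that is not enabled for all users.
    Returns an empty list when the configuration is fully hardened."""
    findings = []
    settings = config.get("featureSettings") or {}
    for name in FEATURES:
        entry = settings.get(name) or {}
        state = entry.get("state", "missing")
        if state != "enabled":
            findings.append(f"{name}: {state}")
            continue
        target_id = (entry.get("includeTarget") or {}).get("id")
        if target_id != ALL_USERS:
            findings.append(f"{name}: enabled only for group {target_id}")
    return findings


# Constructed sample of a GET response from a tenant that has only partially rolled out:
# number matching off, app name left at default, location shown to one pilot group only.
SAMPLE_WEAK_CONFIG = {
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": feature_state("disabled"),
        "displayAppInformationRequiredState": feature_state("default"),
        "displayLocationInformationRequiredState": feature_state(
            "enabled", "11111111-2222-3333-4444-555555555555"),  # constructed group id
    },
}


def graph_request(method: str, token: str, body: Optional[Dict] = None) -> Dict:
    """GET or PATCH the configuration with a bearer token (Policy.ReadWrite.AuthenticationMethod
    is the assumed permission). A PATCH returns no body, so an empty dict comes back."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed env var holding a Graph access token
    config = graph_request("GET", token) if token else SAMPLE_WEAK_CONFIG
    for finding in audit(config):
        print("finding:", finding)
    if token and audit(config):
        graph_request("PATCH", token, build_patch_body(os.environ.get("PILOT_GROUP_ID")))
```

Run without GRAPH_TOKEN to audit the constructed sample; with a token it audits the live configuration and applies the PATCH only when there is something to fix. Assuming the portal toggles described above write the same policy object, the audit gives you a scripted check of the rollout state (including whether a pilot group was ever widened to all users) rather than a visual one.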

By Andrew
