Why is Microsoft Authenticator Changing?

Multi-factor Authentication (or ‘MFA’) has now become a fundamental part of the cybersecurity toolset used by organisations to keep their user accounts secure. As such, many of us are now well accustomed to MFA.
Published on 8th February 2023

Share this Blog post

The familiar approval of a push notification on a mobile device or the entering of a 6-digit code, in combination with signing into a service with your password — most commonly using the Microsoft Authenticator app — has become routine for almost all digital professionals.

However, as with any technology, multi-factor authentication is continuously developing and improving as cybersecurity experts find more secure ways to use it. In this post, we explain how Microsoft is changing the way notifications work with their Microsoft Authenticator App to do just that.

This change will be set automatically by Microsoft on February 27th 2023.

What is Microsoft Authenticator & how does it work?

Microsoft Authenticator is an app that helps you securely sign in to your accounts using two-step verification. It’s a simple but effective process:

  • When signing into a service such as Microsoft 365 with your MFA-enabled account, you’ll sign in with your password (First-factor authentication).
  •  After this, Microsoft will send you a push notification to your mobile device to approve, decline, or prompt you to enter the 6-digit code that refreshes every 30 seconds (Second-factor authentication).

The two authentications together form what’s known as multi-factor authentication.

MFA is still considered high security as it protects unauthorised people from using your password to access your account without your mobile device.

Multi-factor authentication and cybersecurity

Implementing MFA makes it far more difficult for malicious individuals to gain access to your information, even if your passwords are compromised through phishing attacks or other means. However, that doesn’t mean that passwords are any less important.

You can learn more about the different types of cyber threats and the best practices to combat them in another of our blogs.

Log in screen with password securely hidden

How is Microsoft Authenticator changing?

Microsoft is now introducing number matching to replace the approve or decline push notifications.

Number matching is a critical security improvement to reduce the risk of an account getting breached due to MFA fatigue, otherwise known as MFA spamming.

Whilst a push notification to your phone or Apple watch is convenient and more effortless than opening an app to type a 6-digit code if an account is breached, the end user could be subject to receiving multiple requests to approve a sign-in.

If this occurs, it’s unlikely that the end user will be able to determine which one is their own request to sign in over the attacker trying to gain access. As a result, they may subsequently grant the attacker access to the system without realising it.

It is essential to deliver cybersecurity training to your staff so they are aware of these types of scams and can avoid falling victim to them.

How does number matching work?

After signing in with your password, a 2-digit number will be displayed on the screen, and a push notification will be sent to your mobile device. The push notification will ask you to enter that number.

screenshot to show microsoft authenticator window when user is logging onto a machine

Every time you attempt to log in, the number displayed will be different. This prevents you from approving an unauthorised login attempt on your mobile device, as you would not be able to see the code on the screen.

What are the limitations of number matching?

As is common with higher security, some features are removed as they cannot meet the requirements of the improvements.

Support for Apple Watch is removed with a number matching the updated Microsoft Authenticator App. If you have set up an authenticator for an Apple watch only, we recommend setting up Microsoft Authenticator on another device.

Utilising number matching with other services, such as RDS or VPN, will require further configuring your MFA extensions on these systems and will not be enabled by default on the 27th of February.

How can our cybersecurity services help?

Contact our IT consultants today if you have questions about Multi-factor Authentication or know more about how ITRM’s consultancy services can help secure your business.

Or, for more strategic cybersecurity insights, keep up to date with our expertly-written blog.

Share this Blog post

Related Articles

Decoding Online Social Engineering: Revealing Tactics and Strengthening Defences

Decoding Online Social Engineering: Revealing Tactics and Strengthening Defences

If you are a decision-maker within a business, you must be aware of the risks that social engineering can pose to your organisation...

22nd April 2024
Hiring Safely: The Imperative Role of Cyber Security in Recruitment

Hiring Safely: The Imperative Role of Cyber Security in Recruitment

Cyber security plays a crucial role in the recruitment sector for various reasons, explore some of these reasons with ITRM’s expert team below…

18th April 2024
Visit our blog for more articles like these

Your privacy

By clicking “Accept all cookies”, you agree ITRM can store cookies on your device and disclose information in accordance with our Cookie Policy.

Cookie Settings

When you visit any of our websites, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and manage your preferences. Please note, blocking some types of cookies may impact your experience of the site and the services we are able to offer.