MFA Fatigue and Number Matching
MFA fatigue attacks or MFA spamming are attack tactics where threat actors send a constant stream of multi-factor authentication requests to annoy a target in the hope that they will finally approve one in order to stop them from being generated.
In a recent blog, Microsoft shared data that showed about 1% of users will accept a simple approval request on the first try. In order to provide further protection, Microsoft have enhanced MFA options to include number matching.
Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will begin to be enabled by default for all users starting February 27, 2023.
Users receive an approval prompt after a password is successfully entered. This approval does not include context to prove what you are allowing.
When a user responds to an MFA push notification using the Authenticator app, they'll be presented with a number. They need to type that number into the app to complete the approval.
Number matching will be enabled for all users of Microsoft Authenticator app after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't.
As this feature is now generally available, Wanstor recommends that this is implemented as soon as possible to help further protect your IT estate ahead of the deadline where Microsoft will enforce this change.