With adversaries using a variety of tactics to bypass MFA in a recent spate of attacks, Microsoft is pushing out a new set of features for its Authenticator app, used to sign in to Windows and other services, that provide more context for MFA requests and add number matching as a way to stop MFA spamming attacks from working.
The past few months have seen a number of high-profile intrusions at companies such as Uber that involved an attacker repeatedly sending MFA push notifications to a victim’s device after using stolen credentials to log into the victim’s account. The goal is to send enough notifications that the victim eventually tires of them and just approves the login. Known as an MFA fatigue attack, this tactic isn’t new, but it has become more prevalent as more and more organizations have deployed MFA to defend corporate accounts and assets. The tactic is often an add-on to other social engineering techniques, such as phone calls or text messages from the attacker purporting to be from an IT help desk or support analyst.
Educating users about how MFA fatigue attacks occur and how to recognize them is an important defense, but adding more defensive hurdles for attackers to navigate is also vital. Last year, Microsoft announced that it was piloting two new features in Authenticator: number matching, and extra context about where a login request is coming from. With number matching enabled, an MFA request includes a two-digit number, which is also shown by the app the user is attempting to sign in to.
“If the user didn’t initiate the sign-in, they won’t know the two-digit code, thereby requiring the bad actor to share the two-digit code in a separate channel, which the user shouldn’t accept,” Alex Weinert of Microsoft said in a post explaining the feature in September.
In addition, Microsoft is including more context in the MFA push notifications, such as the location from which the request originated and which app is requesting the login. The goal is to give users enough information about the request to make an informed decision to approve or deny it.
“The context helps the user understand the origin of the sign-in and thereby reduces the chances of accidental approval,” Weinert said.
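As an added illustration (not code from the article or from Microsoft), the following toy push-MFA backend models the two features described above: a two-digit number that is shown only on the sign-in screen, and sign-in context carried in the push. The class and function names, the request format and the three-attempt limit are all assumptions; the point is that a request the user did not start cannot be approved by tapping alone, because the number is on the initiator's screen, not the user's.

```python
import secrets
from dataclasses import dataclass

@dataclass
class PushRequest:
    request_id: str
    app: str            # extra context: which application is requesting sign-in
    location: str       # extra context: where the request originated
    number: int         # two-digit challenge shown only on the sign-in screen
    attempts: int = 0

class MfaService:
    """Toy push-MFA backend (constructed) with number matching and context."""
    MAX_ATTEMPTS = 3    # assumed policy: discard a request after repeated bad guesses

    def __init__(self):
        self.pending = {}

    def start_sign_in(self, app, location):
        req = PushRequest(secrets.token_hex(4), app, location, secrets.randbelow(90) + 10)
        self.pending[req.request_id] = req
        # The number goes back to the sign-in screen; it is never sent in the push.
        return req.request_id, req.number

    def push_payload(self, request_id):
        req = self.pending[request_id]
        return {"app": req.app, "location": req.location}  # context only, no number

    def approve(self, request_id, entered_number):
        req = self.pending.get(request_id)
        if req is None:
            return False                      # unknown, expired or discarded request
        req.attempts += 1
        if entered_number != req.number:
            if req.attempts >= self.MAX_ATTEMPTS:
                del self.pending[request_id]  # too many wrong numbers: drop it
            return False
        del self.pending[request_id]          # one-time use
        return True

def legitimate_sign_in(service):
    # The user started the sign-in, so the user's own screen shows the number.
    request_id, shown_number = service.start_sign_in("Outlook", "Seattle, US")
    return service.approve(request_id, shown_number)

def fatigue_attempt(service):
    # Someone else started the sign-in; the number appears on their screen only.
    request_id, _initiator_sees = service.start_sign_in("Outlook", "unknown location")
    # A worn-down user who just taps approve has no number to enter, so it fails.
    return service.approve(request_id, entered_number=None)
```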
Both of these features are now generally available for organizations that use Authenticator.