AAD MFA – Number Matching

What is it?

Number matching is an Azure AD MFA feature, currently in public preview, that enhances the MFA push notification so that the user must actively validate the specific challenge in front of them. Because MFA has become a familiar routine for users, complacency can lead to an MFA prompt being approved unintentionally. Should this happen to an administrative user, the consequences could be even more severe.

Rather than only requiring the standard push notification to approve a sign-in request within the Authenticator app, the feature additionally requires the user to enter, in the app, the number displayed by the resource being accessed before the challenge is approved.

For a user who signs in to portals and applications that require MFA approval very frequently, it’s easy to blindly approve push notifications, or to become lazy about checking that the request is genuine. There has been a noticeable increase in the number of ‘MFA fatigue attacks’ reported within the security community, particularly against M365 services since they are so popular and broadly used. MFA fatigue describes an overload of MFA prompts which can lead to the user becoming careless and unintentionally approving an MFA challenge that they did not initiate. The idea is that the attacker spams MFA approval requests hoping that the user will think they somehow initiated the challenge, that it is required to continue with what they are doing, or that there is some kind of bug, and therefore approves the challenge.
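The pattern described above also leaves a trace: a burst of declined or expired MFA pushes for one account in a short period. The following detection is an added example written for this post, not code from the original article or from Microsoft. It runs over a constructed sample of sign-in events whose field names follow the Azure AD sign-in log schema; the error code 500121 is the one the sign-in logs record for a failure during the strong-authentication step, while the threshold and window are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in log error code recorded when the strong-authentication (MFA) step
# fails, which is where a declined or timed-out push lands.
MFA_STAGE_FAILURE_CODES = {500121}

# Constructed sample sign-in events (field names follow the Azure AD sign-in
# log schema; users, times and addresses are made up for this example).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-10-03T08:00:05Z", "errorCode": 500121, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-10-03T08:00:40Z", "errorCode": 500121, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-10-03T08:01:10Z", "errorCode": 500121, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-10-03T08:01:45Z", "errorCode": 500121, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-10-03T08:02:20Z", "errorCode": 500121, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2022-10-03T08:02:55Z", "errorCode": 500121, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@contoso.example",   "createdDateTime": "2022-10-03T09:00:00Z", "errorCode": 500121, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@contoso.example",   "createdDateTime": "2022-10-03T09:30:00Z", "errorCode": 500121, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@contoso.example",   "createdDateTime": "2022-10-03T09:31:00Z", "errorCode": 0,      "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2022-10-03T10:00:00Z", "errorCode": 0,      "ipAddress": "198.51.100.9"},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users whose MFA-stage failures reach `threshold` inside any sliding
    `window`. Returns {upn: {"count", "start", "end", "sources"}} describing the
    densest window found for each flagged user (threshold/window are tunable
    assumptions, not Microsoft-recommended values)."""
    failures = defaultdict(list)
    for event in events:
        if event.get("errorCode") in MFA_STAGE_FAILURE_CODES:
            failures[event["userPrincipalName"]].append(
                (_parse_ts(event["createdDateTime"]), event.get("ipAddress", "?")))

    alerts = {}
    for upn, entries in failures.items():
        entries.sort()
        best = None
        start = 0
        for end, (t, _ip) in enumerate(entries):
            # slide the window start forward until the span fits inside `window`
            while t - entries[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "start": entries[start][0],
                    "end": t,
                    "sources": sorted({ip for _, ip in entries[start:end + 1]}),
                }
        if best:
            alerts[upn] = best
    return alerts


if __name__ == "__main__":
    for upn, hit in detect_mfa_fatigue(SAMPLE_SIGNINS).items():
        print(f"{upn}: {hit['count']} MFA-stage failures between {hit['start']} "
              f"and {hit['end']} from {hit['sources']}")
```

On the sample data only alice is flagged (six failures inside three minutes from one address); bob's two failures are thirty minutes apart and never fall inside the same window. A single success following such a burst is the event worth treating as a probable compromise rather than as the end of the incident.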

How to configure

To configure MFA number matching in AAD, it’s a fairly straightforward process –

1. Navigate to ‘Authentication methods’ in Azure AD under the ‘Security’ section
2. Select ‘Microsoft Authenticator’ to open the additional settings
3. Toggle ‘Enable’ to ‘Yes’ and use the ellipsis to the right of the ‘Registration’ field to open further settings under ‘configure’
4. Specify the following –
    • Authentication mode – Push
    • Require number matching (preview) – Enabled
    • Show additional context in notifications (preview) – Enabled (optional)
5. Select ‘Done’, ensure the ‘Target’ scopes the required users and ‘Save’ to complete
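The same settings can be applied and, more usefully, audited through Microsoft Graph instead of the portal. The block below is an added example written for this post, not the author's own code or a Microsoft sample. It assumes the Graph beta endpoint for the Microsoft Authenticator method policy and the field names of the microsoftAuthenticatorAuthenticationMethodConfiguration schema as documented for beta at the time number matching was in preview; the sample tenant policy is constructed to show a tenant that enabled the method but never opened ‘configure’.

```python
import json

# Assumed Graph beta endpoint for the Microsoft Authenticator method policy;
# a PATCH here needs the Policy.ReadWrite.AuthenticationMethod permission.
GRAPH_AUTHENTICATOR_POLICY = (
    "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/"
    "authenticationMethodConfigurations/microsoftAuthenticator"
)
ALL_USERS = {"targetType": "group", "id": "all_users"}


def build_authenticator_policy(show_context=True):
    """PATCH body mirroring the portal steps: method enabled, push mode for all
    users, number matching required, additional context optional."""
    context_state = "enabled" if show_context else "default"
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [
            {**ALL_USERS, "isRegistrationRequired": False, "authenticationMode": "push"}
        ],
        "featureSettings": {
            "numberMatchingRequiredState": {"state": "enabled", "includeTarget": ALL_USERS},
            "displayAppInformationRequiredState": {"state": context_state, "includeTarget": ALL_USERS},
            "displayLocationInformationRequiredState": {"state": context_state, "includeTarget": ALL_USERS},
        },
    }


def audit_authenticator_policy(policy):
    """Return a list of findings; an empty list means number matching is
    enforced for every Authenticator push user under this policy document."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not enabled")
    modes = {t.get("authenticationMode", "any") for t in policy.get("includeTargets", [])}
    if not modes & {"push", "any"}:
        findings.append("no target allows push notifications, so number matching never applies")
    nm = (policy.get("featureSettings") or {}).get("numberMatchingRequiredState") or {}
    if nm.get("state") != "enabled":
        findings.append(f"number matching state is {nm.get('state', 'unset')!r}, expected 'enabled'")
    elif (nm.get("includeTarget") or {}).get("id") != "all_users":
        findings.append("number matching is enabled but not scoped to all users")
    return findings


# Constructed GET response for a tenant that enabled the method (step 3 above)
# but left every feature setting at its preview default.
SAMPLE_TENANT_POLICY = {
    "state": "enabled",
    "includeTargets": [{**ALL_USERS, "isRegistrationRequired": False, "authenticationMode": "any"}],
    "featureSettings": {
        "numberMatchingRequiredState": {"state": "default", "includeTarget": ALL_USERS},
        "displayAppInformationRequiredState": {"state": "default", "includeTarget": ALL_USERS},
        "displayLocationInformationRequiredState": {"state": "default", "includeTarget": ALL_USERS},
    },
}

if __name__ == "__main__":
    print("Findings before:", audit_authenticator_policy(SAMPLE_TENANT_POLICY))
    print("PATCH", GRAPH_AUTHENTICATOR_POLICY)
    print(json.dumps(build_authenticator_policy(), indent=2))
    print("Findings after:", audit_authenticator_policy(build_authenticator_policy()))
```

Running the audit against a GET of the same endpoint, rather than trusting the portal toggle, is the quickest way to confirm the setting actually reached the users in scope, since a ‘default’ state during the preview meant number matching was not being enforced.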

Testing

1. Sign in to an application/service/portal that is within scope of requiring MFA
2. In addition to the standard ‘Approve sign in request’ message, a number is presented on screen
3. In the Authenticator app, some additional detail is shown –
    • The username
    • The application (source of the authentication request)
    • The approximate location with a map view
    • A field to confirm the number presented on screen and subsequently approve or deny the challenge
4. Enter the number and select ‘Yes’ to approve, or if this is indeed not a genuine challenge, confirm with ‘No, it’s not me’

In the next post I’ll be detailing another feature currently in preview: Temporary Access Passes in Azure AD.
