Microsoft has taken a major step towards enhancing security in its proprietary authentication application, Microsoft Authenticator. The company has implemented a new feature to counter attacks on multi-factor authentication, also known as MFA.
These attacks, commonly referred to as Push Bombing or MFA Push Spam, involve attackers who already hold stolen credentials sending repeated smartphone notifications to potential victims, asking them to approve sign-in attempts to their own accounts. The flood of notifications can be extremely overwhelming, and in some cases victims end up approving a malicious request.
This type of social engineering has been used successfully by the cybercrime groups Lapsus$ and Yanluowang, which infiltrated well-known organizations such as Microsoft, Cisco, and Uber with it. Microsoft has now decided to combat the technique and has begun enabling the number-matching feature for MFA notifications in the Microsoft Authenticator app.
Number matching is a key security enhancement to the traditional push notification in Microsoft Authenticator. Instead of simply tapping a notification to approve a login request, the user must enter into the app the number displayed on the sign-in screen to confirm their identity. This ensures that only the user who initiated the sign-in can confirm it, preventing unauthorized access.
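To make the mechanism concrete, here is an added Python model of the server-side approval check (written for this article, not Microsoft’s code): the legacy approve/deny push beside the number-matching check, plus a constructed push-bombing run against each. The two-digit challenge, the lockout after three mismatches and the address victim@example.com are assumptions of the model.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_MISMATCHES = 3  # assumption: a request is locked after this many wrong numbers


@dataclass
class PendingLogin:
    user: str
    challenge: Optional[int]  # None = legacy approve/deny push; else the number on the sign-in screen
    approved: bool = False
    mismatches: int = 0


def start_login(user: str, number_matching: bool) -> PendingLogin:
    """Create a pending sign-in. With number matching, a fresh two-digit number is generated
    and shown only on the sign-in screen; the push notification itself does not carry it."""
    return PendingLogin(user, secrets.randbelow(100) if number_matching else None)


def respond(login: PendingLogin, approve: bool, entered: Optional[int] = None) -> bool:
    """Handle the enrolled device's answer. Returns True only if the sign-in is now approved."""
    if login.approved or not approve:
        return login.approved
    if login.challenge is None:  # legacy push: one tap completes the sign-in
        login.approved = True
    elif login.mismatches >= MAX_MISMATCHES:  # request already locked out
        return False
    elif entered == login.challenge:  # only the person at the sign-in screen knows this
        login.approved = True
    else:
        login.mismatches += 1
    return login.approved


def push_bombing(number_matching: bool, prompts: int = 20) -> int:
    """Constructed scenario: an attacker holding the password triggers `prompts` sign-ins
    and the worn-down victim approves every notification. The victim never sees the
    attacker's sign-in screen, so under number matching they can only guess."""
    approved = 0
    for _ in range(prompts):
        login = start_login("victim@example.com", number_matching)
        for _ in range(MAX_MISMATCHES):
            if respond(login, approve=True, entered=secrets.randbelow(100)):
                approved += 1
                break
    return approved
```

With the legacy push every one of the 20 prompts is approved, while with number matching a blind guess succeeds only rarely and the lockout caps the guesses per request.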
“We will reset all administrative settings and default number matching for all Microsoft Authenticator users from May 8, 2023,” Microsoft announced. By implementing this feature, Microsoft aims to reduce the chances of successful attacks on MFA, enhancing user security and protecting users from potential data breaches.
Google has used a similar number-matching approach for several years: the user’s main device shows a choice of three numbers, one of which matches the number displayed on the screen of the new device. Microsoft’s solution, although less convenient because it requires manual input, completely solves the problem of Push Bombing attacks: the victim of such an attack can no longer, whether accidentally or intentionally, give the attacker the desired access.
Microsoft’s move to enhance security by implementing the number matching feature for MFA notifications is a significant step towards safeguarding users’ data and thwarting cyber-attacks. It’s essential that all organizations prioritize security and regularly upgrade their authentication methods to protect their users’ sensitive information from cybercriminals.