Microsoft has recently announced a change for all users and organizations that use Microsoft Authenticator as an authentication method, commencing from 27th of February 2023.
What does this mean for you or your organization?
After 27th of February 2023, Microsoft will look to enforce number matching, a security feature that improves overall account protection by adding a step to how you verify your identity when challenged via Microsoft Authenticator.
The main purpose of this enforcement is to eliminate accidental approvals, where users authenticate with their biometric (fingerprint or face) via Microsoft Authenticator and press "Approve" without confirming that they, and not a threat actor holding their credentials, are the ones signing in. The only difference between a number matching challenge and the current MFA is that you will need to complete an additional step before pressing the "Approve" button. As you have already guessed, it involves matching the numbers on the screen to the ones displayed on your phone, or entering the displayed numbers.
This security feature prevents threat actors from gaining access to your account even after you accidentally approve the authentication request, as you will be challenged to prove that you can see the digits displayed on the login screen and match them to the ones in your Microsoft Authenticator app. This process should not take any longer than necessary, but it has been shown to be more effective than the current MFA and deters attackers from trying to gain access again.
(Photo: Courtesy of Microsoft)
Number matching can challenge you in two different ways, depending on which version of the Microsoft Authenticator app you use:
1. A number is displayed on the login screen and you are asked to enter it in the Microsoft Authenticator app (the most up-to-date version).
2. A number is displayed on the login screen and the Microsoft Authenticator app presents three sets of numbers; you have to match one of the three to the one displayed on the screen (older version of the app).
Both of the above challenges provide the same level of security, but we recommend that you always have the most up-to-date version of the Microsoft Authenticator app.
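A simplified model of why an accidental "Approve" stops working once the number must be entered, as an added example (not Microsoft's code and not part of the original article). The class and function names, the two-digit number, the 60-second lifetime and the single-use rule are assumptions made for illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a sign-in request stays valid (assumed value)


class SignInChallenge:
    """Simplified model of one pending sign-in awaiting approval in the app."""

    def __init__(self, number_matching=True, now=None):
        self.number_matching = number_matching
        # Shown on the login screen only; assumed here to be two digits.
        self.number = str(secrets.randbelow(90) + 10)
        self.created = time.time() if now is None else now
        self.used = False

    def push_payload(self):
        # What reaches the phone: the number is deliberately absent, so only
        # someone looking at the login screen can complete the challenge.
        return {"prompt": "Approve sign-in?", "needs_number": self.number_matching}

    def respond(self, approve, entered=None, now=None):
        """Return True only if this response should complete the sign-in."""
        now = time.time() if now is None else now
        if self.used or now - self.created > CHALLENGE_TTL:
            return False              # replayed or stale request
        self.used = True              # each challenge can be answered once
        if not approve:
            return False
        if not self.number_matching:
            return True               # plain push: a tap on "Approve" is enough
        if entered is None:
            return False              # approval without the number is rejected
        return hmac.compare_digest(str(entered), self.number)


def accidental_approval_succeeds(number_matching):
    """A user taps Approve on a request they did not start and cannot see."""
    challenge = SignInChallenge(number_matching=number_matching)
    return challenge.respond(approve=True)


if __name__ == "__main__":
    print("plain push     :", accidental_approval_succeeds(False))
    print("number matching:", accidental_approval_succeeds(True))
```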
Here's a video showing how this change will look: Number Matching
Some of the questions you may have:
Q: Will this change happen all at once for everyone?
A: Microsoft usually rolls out these types of updates gradually and randomly. This means that the co-worker next to you may receive it the same day, whilst you may receive it in a few days.
Q: Does this mean that I will now need to do this every time?
A: Yes, as this will become a new security standard which Microsoft wants to enforce. This will not affect the frequency at which you will be challenged, only the type of challenge you receive.
Q: Do I need to make any changes to my app?
A: No changes will be required. The only difference may be in the version of the app you use, as mentioned above.