Microsoft Authenticator push notifications get number matching

Microsoft has enabled number matching for Microsoft Authenticator push notifications to improve user sign-in security.

Authenticator MFA number matching in action (Source: Microsoft)

“If the user has a different default authentication method, there’s no change to their default sign-in. If the default method is Authenticator, they get number matching,” Microsoft clarified, and noted that users can’t opt out of this feature.

MFA number matching

Number matching provides an additional layer of security by displaying a number in the push notification.

This new feature is designed to combat MFA fatigue attacks – a type of social engineering cyberattack where cybercriminals bombard the victim’s phone with many requests for authentication and hope that the victim will approve the request either by mistake or because they are tired of receiving these requests.

“When a user responds to an MFA push notification using Authenticator, they’ll be presented with a number. They need to type that number into the app to complete the approval,” the company explained.

Number matching is available for:

• Multifactor authentication
• Self-service password reset
• Combined SSPR and MFA registration during Authenticator app set up
• AD FS adapter
• NPS extension

Wearable devices are not supported

MFA number matching does not support push notifications for Apple Watch or Android wearables. Users of wearable devices need to use their phone to approve notifications when number matching is enabled.

“In the Authenticator release in January 2023 for iOS, there is no companion app for watchOS due to it being incompatible with Authenticator security features. You can’t install or use Authenticator on Apple Watch,” Microsoft added.

“We therefore recommend that you delete Authenticator from your Apple Watch, and sign in with Authenticator on another device.”

To successfully sign-in, users need to update to the most recent version of Authenticator.