Microsoft Authenticator suppresses suspicious MFA notifications

Microsoft has quietly rolled out a new mechanism that shields users of its mobile Authenticator app from suspicious (and annoying) push notifications triggered by attackers.

Preventing attacks relying on MFA fatigue

When faced with MFA-protected accounts, threat actors repeatedly try to gain access with stolen login credentials and thus trigger a barrage of authentication requests delivered via authenticator apps. Their hope is that the victim will accept one either by mistake or to stop the annoying notifications.

In early May, Microsoft added the number matching feature for Microsoft Authenticator push notifications to boost account security and stymie attackers relying on multi-factor authentication (MFA) fatigue.

The feature prompts users to input the number displayed in the push notification to finalize the login process, so they can’t easily click through the request without thinking.

Alex Weinert, VP director of identity security at Microsoft, says that the feature has been very effective at thwarting criminals, but that users were still annoyed by the prompts.

“In response to this, we took additional steps to keep users happy and secure by suppressing Authenticator pop-up notifications when a request is anomalous,” he explained.

Microsoft Authenticator identifies and holds back suspicious notifications

Added in late September, this new mechanism prevents prompts for anomalous and potentially suspicious Authenticator notifications – e.g., notifications triggered by requests originating from an unfamiliar location – from being displayed on the user’s phone screen.

Microsoft Authenticator suspicious notifications

No push notification if the login attempt is anomalous. (Source: Microsoft)

“It’s important to note that the notifications are not deleted. They’re simply suppressed and can still be accessed by the user within the Authenticator App. If a user encounters a genuine request from an unusual source, they can retrieve the notification by accessing their authenticator app,” Weinert pointed out.

Non-suspicious Authenticator notifications will continue to generate prompts that will pop up on the mobile device’s home screen.

Don't miss