Enable number matching for better security in Microsoft MFA
November 16, 2022
Those of us who manage IT security know that even MFA can be defeated. As a result, the search continues for a better way to handle MFA authentication requests, and 2FA apps have (in some instances) become the preferred approach over traditional SMS codes. Microsoft has offered a tap-to-confirm function in the Microsoft Authenticator app for some time, but one of its problems was that a user had no way to tell whether an MFA prompt came from their own login attempt or from a malicious one. Thankfully, Microsoft has a new feature called number matching to address this. Microsoft plans eventually to switch this feature on as the default behavior for the Authenticator app, but you can turn it on manually to take advantage of it today:
2. In the list on the left, click "Authentication Methods."
3. Click "Microsoft Authenticator."
4. Click the toggle under "Enable" to enable the feature. If you wish to apply this to all users in your environment, you can leave the Target section as is. Otherwise, click the Select Users toggle to select the users or groups to which you want to apply this policy.
5. Click "Configure."
6. Under "Require number matching for push notifications," click the drop-down and select "Enabled."
7. Optionally, you can also enable a map to show the user where the sign-in attempt occurred.
8. Click the Save button to save your changes. The new MFA features are now enabled. When a user now signs into Microsoft 365, they will be given a number which must be entered into the app.
The prompt they receive in the Microsoft Authenticator app will also display a map of where the authentication attempt occurred and a field to enter the confirmation number.
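As an added example (not from the original post), the same change expressed as a Microsoft Graph request body, together with a check a defender can run over a fetched Authenticator policy to confirm that number matching is actually enforced for all users. The beta endpoint and property names are my assumption of the Graph authenticationMethodsPolicy schema, and the sample policy is constructed, so verify against current Microsoft documentation before relying on it.

```python
"""Build the Graph PATCH body that mirrors steps 4-8 in the portal and audit a
fetched Microsoft Authenticator method policy for number-matching gaps."""
import json

# Assumed beta resource for the Authenticator method configuration.
GRAPH_URL = ("https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/MicrosoftAuthenticator")
ALL_USERS = {"targetType": "group", "id": "all_users"}


def build_patch_body(show_location=True):
    """Enable the method for all users, require number matching, and
    optionally show the sign-in location map (step 7)."""
    return {
        "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
        "state": "enabled",
        "includeTargets": [dict(ALL_USERS, isRegistrationRequired=False,
                                authenticationMode="any")],
        "featureSettings": {
            "numberMatchingRequiredState": {"state": "enabled", "includeTarget": ALL_USERS},
            "displayLocationInformationRequiredState": {
                "state": "enabled" if show_location else "disabled",
                "includeTarget": ALL_USERS},
        },
    }


def number_matching_gaps(policy):
    """Return findings explaining why a policy does NOT enforce number
    matching tenant-wide; an empty list means compliant."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("Authenticator method is not enabled")
    if not any(t.get("id") == "all_users" for t in policy.get("includeTargets", [])):
        gaps.append("Authenticator is not targeted at all users")
    nm = policy.get("featureSettings", {}).get("numberMatchingRequiredState", {})
    if nm.get("state") != "enabled":
        gaps.append("numberMatchingRequiredState is %r, not enabled" % nm.get("state"))
    elif nm.get("includeTarget", {}).get("id") != "all_users":
        gaps.append("number matching is scoped to a subset of users")
    return gaps


# Constructed sample of a tenant still on the pre-rollout default.
SAMPLE_POLICY = {
    "state": "enabled",
    "includeTargets": [ALL_USERS],
    "featureSettings": {"numberMatchingRequiredState": {"state": "default",
                                                        "includeTarget": ALL_USERS}},
}

if __name__ == "__main__":
    print("gaps:", number_matching_gaps(SAMPLE_POLICY))
    print("PATCH", GRAPH_URL, json.dumps(build_patch_body(), indent=2))
```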
I have been testing this feature for some time, and it works great. I would highly recommend implementing this into your environment to enhance security and avoid the risk of a user accidentally approving a login attempt that they did not initiate.