Microsoft have announced the commercial release/general availability of system-preferred multifactor authentication (MFA).
System-preferred multifactor authentication (MFA) prompts users to sign in by using the most secure method they registered. For example, if a user registered both SMS and Microsoft Authenticator push notifications as methods for MFA, system-preferred MFA prompts the user to sign in by using the more secure push notification method. The user can still choose to sign in by using another method, but they’re first prompted to try the most secure method they registered.
A new number-matching feature will become the default for all organizations using Microsoft Authenticator, prompting users to confirm a number before approving a sign-in.
This feature is a safeguard against accidental/blind approvals by users, as well as MFA fatigue attacks. MFA fatigue is a known tactic used by attackers after they’ve obtained a user’s password. The attackers are still blocked by the secondary authentication method, so they repeatedly send second-factor approval requests to the victim until one of them is approved. The number-matching security feature somewhat defeats MFA fatigue attacks by making the end user explicitly enter a two-digit number to approve the access request.
Another safeguard offered on the Microsoft Authenticator app is the additional context feature. With this enabled, both the app requesting the sign-in credentials and the location of the requester are identified.
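The repeated-prompt pattern behind MFA fatigue, described above, is also something defenders can look for in sign-in telemetry. The following is an added example, not Microsoft code: the event tuples, result labels, threshold and window are all assumptions made for illustration and do not reflect a real log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, push prompt result)
SAMPLE_EVENTS = [
    ("2023-05-08T02:10:00", "alice", "denied"),
    ("2023-05-08T02:10:40", "alice", "timeout"),
    ("2023-05-08T02:11:30", "alice", "denied"),
    ("2023-05-08T02:12:10", "alice", "timeout"),
    ("2023-05-08T02:13:00", "alice", "denied"),
    ("2023-05-08T02:14:20", "alice", "approved"),   # approval right after a burst
    ("2023-05-08T09:00:00", "bob", "denied"),       # single mis-tap, then success
    ("2023-05-08T09:00:30", "bob", "approved"),
    ("2023-05-08T10:00:00", "carol", "denied"),     # spread out, never a burst
    ("2023-05-08T10:15:00", "carol", "denied"),
    ("2023-05-08T10:30:00", "carol", "denied"),
    ("2023-05-08T10:45:00", "carol", "denied"),
    ("2023-05-08T11:00:00", "carol", "denied"),
]

def detect_push_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold unapproved push prompts inside a sliding
    window, and separately flag an approval that ends such a burst."""
    recent = defaultdict(deque)   # user -> times of unapproved prompts in window
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if not q:                          # window emptied: the burst is over
            in_burst.discard(user)
        if result in ("denied", "timeout"):
            q.append(now)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"user": user, "time": ts, "kind": "burst"})
        elif result == "approved":
            if user in in_burst:           # the case worth escalating first
                alerts.append({"user": user, "time": ts,
                               "kind": "approved_after_burst"})
            q.clear()
            in_burst.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bursts(SAMPLE_EVENTS):
        print(alert)
```

An approval that follows a burst is the higher-priority alert, since it may mean a prompt was accepted under pressure rather than intentionally.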