surveysposa.blogg.se

Microsoft azure mfa













Protecting users from MFA fatigue attacks

With increasing adoption of strong authentication, multi-factor authentication (MFA) fatigue attacks (aka, MFA spamming) have become more prevalent. These attacks rely on the user’s ability to approve a simple voice, SMS or push notification that doesn’t require the user to have context of the session they are authenticating. Anytime users are doing “click to approve” or “enter your PIN to approve” instead of entering a code they see on-screen, they are doing simple approvals.

Our studies show that about 1% of users will accept a simple approval request on the first try. That’s why it’s critical to ensure that users must enter information from the login screen and that they have more context and protection. We track these attacks across our ecosystem, and it’s very clear they are on the rise – with push notifications, voice approvals and SMS as the top culprits.

Microsoft Authenticator is the most popular MFA method (whether after a password or in place of one) for enterprises to deploy and secure their users today. In this blog, we’ll help you protect your users on Microsoft Authenticator from MFA fatigue attacks. We announced the protections from these attacks way back in November 2021. We’ll be enabling them for all users very soon after general availability (GA is expected in the next few months), but, given the rise in MFA fatigue attacks, we encourage you to take advantage of them now.

Prevent good users from accidentally approving sign-ins

Number matching (with "type the code" experience) prevents accidental approval by requiring the user to type in a two-digit code from the login screen to their Authenticator app. If the user didn’t initiate the sign-in, they won’t know the two-digit code, thereby requiring the bad actor to share the two-digit code in a separate channel, which the user shouldn’t accept. Number matching has been in public preview for MFA since November 2021, and almost 10K enterprises are already using it daily. It is also the default experience for passwordless phone sign-ins using Microsoft Authenticator.
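The number matching check described above can be modelled in a few lines. This is an added example, not part of the original post and not Microsoft's implementation: the class and function names, the 10-99 code range, the 60-second lifetime and the single-use rule are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumption: illustrative lifetime, not Microsoft's value


class NumberMatchVerifier:
    """Toy server side of a push MFA flow with number matching (hypothetical names)."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # challenge_id -> (user, code, expires_at)

    def start_sign_in(self, user):
        """Called by the login page. Returns (challenge_id, code shown on the login screen)."""
        challenge_id = secrets.token_urlsafe(16)
        code = str(secrets.randbelow(90) + 10)  # two digits, 10-99 (assumed range)
        self._pending[challenge_id] = (user, code, self._now() + CODE_TTL_SECONDS)
        return challenge_id, code

    def push_payload(self, challenge_id):
        """What the phone receives: the prompt only, never the code."""
        user, _code, _expires_at = self._pending[challenge_id]
        return {"challenge_id": challenge_id, "user": user,
                "prompt": "Enter the number shown on the sign-in screen"}

    def respond(self, challenge_id, typed_code=None):
        """Called by the authenticator app. The first answer consumes the challenge."""
        entry = self._pending.pop(challenge_id, None)  # single use: a wrong answer burns it
        if entry is None:
            return "unknown_or_used"
        _user, code, expires_at = entry
        if self._now() > expires_at:
            return "expired"
        if typed_code is None:
            return "denied_simple_approval"  # a bare "Approve" tap is not accepted
        if hmac.compare_digest(typed_code.encode(), code.encode()):
            return "approved"
        return "denied_wrong_code"


def wrong_guess(code):
    """A two-digit value different from `code`: a user who cannot see the login screen."""
    return "10" if code != "10" else "11"
```

Because the code travels only to the session that started the sign-in, a user who receives an unexpected prompt has nothing valid to type, and a tap-only response is rejected outright.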














