PARIS, Oct. 28 (Benin News / EP) –
Microsoft has improved the multi-factor authentication (MFA) security of its Microsoft Authenticator app with new features such as “number matching” and additional context in pop-up requests, designed to prevent phishing attacks and accidental approvals.
Multi-factor authentication systems, while adding an extra level of security to logins, are not without their problems. Their increasing adoption has been followed by the rise of what are known as “MFA fatigue attacks”.
“These attacks are based on the ability of the user to approve a simple voice, SMS or push notification that does not require the user to have the context of the session that he is authenticating”, explained Alex Weinert, Microsoft's director of identity security, in September on the occasion of a report on this threat.
When they talk about simple approvals, they refer to the fact that the user receives an automatic notification asking them to click or enter a PIN to approve the connection, rather than typing a code displayed on the screen.
MFA fatigue attacks take advantage of users’ lack of attention on simple approvals. They are able to bypass multi-factor authentication through repeated login attempts with previously stolen credentials, which cause a constant stream of approval requests to be sent to the victim’s cell phone.
This influx of notifications may cause the user to accept one of them by mistake or without thinking, thereby giving cybercriminals access to their account.
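The burst of prompts described above is visible in sign-in telemetry. The following detection sketch is an added example, not code from Microsoft or from the original article; the event names, tuple layout, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): ISO time, user, event kind.
SAMPLE_EVENTS = [
    ("2022-10-28T09:00:05", "alice", "push_sent"),
    ("2022-10-28T09:00:20", "alice", "push_approved"),  # ordinary sign-in
    ("2022-10-28T02:10:00", "bob", "push_sent"),
    ("2022-10-28T02:10:40", "bob", "push_denied"),
    ("2022-10-28T02:11:10", "bob", "push_sent"),
    ("2022-10-28T02:12:00", "bob", "push_sent"),
    ("2022-10-28T02:12:45", "bob", "push_sent"),
    ("2022-10-28T02:13:30", "bob", "push_sent"),
    ("2022-10-28T02:13:50", "bob", "push_approved"),    # gives in after 5 prompts
    ("2022-10-28T03:00:00", "carol", "push_sent"),
    ("2022-10-28T03:20:00", "carol", "push_sent"),      # too far apart to count
]

def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users who get `threshold` or more push prompts inside `window`
    with no approval in between, and note whether the burst ended in one."""
    prompts = defaultdict(deque)   # user -> prompt times since the last approval
    open_alerts = {}               # user -> alert still collecting prompts
    alerts = []
    for ts, user, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        queue = prompts[user]
        while queue and when - queue[0] > window:
            queue.popleft()        # forget prompts that fell out of the window
        if not queue:
            open_alerts.pop(user, None)   # burst went quiet; alert stays unapproved
        if kind == "push_sent":
            queue.append(when)
            if user in open_alerts:
                open_alerts[user]["prompts"] += 1
            elif len(queue) >= threshold:
                alert = {"user": user, "first_prompt": queue[0].isoformat(),
                         "prompts": len(queue), "approved": False}
                open_alerts[user] = alert
                alerts.append(alert)
        elif kind == "push_approved":
            if user in open_alerts:
                open_alerts.pop(user)["approved"] = True  # burst ended in approval
            queue.clear()
    return alerts
```

An alert with `approved` set to true is the case to triage first, since it means a prompt was accepted at the end of a burst.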
To prevent such attacks, Microsoft implemented “number matching” in Microsoft Authenticator, a feature that prevents accidental approval by all users, prompting the user to enter a two-digit code from the app’s login screen, according to the company’s Tech Community blog.
“If the user has not logged in, they will not know the two-digit code, which will force the bad guy to share the two-digit code in a separate channel, which the user should not accept”, said the technology company.
This new feature is now available to administrators of an organization’s accounts. They can also access another new feature, “additional context”, which also helps to reduce accidental approvals by displaying information about the application being accessed or the location from which the login is being made.
Microsoft explains that “additional context” and “number matching” can be combined in the same notification.