Microsoft Authenticator: It is all about the numbers
Microsoft Authenticator is getting a small update from 27 February. Microsoft will be implementing a number matching system. This will change how you use this security feature, and it will affect anyone using the Apple Watch.
What is the number matching system?
When you log in to your system using Multi-Factor Authentication via the Microsoft Authenticator app, you are asked to enter a 6-digit number that the Authenticator app provides, or you are sent an SMS message with a code, and you then approve the login. The number matching system simply works in the other direction: when you log in, a number is shown on your PC, and you enter that number into the Authenticator app to approve the login.
Why the change?
The main problem with the current system is the message that is sent to approve the login. The bad guys can bombard the target with notification after notification in the hope that you will accidentally approve one of them. This is known as an MFA fatigue attack!
Number matching requires the user to enter a number into the app to approve the login, and as you won't see the required number unless you are the one signing in, you can't approve a login you didn't start. Number matching is still susceptible to social engineering, where the user is tricked into entering the number because they believe they are talking to someone from their IT team. Just to note: we would never ask you to log in to your account on our device, so if someone contacts you asking you to enter a number into the Authenticator app, tell them to take a hike and contact us.
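To show why the spam-the-user trick stops working, here is a small added simulation (not Microsoft's code, and not part of the original post) that models both approval flows. The session names, the 60-second prompt lifetime and the two-digit number range are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Challenge:
    session_id: str   # the sign-in attempt the prompt belongs to
    number: int       # shown on the screen that is signing in
    created: float    # when the prompt was issued
    used: bool = False


class PushVerifier:
    """Models the two Authenticator flows: mode="approve" accepts any tap on the
    notification; mode="number" only accepts the number shown on the sign-in screen."""
    TTL = 60  # seconds a pending prompt stays valid (assumed value)

    def __init__(self, mode: str):
        self.mode = mode
        self.pending: Dict[str, Challenge] = {}

    def start_signin(self, session_id: str) -> int:
        # Two-digit number drawn from a CSPRNG, as the prompt would display it
        ch = Challenge(session_id, secrets.randbelow(90) + 10, time.time())
        self.pending[session_id] = ch
        return ch.number

    def approve(self, session_id: str, entered: Optional[int] = None) -> bool:
        ch = self.pending.get(session_id)
        if ch is None or ch.used or time.time() - ch.created > self.TTL:
            return False                    # unknown, replayed or expired prompt
        if self.mode == "number" and entered != ch.number:
            return False                    # wrong (or missing) number: no approval
        ch.used = True                      # each prompt can be approved once
        return True


def fatigue_scenario(mode: str, prompts: int = 10) -> bool:
    """Constructed scenario: someone holding the password fires off many prompts and
    the worn-down user taps 'Approve' on the last one. The number for that prompt is
    on a screen the user cannot see, so the user has nothing correct to type."""
    v = PushVerifier(mode)
    for i in range(prompts):
        v.start_signin(f"unknown-device-{i}")
    return v.approve(f"unknown-device-{prompts - 1}", entered=None)


def legitimate_signin(mode: str) -> bool:
    """The user signs in on their own PC and types the number it shows."""
    v = PushVerifier(mode)
    shown = v.start_signin("users-pc")
    return v.approve("users-pc", entered=shown)
```

Under the old flow the blind tap in fatigue_scenario lets the stranger in; under number matching it is rejected, while the genuine sign-in still succeeds in both modes.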
Is this going to make it harder?
Unfortunately, the simple truth is… Yes!
In the continual drive to beat the criminals and hackers of the world, security keeps getting more and more complex and for the lowly user it just makes our login process that bit harder.
Plus… if you are using a wearable device such as the Apple Watch to approve the login, I have sad news for you. It will no longer work. This is purely because the screen is not large enough to enter the numbers into the app. Therefore, if you have Microsoft Authenticator on your Watch, delete it now and set it up on a mobile device.
A new hope
Microsoft, Google AND Apple have all agreed to make passwords a thing of the past. They are now collaborating on making the FIDO (Fast Identity Online) standard work for the mainstream.
FIDO works by turning a local device such as your phone into the means to log in to an account, because unlike passwords, which criminals can enter from a distance, your device is unlikely to end up in their hands.
But there is still lots of work to be done, so stay tuned.