Admins can now prevent accidental approvals in Microsoft Authenticator with number matching, location context, and application context.
Admins can now better manage the Microsoft Authenticator app with new Admin UX and Admin APIs.
For more details about these exciting features, please read below:
Last month, we talked about the increase in MFA fatigue attacks and recommended best practices organizations should adopt to increase their security. To protect you, we’ll automatically enable critical security features to tackle ever-changing threat vectors. At the end of February 2023, we’ll enable number matching for all Authenticator users. We highly recommend that you leverage the rollout controls and deploy these exciting security upgrades to Microsoft Authenticator.
Number matching in Microsoft Authenticator MFA experience
To prevent accidental approvals and defend against MFA attacks, admins can require users to enter the number displayed on the sign-in screen when approving an MFA request in Authenticator.
Figure 1 - Number Matching
To learn how to enable number matching for your users, click here.
Additional context in Microsoft Authenticator approval requests
Another way to reduce accidental approvals is to show users additional context in Authenticator notifications. Admins can now selectively choose to enable the following:
Application context: Show users which application they’re signing into.
Location context: Show users their sign-in location based on the IP address of the device they’re signing into.
Figure 2 - Additional Context with number match in notifications
To learn how to enable additional context for your users, click here.
Refreshed Admin UX and APIs
Admins can now better manage their Microsoft Authenticator app features with our refreshed Admin UX and APIs. Use the new “Configure” tab in the Admin UX to enable/disable different features. It now also includes the highly requested capability to exclude groups from features to assist with smoother feature rollouts.
Note: These rollout controls will be removed for number matching once it has been enabled for all at the end of February 2023.
Figure 3 – Refreshed Admin UX
If you haven’t already, you can use Registration Campaigns to seamlessly deploy the Authenticator app within your organization with these security upgrades to better protect your organization.
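The per-feature enable/disable and group-exclusion controls described above can be audited once the policy has been exported as JSON. The sketch below is an added example, not Microsoft's code. It assumes the feature-setting field names of Microsoft Graph's Microsoft Authenticator authentication method configuration (`numberMatchingRequiredState`, `displayAppInformationRequiredState`, `displayLocationInformationRequiredState`); the sample policy and group ID are constructed.

```python
# Added example: field names are assumed from Microsoft Graph's Microsoft
# Authenticator method configuration; SAMPLE_POLICY is constructed data.
NO_GROUP = "00000000-0000-0000-0000-000000000000"  # all-zero GUID = nothing excluded
FEATURES = {
    "numberMatchingRequiredState": "number matching",
    "displayAppInformationRequiredState": "application context",
    "displayLocationInformationRequiredState": "location context",
}

def feature(state, include="all_users", exclude=NO_GROUP):
    """Build one feature setting in the assumed Graph shape."""
    return {"state": state,
            "includeTarget": {"targetType": "group", "id": include},
            "excludeTarget": {"targetType": "group", "id": exclude}}

SAMPLE_POLICY = {
    "state": "enabled",
    "featureSettings": {
        "numberMatchingRequiredState": feature(
            "enabled", exclude="11111111-2222-3333-4444-555555555555"),
        "displayAppInformationRequiredState": feature("default"),
        "displayLocationInformationRequiredState": feature("disabled"),
    },
}

def audit(policy):
    """Return (feature, gap) pairs where a protection does not cover every user."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(("Authenticator", "method not enabled"))
    settings = policy.get("featureSettings") or {}
    for key, label in FEATURES.items():
        setting = settings.get(key)
        if setting is None:
            findings.append((label, "setting missing from policy"))
            continue
        state = setting.get("state", "default")
        if state != "enabled":
            gap = "disabled" if state == "disabled" else "left at Microsoft-managed default"
            findings.append((label, gap))
            continue
        included = (setting.get("includeTarget") or {}).get("id")
        excluded = (setting.get("excludeTarget") or {}).get("id")
        if included != "all_users":
            findings.append((label, f"enabled only for group {included}"))
        if excluded not in (None, NO_GROUP):
            findings.append((label, f"group {excluded} still excluded"))
    return findings
```

Calling `audit(SAMPLE_POLICY)` flags the pilot group still excluded from number matching, the application context left at its default, and the disabled location context.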
Ongoing enhancements for security and usability
We continue to add security and usability improvements to the Authenticator app. Authenticator on iOS now uses App Transport Security (ATS). This security feature improves privacy and data integrity for connections between Authenticator and web services. This improvement is now enabled for all and does not impact how you use your app. In addition, users on Android can now search their accounts, with search on iOS rolling out soon.
As always, we want to hear from you! Feel free to leave comments down below or reach out to us on aka.ms/AzureADFeedback.