Emphasizing security by default with advanced Microsoft Authenticator features
Published Nov 06 2023 09:00 AM
Microsoft

We've repeatedly stressed the importance of multifactor authentication (MFA), and that not all MFA is equal: Microsoft Authenticator is much more secure than phone call or SMS authentication (so hang up!). With number matching, we've successfully thwarted criminals running MFA fatigue attacks.

While this has been very effective, attackers who keep trying can still annoy users, and Authenticator prompts, extremely helpful when a user is actually signing in, give an attacker a "hook" for social engineering when the attacker is the one who triggered the prompt. In response, we took an additional step to keep users happy and secure: we now suppress Authenticator pop-up notifications when a request is anomalous. The rollout completed at the end of September 2023, and it has cut the number of low-value notifications substantially: more than 6 million passwordless and MFA notifications have been suppressed since the deployment began. The vast majority of these were attacker-initiated and served no purpose for customers.

 

About Suppressing Risky Authenticator Notifications

With this feature deployed, we suppress the Authenticator push notification when a sign-in request shows signs of risk, such as originating from an unfamiliar location or exhibiting other anomalies. The sign-in is not blocked and the request is not discarded; only the pop-up is withheld. This removes irrelevant prompts from the user's phone and, just as importantly, removes the prompt an attacker would try to talk the user into approving.

 

When everything looks acceptable, the user receives a notification on their mobile device as depicted below:

[Screenshot: sdriggers_0-1698693177396.png]

 

 

But when a sign-in request looks risky to us, the standard notification is not sent. Instead, the sign-in page tells the user: "Open your Authenticator app and enter the number shown to sign in," and no notification appears on the user's phone. Number matching still applies: the number is displayed only on the sign-in page, so the request can be completed only by someone who can see that page and also has the user's phone in hand.

[Screenshot: sdriggers_1-1698693177404.png]

When the user opens the Authenticator app, the request is listed there and the user can enter the number or take whatever other action is appropriate:

[Screenshot: sdriggers_2-1698693177407.png]

 

 

Retrieving Authenticator Notifications

Note that suppressed notifications are not deleted; they are only withheld from the phone's notification tray, and the user can still see them in the Authenticator app. If a user makes a genuine sign-in attempt from an unfamiliar location, they retrieve the pending request simply by opening the app. The app holds every Authenticator request, so a missed request is always recoverable from there.
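To make the flow above concrete, here is an added illustration written for this page in Python; it is not Microsoft's code, and the risk heuristics (an unfamiliar location, a burst of prompts inside a 60-second window), the two-digit number range and the PendingRequest/UserState names are assumptions chosen for the example. It models the three pieces the post describes: a number-matching challenge created for every sign-in, a push that is withheld when a risk signal fires, and an app view that still lists the withheld request so the genuine user can complete it.

```python
"""Model of push suppression with number matching.

Added illustration for this post, not Microsoft's implementation. Thresholds,
risk heuristics and type names are hypothetical.
"""
import secrets
from dataclasses import dataclass, field

# Hypothetical thresholds: this many prompts inside one window is treated as
# an MFA-fatigue burst and stops further pushes.
PROMPT_BURST_WINDOW_S = 60
PROMPT_BURST_LIMIT = 3


@dataclass
class PendingRequest:
    request_id: str
    number: int            # number-matching value shown on the sign-in page
    pushed: bool           # True if a push notification went to the phone
    risk_reasons: list     # empty when the request looked normal
    created_at: float


@dataclass
class UserState:
    familiar_locations: set
    pending: dict = field(default_factory=dict)       # request_id -> PendingRequest
    prompt_times: list = field(default_factory=list)  # timestamps of recent attempts


def assess_risk(user: UserState, location: str, now: float) -> list:
    """Return the risk signals for a sign-in attempt (hypothetical heuristics)."""
    reasons = []
    if location not in user.familiar_locations:
        reasons.append("unfamiliar_location")
    recent = [t for t in user.prompt_times if now - t < PROMPT_BURST_WINDOW_S]
    if len(recent) >= PROMPT_BURST_LIMIT:
        reasons.append("prompt_burst")
    return reasons


def start_sign_in(user: UserState, location: str, now: float):
    """Server side: create a number-matching challenge and push it only when no
    risk signal fired. A risky request is still stored, never discarded, so the
    user can find it by opening the app. Returns (request, sign-in page text)."""
    reasons = assess_risk(user, location, now)
    user.prompt_times.append(now)
    req = PendingRequest(
        request_id=secrets.token_hex(8),
        number=secrets.randbelow(100),   # two-digit number the user must type in
        pushed=not reasons,
        risk_reasons=reasons,
        created_at=now,
    )
    user.pending[req.request_id] = req
    if req.pushed:
        instruction = "Approve the request on your phone and enter the number shown"
    else:
        instruction = "Open your Authenticator app and enter the number shown to sign in"
    return req, instruction


def open_app(user: UserState) -> list:
    """Client side: the app lists every pending request, pushed or suppressed."""
    return sorted(user.pending.values(), key=lambda r: r.created_at)


def submit_number(user: UserState, request_id: str, entered: int) -> bool:
    """Server side: number matching. Only someone looking at the sign-in page
    knows the number. A correct entry completes and removes the request; a wrong
    one leaves it pending so the genuine user can still retrieve it."""
    req = user.pending.get(request_id)
    if req is None or entered != req.number:
        return False
    del user.pending[request_id]
    return True


if __name__ == "__main__":
    # Constructed sample: one familiar location, then an attempt from elsewhere.
    user = UserState(familiar_locations={"Seattle"})
    ok_req, msg = start_sign_in(user, "Seattle", now=1000.0)
    print("familiar location -> pushed:", ok_req.pushed, "|", msg)
    bad_req, msg = start_sign_in(user, "unknown-city", now=1001.0)
    print("unfamiliar location -> pushed:", bad_req.pushed, bad_req.risk_reasons, "|", msg)
    print("requests visible in app:", [r.request_id for r in open_app(user)])
```

The design point is in start_sign_in: a risky request changes only whether the phone is interrupted, not whether the challenge exists. The attacker who triggered the sign-in sees the number but has no phone to enter it into; the real user, if they did start the sign-in, opens the app and finds the request waiting.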

 

Conclusion

This feature has made the sign-in experience both smoother and more secure. As attacks evolve, improving user convenience while also raising security is crucial, and this change is a good example of doing both.

 

 

Best regards, 

Alex Weinert 

VP Director of Identity Security, Microsoft 

 

 

 

Last update: Apr 17 2024 11:58 AM