We've repeatedly emphasized the importance of multifactor authentication (MFA) and emphasized that not all MFA is equal – the Authenticator is much more secure than phone authentication (so hang up!). Through the implementation of number matching, we've successfully thwarted criminals engaging in MFA fatigue attacks.
While this has been very effective, attackers attempting these methods can still annoy users, and Authenticator prompts—while extremely helpful when a user is trying to log in—can provide a “hook” for social phishing when triggered by a hacker. In response to this, we took additional steps to keep users happy and secure by suppressing Authenticator pop-up notifications when a request is anomalous. The rollout of these changes was completed at the end of September, and we’ve successfully reduced the number of unnecessary notifications. We've prevented more than 6 million passwordless and MFA notifications since the deployment began. The vast majority of these were hacker-initiated notifications that served no value to customers.
About Suppressing Risky Authenticator Notifications
Following the deployment of this feature, we now suppress Authenticator notifications when a request displays potential risks, such as when it originates from an unfamiliar location or is exhibiting other anomalies. This approach significantly reduces user inconvenience by eliminating irrelevant authentication prompts.
When everything looks acceptable, users receive notifications on their mobile devices as depicted below:
But in the event of a login request that looks risky to us, the standard notification will not be sent to the user. Instead, they’ll be given the following instructions: “Open your Authenticator app and enter the number shown to sign in,” with no corresponding notification displayed on the user's phone.
When the user opens the Authenticator app, the request will be presented there, allowing the user to take appropriate action:
Retrieving Authenticator Notifications
It’s important to note that the notifications are not deleted. They’re simply suppressed and can still be accessed by the user within the Authenticator app. If a user encounters a genuine request from an unusual source, they can retrieve the notification by opening their Authenticator app. The app serves as a repository for all Authenticator notifications, ensuring users have a convenient way to retrieve any missed requests.
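To make the behavior described in the two sections above concrete, here is a small added model of risk-based push suppression for number-matching MFA. This is illustrative example code written for this post, not Microsoft's implementation: the risk signals (unfamiliar country, bad IP reputation, a burst of recent prompts), the thresholds, and the class and function names are all assumptions. The point it demonstrates is the one the text makes: a risky request still creates a number-matching challenge, it just does not generate a push, and the challenge remains retrievable when the user opens the app.

```python
"""Toy model of risk-based suppression of Authenticator push notifications.

Hypothetical illustration only; the risk signals and thresholds are constructed
for the example and are not Microsoft's actual logic.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class SignInRequest:
    request_id: str
    user: str
    country: str             # geolocation of the request (constructed signal)
    ip_reputation_bad: bool  # IP on an abuse list (constructed signal)
    attempts_last_hour: int  # prompts already sent to this user recently (constructed signal)


@dataclass
class PendingChallenge:
    request_id: str
    number: int   # number-matching value the user must type into the app
    pushed: bool  # True if a push notification was delivered, False if suppressed


@dataclass
class RiskBasedMfaService:
    familiar_countries: dict                   # user -> set of countries seen before
    pending: dict = field(default_factory=dict)  # user -> list of PendingChallenge
    push_log: list = field(default_factory=list)  # request ids that actually produced a push

    def risk_reasons(self, req: SignInRequest) -> list:
        """Return the list of anomalies found; empty means the request looks normal."""
        reasons = []
        if req.country not in self.familiar_countries.get(req.user, set()):
            reasons.append("unfamiliar_location")
        if req.ip_reputation_bad:
            reasons.append("bad_ip_reputation")
        if req.attempts_last_hour >= 5:  # constructed threshold: looks like MFA fatigue
            reasons.append("prompt_flood")
        return reasons

    def start_challenge(self, req: SignInRequest):
        """Create a number-matching challenge; push only when the request is not risky."""
        number = secrets.randbelow(100)  # two-digit number shown on the sign-in page
        reasons = self.risk_reasons(req)
        pushed = not reasons
        if pushed:
            self.push_log.append(req.request_id)
        challenge = PendingChallenge(req.request_id, number, pushed)
        # Suppressed or not, the challenge is stored so the app can still show it.
        self.pending.setdefault(req.user, []).append(challenge)
        if pushed:
            prompt = "Approve the request in your Authenticator app by entering the number shown."
        else:
            prompt = "Open your Authenticator app and enter the number shown to sign in."
        return number, pushed, prompt, reasons

    def open_app(self, user: str) -> list:
        """What the app shows when opened: every pending challenge, pushed or suppressed."""
        return list(self.pending.get(user, []))

    def complete(self, user: str, request_id: str, typed_number: int) -> bool:
        """Finish a challenge from inside the app; only a correct number match succeeds."""
        challenges = self.pending.get(user, [])
        for ch in challenges:
            if ch.request_id == request_id:
                if typed_number == ch.number:
                    challenges.remove(ch)
                    return True
                return False
        return False


if __name__ == "__main__":
    svc = RiskBasedMfaService(familiar_countries={"alice": {"US"}})
    # Normal request: push is sent.
    print(svc.start_challenge(SignInRequest("r1", "alice", "US", False, 0)))
    # Anomalous request: no push, but the challenge is still waiting in the app.
    print(svc.start_challenge(SignInRequest("r2", "alice", "NL", False, 0)))
    print(svc.open_app("alice"))
```

Note that suppression only changes delivery, not authorization: a suppressed challenge still requires the user to open the app and type the matching number, so a genuine sign-in from a new location completes normally while an attacker-initiated request never reaches the user's lock screen as a prompt.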
Conclusion
Implementation of this feature has led to a smoother and more secure experience for users. As technology evolves, improving user convenience while also strengthening security is crucial, and this new approach is a great example.
Best regards,
Alex Weinert
VP Director of Identity Security, Microsoft
Learn more about Microsoft Entra:
- Authentication strength – choose the right auth method for your scenario!
- See recent Microsoft Entra blogs
- Dive into Microsoft Entra technical documentation
- Join the conversation on the Microsoft Entra discussion space and Twitter
- Learn more about Microsoft Security