The importance of multifactor authentication (MFA) has been emphasized repeatedly, as has the fact that not all MFA is equal: the Authenticator is much more secure than phone authentication (so hang up!). By implementing number matching, we've successfully thwarted criminals engaging in MFA fatigue attacks.
While this has been very effective, attackers attempting these methods can still annoy users, and Authenticator prompts, while extremely helpful when a user is trying to log in, can provide a “hook” for social phishing when triggered by a hacker. In response, we took additional steps to keep users happy and secure by suppressing Authenticator pop-up notifications when a request is anomalous. The rollout of these changes was completed at the end of September, and we’ve successfully reduced the number of otherwise unworthy notifications. We've prevented more than 6 million passwordless and MFA notifications since the deployment began. The vast majority of these were hacker-initiated notifications that served no value to customers.