Microsoft Now Requires Number Matching To Combat MFA Fatigue Attacks

Starting Monday, May 8, 2023, Microsoft will enforce number matching for Microsoft Authenticator push notifications to mitigate MFA fatigue attacks, in which an attacker who already holds a user's password floods them with approval prompts until one is accepted.

“Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications,” Microsoft says.

To further defend against MFA fatigue, Microsoft also recommends limiting the number of MFA authentication requests per user (or per domain) and, once that limit is exceeded, locking the account or alerting the security team.
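To make the two controls concrete, here is a toy push-MFA server written for this article (it is an added example, not Microsoft's or any vendor's code). It models a plain approve/deny push, the number-matching variant in which the sign-in page shows a two-digit number that must be typed into the authenticator, and the per-user prompt limit with lockout and alert suggested above. The threshold of five prompts in five minutes, the `number_source` hook (used only to make the displayed number predictable in a test) and the `run_fatigue_attack` driver are assumptions for illustration, not published Microsoft behaviour.

```python
"""Toy model of push MFA with optional number matching and a per-user prompt limit.
Added example for this article; not Microsoft Authenticator's real implementation."""
import secrets
from collections import defaultdict


class PushMfaServer:
    """Issues push prompts for sign-ins and verifies the user's response.

    number_matching : when True, request_push() returns a two-digit number that the
                      sign-in page displays; approve() only succeeds if the same
                      number is typed into the authenticator. The phone never
                      receives the number, so an attacker-initiated prompt leaves
                      the victim with nothing but a 1-in-100 guess.
    max_prompts     : assumed limit on prompts per user inside window_seconds; once
                      reached, the account is locked and an alert is recorded.
    number_source   : hypothetical hook so tests can fix the number; defaults to a CSPRNG.
    """

    def __init__(self, number_matching=True, max_prompts=5, window_seconds=300,
                 number_source=lambda: secrets.randbelow(100)):
        self.number_matching = number_matching
        self.max_prompts = max_prompts
        self.window_seconds = window_seconds
        self.number_source = number_source
        self.prompt_times = defaultdict(list)   # user -> timestamps of recent prompts
        self.pending = {}                       # challenge_id -> (user, number or None)
        self.locked = set()
        self.alerts = []

    def request_push(self, user, now):
        """Called after a correct password. Returns the challenge for the sign-in page,
        or None if the user is locked out (rate limit hit)."""
        if user in self.locked:
            return None
        recent = [t for t in self.prompt_times[user] if now - t < self.window_seconds]
        if len(recent) >= self.max_prompts:
            # Too many prompts in the window: lock and tell the SOC instead of prompting again.
            self.locked.add(user)
            self.alerts.append(f"{user}: {len(recent)} MFA prompts within "
                               f"{self.window_seconds}s, account locked")
            self.prompt_times[user] = recent
            return None
        recent.append(now)
        self.prompt_times[user] = recent
        challenge_id = secrets.token_hex(8)
        number = self.number_source() if self.number_matching else None
        self.pending[challenge_id] = (user, number)
        # The number is shown to whoever typed the password, i.e. on the sign-in page,
        # never pushed to the phone.
        return {"challenge_id": challenge_id, "number_on_sign_in_page": number}

    def approve(self, challenge_id, entered_number=None):
        """The user's response from the authenticator app. Each challenge is single-use."""
        user, number = self.pending.pop(challenge_id, (None, None))
        if user is None:
            return False
        if self.number_matching and entered_number != number:
            return False
        return True


def run_fatigue_attack(server, victim, attempts, now=0, victim_guess=lambda: None):
    """Attacker knows the password and triggers `attempts` sign-ins ten seconds apart.
    The worn-down victim taps Approve on every prompt. With number matching the app also
    asks for a number, but the real one is on the attacker's screen, so the victim can
    only guess (victim_guess). Returns (attacker_got_in, prompts_delivered)."""
    delivered = 0
    for i in range(attempts):
        challenge = server.request_push(victim, now + 10 * i)
        if challenge is None:       # rate limit tripped: no more prompts reach the phone
            break
        delivered += 1
        if server.approve(challenge["challenge_id"], victim_guess()):
            return True, delivered
    return False, delivered


if __name__ == "__main__":
    plain = PushMfaServer(number_matching=False)
    print("plain push, victim approves:", run_fatigue_attack(plain, "alice", 20))
    matched = PushMfaServer(number_matching=True)
    print("number matching, victim guesses:",
          run_fatigue_attack(matched, "alice", 20, victim_guess=lambda: secrets.randbelow(100)))
    print("alerts:", matched.alerts)
```

Two points the simulation makes visible: under plain push the first tired tap lets the attacker in, while under number matching an attacker-initiated prompt can only be completed with a number the victim was never shown, and the rate limit caps how many guesses the victim can even be asked for before the SOC hears about it.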

MFA fatigue (also called MFA bombing or push bombing) has been used successfully by various threat actors against high-profile organizations, including Microsoft, Cisco, and Uber.

Matt Mullins, Senior Security Researcher, Cybrary, had this comment:

   “MFA fatigue being an attack that harasses the user allows for weaker implementations to be bypassed with enough time. The changes MSFT is offering in this instance will provide better security, ideally, but as with all things, there could be issues in implementation and reality.

   “Number matching looks to be a great improvement. With the requirement of more action required by the user, the authentication process is more robust. With a more robust authentication, there is less “ease” of exploitation due to more steps being needed by the attacker to execute their attack process further. A great example of this is adding smart screen, an enable macros button, Mark-of-the-web, etc. that prevent an easy execution of a macro. One caveat to this improvement Microsoft is offering is that they are going to require more from the user, and who is to say they don’t get fatigue from this and disable it if possible? What about programmatic accounts that require MFA; will this process prevent those types of accounts from getting an MFA value from the CLI?

   “The number match looks great but there are some not-so-great options included as well. The lock out after a number of fails seems like a perfect example of idealized security that will inevitably be turned off if there are issues with timing, key entry, latency, etc. By locking out accounts’ MFA, users will ultimately have to engage IT. While this might seem like a great idea, what happens when helpdesk is costing more? Controls have to be “just enough” to stop attackers but not inhibit functionality.

   “While the push MFA improvements are great, ultimately utilizing something like a Yubikey is a superior option because of easy-to-use controls and robust security (such as FIDO2). Push, like OTP (or One-Time-Pad), is a weaker control, and efforts to add security to it can tend to complicate user functionality, which impacts production.”

David Mitchell, Chief Technical Officer, HYAS follows up with this:

   “Microsoft has taken a key step in combating techniques that have been successful for Lapsus$ and other groups in compromising organizations by increasing the friction required for MFA. Over the last decade, MFA providers worked on improving the user experience compared to legacy pin+token methods — to the point it was almost too easy to authenticate. While this may irritate some end users in the short term, this change will dramatically reduce attacker abilities to utilize MFA fatigue to gain access to enterprise networks.”

Finally, Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “MFA is an important control organizations should apply by default to all of their human identities as part of a defense in depth approach. However, as we’ve seen with the recent Uber breach, MFA fatigue, where attackers repeatedly prompt the user until the user simply allows the bypass, is all too common. Once past that initial defense, the attackers have bypassed authentication and gained access, free to elevate privileges and move laterally across the enterprise.

   “While advancing MFA with number matching may help, there are other ways to bypass MFA and organizations must look beyond the identity provider of initial access and implement least privilege access across the entire enterprise to identify any anomalous behavior across the complete modern identity journey from identity provider and MFA, to SaaS applications and multi-cloud infrastructure.”


MFA fatigue is real, and asking users to be more diligent about which push notifications they approve is not a workable defense on its own. Number matching will help, but it is only one piece of the puzzle: the authentication process needs to be designed so that these attacks are simply not possible, for example by pairing it with prompt rate limits and, where feasible, phishing-resistant factors such as FIDO2 security keys.
