Microsoft announced that, in May 2023, the default notification method for the Microsoft Authenticator App will change from a push Approve/Decline model to a number matching model. Designed to reduce MFA fatigue attacks by bad actors on end users, the number matching system cannot be abused like its predecessor. On Monday, May 1st, 2023, Marshall University Information Technology will push this update to our users.
WHAT SHOULD I EXPECT?
The new MFA prompt will look as follows. When attempting to log on to an MFA-protected resource, the user will be presented with a number on the screen (Figure I). The user then enters that number in the MFA notification (Figure II). Please note that the notification displays the username, the application being used, and the general location. With this information, a user should easily be able to tell whether the MFA prompt is legitimate or malicious. Keep in mind that the location can vary greatly if you are using your cell phone to log in to an MFA-protected resource.
- If you are currently not using the Microsoft Authenticator App for MFA, this new method does not apply to you and your current MFA method will continue to work.
- According to Microsoft, with the addition of number matching, the Authenticator app will no longer work on an Apple Watch. Users who have used an Apple Watch with the Authenticator app in the past will need to authenticate on a different device.
- If you would like to start using the Microsoft Authenticator App for MFA, log in to https://aka.ms/mfasetup, click “+ Add sign-in method”, select “Authenticator app”, and follow the on-screen instructions. After setup is complete, in the “Security info” section on the https://aka.ms/mfasetup page, click “Change” and select “App base authentication – notification” for the default sign-in method.
Thank you for your continued collaboration in helping us continue to provide high-impact academic technology services at Marshall University.