Emphasizing Security by Default with Advanced Microsoft Authenticator Features

We've repeatedly emphasized the importance of multifactor authentication (MFA), and that not all MFA is equal: the Microsoft Authenticator app is much more secure than phone-based authentication (so hang up!). Through number matching, we've successfully thwarted attackers engaging in MFA fatigue attacks.

While number matching has been very effective, attackers attempting these methods can still annoy users, and Authenticator prompts, extremely helpful when a user is genuinely trying to sign in, can provide a "hook" for social engineering when triggered by an attacker. In response, we took an additional step to keep users both happy and secure: Authenticator push notifications are now suppressed when a request is anomalous. The rollout of this change was completed at the end of September, and it has substantially reduced the number of unnecessary notifications. We've prevented more than 6 million passwordless and MFA notifications since the deployment began; the vast majority of these were attacker-initiated and served no value to customers.

About Suppressing Risky Authenticator Notifications

Following the deployment of this feature, we now suppress Authenticator push notifications when a request displays potential risk, such as originating from an unfamiliar location or exhibiting other anomalies. This significantly reduces user inconvenience by eliminating prompts for sign-ins the user did not initiate.

When everything looks acceptable, users receive a push notification on their mobile device as usual.

If a sign-in request looks risky to us, the standard push notification is not sent. Instead, the sign-in page shows the instruction "Open your Authenticator app and enter the number shown to sign in," and no notification appears on the user's phone.

When the user opens the Authenticator app, the pending request is presented there, and the user can take the appropriate action.

Retrieving Authenticator Notifications

It's important to note that suppressed requests are not deleted. They are simply not pushed to the phone and remain accessible within the Authenticator app. If a user has a genuine sign-in request from an unusual location, they can retrieve it by opening the app, which holds all pending authentication requests, so users always have a convenient way to find any missed request.
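To make the flow above concrete, here is a small Python model, added as an illustration and not code from Microsoft or the Authenticator service. It assumes a hypothetical risk rule (a sign-in from a location the user has never used is anomalous), a two-digit matching number, a 60-second challenge lifetime and a three-attempt limit; none of those parameters come from the post. It shows the property that matters: a risky request generates no push, yet it is still waiting in the app when the user opens it, and approval requires the number from the sign-in page rather than a tap on "Approve".

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class SignInRequest:
    """One pending sign-in challenge, whether or not it was pushed."""
    request_id: str
    user: str
    location: str
    number: int       # two-digit number shown on the sign-in page
    created: float    # time.time() when the challenge was created
    pushed: bool      # True if a push notification was sent to the phone
    attempts: int = 0


class AuthenticatorBackend:
    """Toy model of a number-matching verifier with risk-based push suppression.

    Hypothetical risk rule: a sign-in is anomalous when it comes from a location
    the user has never signed in from. The real service's risk evaluation is not
    described in the post; this rule merely stands in for it.
    """

    def __init__(self, known_locations, ttl_seconds=60, max_attempts=3):
        self.known_locations = known_locations   # {user: {familiar locations}}
        self.pending = {}                        # request_id -> SignInRequest
        self.pushes = []                         # (user, request_id) actually pushed
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts

    def is_risky(self, user, location):
        return location not in self.known_locations.get(user, set())

    def start_sign_in(self, user, location):
        """Called by the sign-in page; the page displays the returned .number."""
        req = SignInRequest(
            request_id=secrets.token_hex(8),
            user=user,
            location=location,
            number=secrets.randbelow(100),
            created=time.time(),
            pushed=False,
        )
        # Low-risk request: push a notification as usual.
        # Risky request: store it silently; the phone shows nothing until the
        # user opens the app on their own.
        if not self.is_risky(user, location):
            req.pushed = True
            self.pushes.append((user, req.request_id))
        self.pending[req.request_id] = req
        return req

    def _live(self, req, now):
        return now - req.created < self.ttl

    def pending_for(self, user):
        """What the app shows when opened: every unexpired request, pushed or not."""
        now = time.time()
        return [r for r in self.pending.values()
                if r.user == user and self._live(r, now)]

    def approve(self, request_id, entered_number):
        """The user typed a number into the app. Approval succeeds only if it
        matches the number on the sign-in page, so a blind tap cannot approve."""
        req = self.pending.get(request_id)
        if req is None:
            return False
        if not self._live(req, time.time()):
            del self.pending[request_id]
            return False
        req.attempts += 1
        ok = hmac.compare_digest(f"{req.number:02d}", f"{int(entered_number):02d}")
        # Retire the challenge on success or after too many wrong guesses.
        if ok or req.attempts >= self.max_attempts:
            del self.pending[request_id]
        return ok


if __name__ == "__main__":
    # Constructed scenario: alice normally signs in from Seattle.
    backend = AuthenticatorBackend({"alice": {"Seattle"}})
    legit = backend.start_sign_in("alice", "Seattle")
    attacker = backend.start_sign_in("alice", "Unknown-City")
    print("pushed:", [r.request_id for u, r in backend.pushes])
    print("waiting in app:", [(r.request_id, r.pushed) for r in backend.pending_for("alice")])
    print("attacker's request approved by a wrong number?",
          backend.approve(attacker.request_id, (attacker.number + 1) % 100))
```

Note that `approve` uses a constant-time comparison and an attempt limit so a two-digit number cannot simply be brute-forced against a lingering challenge, and the challenge expires on its own if the user never opens the app.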

Conclusion

This feature has led to a smoother and more secure experience for users. As technology evolves, improving user convenience while also improving security is crucial, and this change is a good example of doing both.

Best regards,

Alex Weinert

VP Director of Identity Security, Microsoft


This article was originally published on Microsoft's Entra (Azure AD) Blog.