"Microsoft Authenticator Mandates Number Matching to Counter MFA Fatigue Attacks"

To make multi-factor authentication (MFA) less susceptible to social engineering, Microsoft Authenticator will now require number matching for all push notifications. MFA fatigue attacks have proven effective for cybercriminals: the attacker sends a barrage of MFA push requests to an employee, usually at unsociable hours, to pressure them into approving a login attempt just to clear the notifications. With number matching, authorizing a login attempt requires opening the push notification, launching Microsoft Authenticator, and entering a series of numbers that appear in the app. The technique has existed for years and combines MFA with two-factor authentication (2FA). The numbers typically reset after a predetermined interval, such as 30 seconds, and add an extra step of interaction that reduces the chance of a successful social engineering attack. In a typical attack, the recipients of the constant notifications are asleep and are woken by loud smartphone alerts; the attack succeeds if the individual hurries to approve the login attempts. Making the approval more manual gives the recipient more time to recognize that a malicious actor is triggering the prompts. This article continues to discuss Microsoft Authenticator adding another layer of complexity to prevent social engineering attacks.
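As an added illustration (not code from the article, ITPro, or Microsoft), the sketch below models the server-side logic the paragraph describes: each sign-in gets a challenge number that the user must type into the app, the number expires after the article's example interval of 30 seconds, and a bare one-tap "approve" with no number is rejected, which is exactly what defeats the fatigue pattern. Class and method names are hypothetical; the exact format of Microsoft's challenge is assumed to be two digits.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CHALLENGE_TTL_SECONDS = 30  # reset interval taken from the article's example (assumed, not Microsoft's exact value)


@dataclass
class SignInChallenge:
    session_id: str
    number: str        # two-digit value shown on the sign-in screen (assumed format)
    issued_at: float
    used: bool = False


class NumberMatchingServer:
    """Hypothetical verifier for push MFA with number matching."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: Dict[str, SignInChallenge] = {}

    def start_sign_in(self, session_id: str) -> str:
        """Issue a push challenge; returns the number the sign-in page shows the user."""
        number = f"{secrets.randbelow(100):02d}"
        self.pending[session_id] = SignInChallenge(session_id, number, self.clock())
        return number

    def approve(self, session_id: str, entered: Optional[str]) -> Tuple[bool, str]:
        """Handle the authenticator app's response to a push.

        A bare approval (entered=None), a wrong number, a reused challenge or an
        expired challenge is rejected, so a user who taps without reading the
        sign-in screen cannot accidentally let an attacker in.
        """
        ch = self.pending.get(session_id)
        if ch is None:
            return False, "unknown session"
        if ch.used:
            return False, "challenge already used"
        if self.clock() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            del self.pending[session_id]          # stale prompt: user must start over
            return False, "challenge expired"
        if entered is None:
            return False, "number required"       # the one-tap approval fatigue attacks rely on
        if not (len(entered) == 2 and entered.isascii() and entered.isdigit()):
            return False, "number mismatch"
        if not secrets.compare_digest(entered, ch.number):
            return False, "number mismatch"
        ch.used = True                            # single use: a replayed approval fails
        return True, "approved"
```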

ITPro reports "Microsoft Authenticator Mandates Number Matching to Counter MFA Fatigue Attacks"
