Microsoft introducing MFA number matching

Recognizing the recent vulnerabilities of existing mobile push multifactor authentication schemes, Microsoft is rolling out "number matching" by default when logging into MS365 services.

It's important to note this is just a mitigation measure on Microsoft's part, in order to minimize the risk of MFA attacks based on "fatigue" or "prompt bombing", which have become increasingly common: a threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.

Number matching is designed to mitigate this risk by introducing an additional step: besides simply clicking on "Yes, that's me" and confirming the identity, the users are now presented with a number they need to type into the mobile app to complete the authentication.

Of course, this still does not address proxy-in-the-middle MFA attacks, now a mature and unfortunately popular malicious technique.

As recommended by CISA, number matching is only a workaround, while true phishing-resistant MFA is what organizations should be aiming at. This means either certificate based auth (CBA) or the more user friendly FIDO2 tokens/passkeys, currently becoming a strong authentication standard on all platforms.