Multifactor Authentication (MFA) adds a layer of security protection by requiring users to provide information beyond a password when they try to log into their account. Microsoft utilizes and recommends number matching notifications for its MFA services, an upgrade from traditional two-factor notifications. Users are sent a unique number they need to type into the Microsoft Authenticator app before they access their account.

Other forms of MFA include text-message and email codes, but they are overall less secure. Text-message and email code notifications lack the uniqueness that number matching provides which puts the users accounts at risk. The unique number provides additional security by ensuring that hackers cannot gain access to a desired account through tactics such as MFA bombing and MFA fatigue attacks. Due to the increased security risk, Microsoft will soon enforce number matching notifications for all Microsoft Authenticator users.

What is Happening?  

Until now, the Microsoft Authenticator app would send a simple push notification and allowed for admin control and enforcement for what notification type was being used. Users could choose if they wanted to use number matching or a different type of MFA notification. Starting on May 8, 2023, Microsoft is removing the admin control and enforcing the number match experience for all Microsoft Authenticator push notifications.

Number matching is the most secure form of MFA notifications and organizations are faced with an increased risk of a cyberattack when using other forms. Wanting to decrease the risk of attacks, Microsoft is taking matters into their own hands and enforcing the most secure form of MFA notifications for all users of their authenticator app.   

Why is Number Matching for MFA Being Enforced? 

While all MFA notification types have provided additional areas of protection for organizations accounts, attackers have found ways to override the system. By using a technique such as MFA bombing and MFA fatigue attacks, attackers are able to bypass traditional security methods.

MFA bombing which leads to MFA fatigue attacks, allows attackers to send large numbers of authentication requests to an online account. With the help of automated tools and sometimes stolen credentials data, attackers are able to send out thousands of notification request. The hope is the user will get so overwhelmed by the bombardment of MFA notifications that the user selects “allow” to make the notifications stop. Once the user allows access into their account, hackers can gain access to the desired system often installing ransomware and holding data hostage in exchange for money.  

MFA bombing and MFA fatigue attacks are preventable when number matching as the notification type. The unique number provided with number matching increases protection for users. Other forms of MFA notifications lack the uniqueness which puts individual accounts and organizational data at an increased risk. The number provided is almost impossible to duplicate which ensures that organizations are protected from these attacks. Unlike with text and email codes, attackers can no longer send out thousands of automated requests that bombard users in an attempt to access a desired account.

As cybersecurity risks increase, organizations must adapt and become more vigilant when protecting their data. Microsoft understands the risk from not enabling number matching, which is why they are enforcing it starting on May 8, 2023.  


What Can Your Organization Do? 

Although organizations have until May 8th to enable MFA number matching, we have already been rolling out number matching for our clients. We recommend working with our team to schedule the transition before it’s enforced on May 8th to ensure your organization has increased protection against cybersecurity attacks.

Contact us at Virtuas for assistance enabling number-matching notifications and for all your cybersecurity needs.



Our team @Virtuas