Microsoft will update the multifactor authentication portion of the Office 365 login process Feb. 27. Once the update is applied, Microsoft Authenticator app users will be required to enter a two-digit code in the app when they receive a push notification as their second factor. This feature, called number matching, will replace the previous functionality that required only approving a push notification. Users of the Authenticator app who are using a PIN to authenticate will not be affected by this change.

[Image: Microsoft sign-in prompt reading "Approve sign in request. Open Authenticator app, and enter the number shown to sign in. 27. No numbers in your app? Make sure to upgrade to the latest version. I can't use my Microsoft Authenticator app right now. More information."]

Don’t fall victim to an attack 

Microsoft is implementing this feature to combat a rise in multifactor-authentication fatigue attacks. These attacks, also known as "push bombing," occur when a cyberthreat actor uses stolen login credentials to bombard a user with mobile-app push notifications. Some users may approve one of these fraudulent notifications out of frustration, while others may accidentally approve a fraudulent notification while trying to accept a legitimate one.

Metropolitan State University of Denver's Information Technology Services Security Team has seen multiple users fall victim to MFA fatigue. For example, an account was compromised using this technique and was then used to send fake job ads through Canvas' internal-messaging system. With number matching enabled, it will be much harder to accidentally approve a malicious MFA prompt.

The impact for anyone using the Microsoft Authenticator app will be quite broad, as most MSU Denver web services are connected to Microsoft's Office 365 single sign-on, including:

  • Office 365 email
  • Teams
  • Canvas
  • Workday
  • WordPress 
  • GlobalProtect 

Other important information:

  • Anyone using the Microsoft Authenticator app should ensure that they are running the most up-to-date version, since older versions of the app will no longer work once number matching is live. 
  • Number matching is not supported for Apple Watch, Android wearable devices or other devices that don’t have a typing interface. Users will need to transition their second authentication factor to a device that supports number-matching prompts. 

How to protect yourself

ITS strongly recommends using the Microsoft Authenticator app as your preferred MFA authenticator, especially with this new security feature.  

For instructions on making the change, please see "How do I switch to using the Authenticator app instead of receiving a phone call?" on the ITS Knowledgebase and "Download and install the Microsoft Authenticator app" on the Microsoft support website.

If you have any questions or concerns, please submit an MFA support ticket.

Additional resources