Microsoft Authenticator already protects against MFA fatigue attacks

Oct. 28 (Portaltic/EP) –

The Microsoft Authenticator app has strengthened multi-factor authentication (MFA) with two new features, 'number matching' and 'additional context' in the push notification, designed to prevent MFA fatigue (push-bombing) attacks and accidental approvals.

Multi-factor authentication adds an extra layer of security to logins, but it is not without problems, and its growing adoption has been followed by the rise of so-called 'MFA fatigue attacks'.

“These attacks are based on the user’s ability to approve a simple voice, SMS, or push notification that does not require the user to have context of the session they are authenticating,” said Alex Weinert, Director of Identity Security at Microsoft, in September, on the occasion of a report on this threat.

By simple approvals they mean cases in which the user receives a notification and only has to tap 'approve' or enter a PIN to authorize the login, instead of typing a code that is displayed on the login screen.

MFA fatigue attacks exploit the little attention users pay to simple approvals. The attacker bypasses multi-factor authentication by repeatedly attempting to log in with previously stolen credentials, which translates into a constant stream of approval requests to the victim’s phone.

This flood of notifications can lead the user to accept one of them by mistake, or without thinking, thus giving the attackers access to the account.

To prevent such attacks, Microsoft has implemented 'number matching' in Microsoft Authenticator, a feature that prevents accidental approvals by requiring the user to type into the app a two-digit number shown on the login screen, as explained on the company's Tech Community blog.

“If the user did not initiate the login, they will not know the two-digit code, which will require the malefactor to share the two-digit code in a separate channel, which the user must not accept,” the company points out.

This feature is already available to the administrators of an organization's accounts. They can also enable another new feature, 'additional context', which also helps reduce accidental approvals by displaying in the notification the application being accessed and the location from which the login request originates.

Microsoft explains that 'additional context' and 'number matching' can be combined in the same notification.
