Description
When using the Microsoft Authenticator app with Azure Multi-Factor Authentication, you’ll be prompted to enter a number shown on your screen to complete your login. In addition, the name of the application requesting authentication will appear on the number matching screen. This article shows you what this number-matching process looks like.
Environment
Smartphone with the Microsoft Authenticator app installed, computer
About
Microsoft has launched the number-matching update to comply with the U.S. Cybersecurity Agency MFA recommendations to help protect your account from hackers. These recommendations prevent a form of hacking called MFA fatigue attacks. During an MFA fatigue attack, a hacker steals your password in a phishing attempt and then spams you with MFA push notifications, hoping that you'll approve one and let them access your data. Authenticating through number-matching prevents this type of attack. In addition to number-matching, the name of the application requesting authentication will be listed on the number-matching screen in the Microsoft Authenticator app, further enhancing security by allowing you to recognize an authorized log-in. If you do not recognize the app named in the Authenticator request, or are not attempting to open it, then the request may be malicious. Report any suspicious behavior to Information Security at security@ohio.edu and reset your password.
Note: This feature impacts anyone who uses the Microsoft Authenticator app to authenticate. It is not possible to opt out of number matching when using the app. However, if you use a phone call or text message (SMS) to authenticate, you will not be impacted.
Procedure
- Navigate to any online application requiring your OHIO log-in (e.g., Catmail, Blackboard).
- Enter your OHIO email address and password.
- You will receive a push notification on your phone from the Microsoft Authenticator app.
  - You may not receive a notification if you have selected Remember me for 90 days. You can open a private/incognito window on your web browser to see the new authentication experience.
- Select the push notification on your phone.
- You will then see a number on the log-in screen of the device you are signing in on.
- Enter this number in the Authenticator app and select Yes. The name of the application requesting authentication will appear above the number entry field.
  - Note: If you do not recognize the name of the application, or if you are not attempting to access the application named in the request, do not accept the request; it may be malicious.
Outcome: You have successfully authenticated your log-in via number matching on the Microsoft Authenticator app.
Note:
- You can still select Remember me for 90 days at any online OHIO log-in screen.
- Apple Watch is no longer compatible with the Authenticator app due to this security update.
- When you connect to campus VPN, you will receive a push notification instead of being prompted to number-match.
Tip: Do not accept any authentication requests that you do not recognize. You can view your account's log-in history by opening the Microsoft Authenticator app and selecting Review Recent Activity. You can also navigate to myaccount.microsoft.com and select My sign-ins. If you do not recognize the log-in device or location, you should reset your password immediately.
Additional Resources:
Get help from OIT