The Multi-Factor Authentication portion of the Office 365 login process will receive an update April 13 at 10 p.m. Once the update is applied, Metropolitan State University of Denver users who have set up the Microsoft Authenticator app to deliver push notifications will be required to enter a two-digit code to their second-factor notification when logging in to their MSU Denver accounts. This feature, called number matching, will replace the previous functionality that required only approving a push notification from the app.
This change will impact only those using the Microsoft Authenticator app to receive push notifications; people using other MFA methods, including using other features of the Authenticator app, will not be affected. Although this update was previously announced as arriving late last month, Microsoft decided to delay the servicewide update to May 8. Since this would fall on finals week of the MSU Denver spring semester, the University is electing to apply the update earlier, to maintain security standards while minimizing any potential impact on the community.
Microsoft is implementing this feature to help combat a recent rise in MFA-fatigue attacks. These attacks, also known as “push bombing,” occur when a cyberthreat actor uses stolen login credentials to bombard a user with mobile app push notifications. Some users may eventually approve one of these fraudulent notifications out of frustration, but others may accidentally approve a fraudulent notification while trying to accept a legitimate one. In this way, even computer-savvy users can fall victim to such attacks — including here at MSU Denver, where the Information Technology Services Security Team has seen multiple users become victims of MFA fatigue recently. Just this week, an account was compromised using this technique, and it then was used to send fake job ads through Canvas’ internal messaging system. With number matching enabled, it will be much harder to accidentally approve a malicious MFA prompt.
While this change will impact only those using the Microsoft Authenticator app to receive push notifications, that impact will be quite broad, since most MSU Denver web services are connected to Microsoft’s Office 365 single sign-on, including Office 365 email, Teams, Canvas, Workday, WordPress and GlobalProtect. Anyone using the Microsoft Authenticator app should ensure they are running the most up-to-date version, since older versions of the app will no longer work once number matching is live. Additionally, number matching is not supported for Apple Watch, Android wearable devices or other devices that don’t have a typing interface. Anyone using such a device will need to transition their second authentication factor to a phone or other device that supports number-matching prompts.
ITS strongly recommends using the Microsoft Authenticator app as your preferred MFA authenticator, especially with this new security feature. For instructions on making the change, please see How do I switch to using the Authenticator app instead of receiving a phone call? on the ITS Knowledgebase and Download and install the Microsoft Authenticator app on the Microsoft support website.
If you have any questions or concerns, please submit an MFA Support ticket.
Additional resources
- What is Multi-Factor Authentication? (Source: MSU Denver ITS Knowledgebase)
- Advanced Microsoft Authenticator security features are now generally available (Source: Microsoft)
- Defend your users from MFA fatigue attacks (Source: Microsoft)
- Implementing Number Matching in MFA Applications (Source: Cybersecurity & Infrastructure Security Agency, cisa.gov)