Microsoft back down on plans to enforce Microsoft Authenticator number matching

Microsoft lack of spine networking

So, I’ve been talking to my security guy about Microsoft’s latest security backpedal. Let me tell you, he’s an unhappy bunny. Microsoft set a deadline of February 27th for enforcing Microsoft Authenticator number matching. Then they “listened to customers” and pushed it back to May 8th. Not only that, what they were previously going to enforce is now just going to be a default option that customers can switch off.

Microsoft notification bearing the following text:

Upcoming Authentication number matching enforcement
Microsoft Authenticator number matching admin controls will be removed after February 27, 2023.
Number matching will be enforced for all Microsoft Authenticator users after this date.

Enforcement deadline for February

A Microsoft announcement with the following text:

When will my tenant see number matching if I don't use the Azure portal or Graph API to roll out the change?
Number match will be enabled for all users of Microsoft Authenticator push notifications after May 8, 2023. We had previously announced that we will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we will extend the availability of the rollout controls for a few more weeks.
Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match while others don't. To ensure consistent behaviour for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users.

Soft deadline for May

This flip-flop behaviour is a trend for Microsoft’s security announcements and it’s becoming laughably predictable.

They did the same with Office macros and with switching off basic authentication.

What is number matching?

For those of you who don’t know, number matching is a security feature that requires users to enter a number on their device that matches the number in the authentication prompt. This added step helps prevent attackers from using stolen credentials to access the user’s account. And it’s important because push fatigue is a real thing. When users are bombarded with authentication requests, they start ignoring them or approving them through inattention or error. This makes it easier for attackers to access the user’s account. Number matching helps prevent push fatigue by adding an extra layer of security.

But Microsoft’s kicking the can down the road is just causing confusion and undermining trust. My security guy has been handholding users as he moves their Microsoft Authenticator over to number match. Now Microsoft is shifting the deadline and allowing an opt-out. He feels like they don’t take security seriously. If Microsoft can’t seem to make up their mind on what’s important, how can customers trust that their systems are secure?
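Since Microsoft's notice says the only way to get consistent behaviour is to roll number match out yourself through the Azure portal or Graph API rather than waiting on a default that can move, here is an added example (not code from the post) that audits a tenant's Microsoft Authenticator policy and, on request, enforces number matching for all users. Assumptions not on the page: the Graph endpoint, the @odata.type and the featureSettings.numberMatchingRequiredState shape follow Microsoft's public Graph reference as I know it, and GRAPH_TOKEN holds an access token with Policy.ReadWrite.AuthenticationMethod.

```python
# Added example, not the post's code. Assumptions (not on the page): the Graph
# endpoint, @odata.type and numberMatchingRequiredState shape follow Microsoft's
# public Graph reference as I know it; GRAPH_TOKEN holds a suitable token.
import json
import os
import sys
import urllib.request

GRAPH_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
             "/authenticationMethodConfigurations/MicrosoftAuthenticator")
ALL_USERS = "all_users"
NO_EXCLUSION = "00000000-0000-0000-0000-000000000000"  # Graph's "exclude nobody" id

def number_match_enforced_for_all(config: dict) -> bool:
    """True only when number matching is explicitly enabled for every user;
    'default' just inherits whatever Microsoft currently decides, so it does not count."""
    nm = (config.get("featureSettings") or {}).get("numberMatchingRequiredState") or {}
    if nm.get("state") != "enabled":
        return False
    inc = nm.get("includeTarget") or {}
    if inc.get("targetType") != "group" or inc.get("id") != ALL_USERS:
        return False
    # A real excluded group leaves those users on plain tap-to-approve push.
    return (nm.get("excludeTarget") or {}).get("id") in (None, "", NO_EXCLUSION)

def enforce_payload() -> dict:
    """PATCH body that switches number matching on for all users, no exclusions."""
    return {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
            "featureSettings": {"numberMatchingRequiredState": {
                "state": "enabled",
                "includeTarget": {"targetType": "group", "id": ALL_USERS},
                "excludeTarget": {"targetType": "group", "id": NO_EXCLUSION}}}}

def graph(method: str, token: str, body=None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # PATCH answers 204 with an empty body

if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]
    if number_match_enforced_for_all(graph("GET", token)):
        print("number matching already enforced for all users")
    elif "--enforce" in sys.argv:
        graph("PATCH", token, enforce_payload())
        print("number matching now enforced for all users")
    else:
        print("tenant relies on Microsoft's default or excludes users; rerun with --enforce")
```

Run it without arguments first: a tenant that reports "enforced" here will behave the same whether Microsoft's deadline is February, May or never.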

My view

My view is that these artificial deadlines give us the leverage we need with customers to push through best practice security measures. Even though we both know that, when push comes to shove, Microsoft always backs down before the deadline. However, the truth is that the best practice here is to roll out WebAuthn and FIDO2 keys. Microsoft's setting and then changing these deadlines can exhaust our resources on the wrong target. Number matching is a good second best for the time being. But the attackers will soon transition to more sophisticated phish sites. They will soon find this necessary in order to keep their numbers up. The attackers already have the technology standing by. It's just cheaper and more efficient to use the old techniques while they still work. Maybe that's a tipping point that Microsoft has just moved from February to May.

The old adage is that you don't have to run faster than the bear to get away. You just have to run faster than the guy next to you. If you're like us, you've been relying on number matching to outpace the competition. This news from Microsoft may be too little and too late. But it does mean that we've now got a little longer to invest in FIDO keys and roll them out. At least for our most sensitive accounts.
