Multi-Factor Authentication (MFA) - Number Matching
TLDR:
We will be enabling a new feature called "Number Matching" to improve security with MFA
- When you log in, a number will be shown on the screen
- Your Authenticator app will prompt you, open the notification
- Type the number on the screen into the mobile app and approve
- Done
What is Number Matching
With number matching enabled, the Microsoft Authenticator app requires users to type the number displayed on the sign-in screen into their mobile device to complete the authentication process.
Your laptop will look something like this:
The prompt on your mobile device will look like the following screenshot:
Please enter the number shown, then tap "Yes" or the tick/enter button on the keyboard (if available).
Please note: Microsoft recommends that users install the latest version of the Authenticator app on their Android or iOS devices. However, keep in mind that the number matching feature isn't supported on Apple Watch (as of January 2023). Users will need to uninstall the Microsoft Authenticator Apple Watch app and approve the notifications on their mobile devices instead.
Additional Context
On your mobile device, you will see additional context on where the authentication prompt is coming from.
- The app shows which service the sign-in is for; in this case Office 365 Exchange Online, our email system. You may also see other services such as Salesforce or Microsoft Teams.
- The approximate location of the device attempting to authenticate
Location:
Please take this information with a pinch of salt; it is not always accurate.
Location data is derived from the IP address of the device trying to authenticate (not GPS).
IP address location matching can be inaccurate for the following reasons:
- Your Internet Service Provider (ISP) might terminate your connection in a different location
- IP addresses are looked up in different geolocation databases, which can disagree; one may place you in the next town over, for example
- You might be using a VPN
- You might be sharing an IP address with another user
- Public Wi-Fi can sometimes have wildly different IP addresses; it may say you are hundreds of miles away
The location should be used as a general guide, not as the rule.
Why are Microsoft turning this on for everyone?
The traditional way of approving an MFA prompt is very simple: you receive a request via a notification and approve it.
You may accidentally approve a notification, and hackers are always looking for new ways to break into accounts. One technique that is currently on the rise is "MFA Fatigue" (also known as MFA spamming).
What is MFA Fatigue?
MFA Fatigue is a technique of repeatedly spamming the user with MFA push notifications for additional verification. By spamming continuously, attackers hope users will eventually approve a request, assuming it came from a legitimate source.
In that way attackers can gain access to the user account or the organisation's systems. This attack relies heavily on social engineering.
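To show why number matching defeats a blindly approved prompt, here is a simplified, added illustration of the server-side check (not Microsoft's code); the two-digit number range, single-use challenges and the push payload shape are assumptions made for this example. The number is shown only on the sign-in screen, never sent in the push, so a tap on a notification the user did not initiate cannot supply it.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

NUMBER_RANGE = 100  # assumption: a two-digit number (0-99) is shown on the sign-in screen


@dataclass
class Challenge:
    number: int        # shown on the sign-in screen; must be typed into the app
    app: str           # additional context: which service is signing in
    location: str      # additional context: approximate, IP-derived location
    used: bool = False


class PushVerifier:
    """Server side of a number-matching push prompt (constructed for illustration)."""

    def __init__(self) -> None:
        self.pending: dict[str, Challenge] = {}

    def start(self, app: str, location: str) -> tuple[str, int]:
        """Create a challenge; returns (push id for the phone, number for the screen)."""
        cid = secrets.token_hex(8)
        number = secrets.randbelow(NUMBER_RANGE)
        self.pending[cid] = Challenge(number, app, location)
        return cid, number

    def push_payload(self, cid: str) -> dict:
        """What the phone receives: context to judge the prompt, but never the number."""
        ch = self.pending[cid]
        return {"id": cid, "app": ch.app, "location": ch.location}

    def approve(self, cid: str, typed: Optional[int]) -> bool:
        """Approve only if the user typed the on-screen number; one attempt per prompt."""
        ch = self.pending.get(cid)
        if ch is None or ch.used:
            return False
        ch.used = True            # a wrong or blank answer burns the prompt
        if typed is None:         # legacy "Approve" tap without a number: rejected
            return False
        return typed == ch.number
```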
For more general information and FAQs about MFA, please see here:
MFA - FAQ : IT Self Service System (teachfirst.org.uk)