5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue

Information

Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings give users who receive passwordless and push requests additional information and context, such as the geographic location the request came from and the requesting application, and can require a number match before the request is approved.

Ensure the following are Enabled.

Require number matching for push notifications

Show application name in push and passwordless notifications

Show geographic location in push and passwordless notifications

NOTE: On February 27, 2023 Microsoft started enforcing number matching tenant-wide for all users using Microsoft Authenticator.

Rationale:

As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience 'MFA fatigue.' This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details are displayed to enhance the end user's awareness. Of these three options, number matching provides the strongest net security gain.

Impact:

Additional interaction will be required by end users using number matching as opposed to simply pressing 'Approve' for login attempts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To configure Microsoft Authenticator to protect against MFA fatigue:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click to expand Protection > Authentication methods and select Policies.

Select Microsoft Authenticator

Under Enable and Target, ensure the setting is set to Enable.

Select Configure

Set the following Microsoft Authenticator settings:

Require number matching for push notifications: Status set to Enabled, Target All users

Show application name in push and passwordless notifications: Status set to Enabled, Target All users

Show geographic location in push and passwordless notifications: Status set to Enabled, Target All users
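The portal steps above can also be verified programmatically. The following is an added example, not part of the benchmark or the Nessus plugin: it evaluates the three feature settings from a Microsoft Graph response for the MicrosoftAuthenticator authentication method configuration (GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator). The property names are assumed to follow the Graph microsoftAuthenticatorFeatureSettings resource, and the sample payload is constructed, with one setting left Microsoft-managed and one scoped to a single group so the check has something to report.

```python
import json

# Constructed sample of the Graph response (property names follow the
# microsoftAuthenticatorFeatureSettings resource; the values are made up).
SAMPLE_POLICY = json.loads("""{
  "id": "MicrosoftAuthenticator",
  "state": "enabled",
  "featureSettings": {
    "numberMatchingRequiredState": {
      "state": "enabled",
      "includeTarget": {"targetType": "group", "id": "all_users"}
    },
    "displayAppInformationRequiredState": {
      "state": "default",
      "includeTarget": {"targetType": "group", "id": "all_users"}
    },
    "displayLocationInformationRequiredState": {
      "state": "enabled",
      "includeTarget": {"targetType": "group", "id": "11111111-1111-1111-1111-111111111111"}
    }
  }
}""")

# The three settings this benchmark item requires, keyed by Graph property name.
REQUIRED_FEATURES = {
    "numberMatchingRequiredState": "Require number matching for push notifications",
    "displayAppInformationRequiredState": "Show application name in push and passwordless notifications",
    "displayLocationInformationRequiredState": "Show geographic location in push and passwordless notifications",
}


def check_authenticator_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy meets this item."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Microsoft Authenticator method is not Enabled")
    features = policy.get("featureSettings") or {}
    for prop, label in REQUIRED_FEATURES.items():
        feature = features.get(prop) or {}
        # 'default' means Microsoft-managed, which the benchmark does not accept as Enabled.
        if feature.get("state") != "enabled":
            findings.append(f"{label}: Status is '{feature.get('state', 'missing')}', expected 'enabled'")
        if (feature.get("includeTarget") or {}).get("id") != "all_users":
            findings.append(f"{label}: Target is not 'All users'")
    return findings


if __name__ == "__main__":
    for finding in check_authenticator_policy(SAMPLE_POLICY) or ["compliant"]:
        print(finding)
```

In a live check the same function is run on the JSON returned by Graph for the tenant (Policy.Read.All is the permission normally needed to read it).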

Default Value:

Microsoft-managed

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1)

Plugin: microsoft_azure

Control ID: d5b684b61b8e60c27b7063fcc6ecc8b593741e12ca530c4dbd1613025a9a80b0