TL;DR: The Microsoft Authenticator app will enforce number matching starting February 27th 2023 in response to MFA fatigue attacks. anDREa has already enabled location and additional context; number matching will follow soon. The activation date is still to be decided, most likely before the end of 2022.
Multi-factor authentication (MFA) is a layered end-user security measure: after logging in with their username and password, users are presented with an additional verification step. The login procedure then relies not only on something you know (username and password) but also on something you have (your phone). While this seems quite secure, cybercriminals have been deploying a technique called MFA fatigue attacks to gain access to systems.
MFA fatigue attacks
An MFA fatigue attack is a social engineering technique in which cybercriminals who already hold a user's username and password bombard that user with MFA push notifications until one is (accidentally) accepted. It has gained quite some popularity among hackers, as it has proven to be a simple yet effective way to exploit human error and gain access to private information. When logging in to myDRE, you are most likely familiar with the Microsoft Authenticator app. After entering your @mydre.org username and corresponding password, you are presented with an MFA request on your phone which you can approve or deny. When you get spammed with multiple of these requests, you might get annoyed, think it is a system malfunction and approve one to get rid of the requests. That single approval grants the attacker access to your information.
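From the defender's side, a fatigue attack shows up in the sign-in logs as a burst of pushes for one account, often ending in a single approval. The following is an added example (not part of the original post, and not anDREa's or Microsoft's tooling) that scans constructed MFA push events for such bursts and flags the case where the user approved one during the burst. The log format, the user names, the 5-pushes-in-10-minutes threshold and the outcome names are assumptions for the illustration; real sign-in logs use a different schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real sign-in logs): "timestamp user outcome",
# one line per push notification sent to the user's Authenticator app.
SAMPLE_LOG = """\
2022-11-03T09:14:02Z alice@mydre.org denied
2022-11-03T09:14:35Z alice@mydre.org denied
2022-11-03T09:15:10Z alice@mydre.org timeout
2022-11-03T09:15:48Z alice@mydre.org denied
2022-11-03T09:16:20Z alice@mydre.org timeout
2022-11-03T09:17:05Z alice@mydre.org approved
2022-11-03T08:02:11Z bob@mydre.org approved
2022-11-03T13:45:30Z bob@mydre.org approved
2022-11-03T22:10:00Z carol@mydre.org denied
2022-11-03T22:11:30Z carol@mydre.org denied
2022-11-03T22:13:00Z carol@mydre.org timeout
2022-11-03T22:14:10Z carol@mydre.org denied
"""

THRESHOLD = 5                   # pushes inside one window that count as a burst (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def parse_events(text):
    """Parse log lines into (timestamp, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)


def detect_mfa_fatigue(events, threshold=THRESHOLD, window=WINDOW):
    """Return {user: summary} for every user who received `threshold` or more
    pushes within `window`; `approved_in_burst` marks the dangerous case where
    the user tapped Approve while the burst was still ongoing."""
    per_user = defaultdict(list)
    for ts, user, outcome in events:
        per_user[user].append((ts, outcome))

    findings = {}
    for user, user_events in per_user.items():
        recent = deque()  # pushes whose timestamp lies within `window` of the current one
        for ts, outcome in user_events:
            recent.append((ts, outcome))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) < threshold:
                continue
            summary = findings.setdefault(user, {
                "first": recent[0][0], "last": ts,
                "max_pushes_in_window": 0, "approved_in_burst": False,
            })
            summary["last"] = ts
            summary["max_pushes_in_window"] = max(summary["max_pushes_in_window"], len(recent))
            if outcome == "approved":
                summary["approved_in_burst"] = True
    return findings


if __name__ == "__main__":
    for user, summary in detect_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        flag = "APPROVED DURING BURST" if summary["approved_in_burst"] else "no approval"
        print(f"{user}: {summary['max_pushes_in_window']} pushes between "
              f"{summary['first']:%H:%M:%S} and {summary['last']:%H:%M:%S} ({flag})")
```

With the sample above, only alice is reported (six pushes in three minutes, the last one approved); carol's four denials stay under the threshold and bob's two approvals hours apart are normal use. In practice the threshold is tuned per environment, and an `approved_in_burst` hit is the one to treat as a probable compromise rather than as noise.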
Additional context, location and number matching
In an effort to make MFA fatigue attacks less likely to succeed, Microsoft has added three pieces of information to the request coming from the Microsoft Authenticator app. Two of these features have already been enabled for all users of myDRE, and you might have seen them if you looked at your MFA request properly (and you should!). The MFA request now presents you with additional context (which app is requesting access) and location (where the request is being sent from). Until now, we have not enabled the third feature, number matching. As the name says, after signing in with your username and password you are shown a number on the sign-in screen, which you then have to enter in the MFA request on your phone. An example can be found below:
Example of number matching in the Microsoft Authenticator app.
We have received news that the Microsoft Authenticator app will enforce number matching starting February 27th 2023. anDREa will therefore enable number matching beforehand, so that everyone can get used to the additional authentication step; the activation date is still to be decided, but will most likely be before the end of 2022. Although we understand that this might be quite cumbersome, it keeps your information secure by making you act consciously on MFA requests and by increasing your awareness.
MFA requests coming from myDRE contain the following data:
- Your @mydre.org username
- App: digital research environment (weu-andrea) - portal
- Location: the location the request is being sent from.
- Soon: a number matching box in which to enter the number.
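To make concrete why number matching, as described above, breaks the fatigue attack, here is an added toy model (not the original post's content and not Microsoft's implementation) of the exchange: the number is shown only on the sign-in screen, is bound to one sign-in request, and an approval that does not carry the right number is rejected and consumes the request. The class and function names, the 00..99 range and the user names are assumptions for the illustration.

```python
import secrets


class NumberMatchingMfa:
    """Toy model of the number-matching step (an illustration, not Microsoft's code).

    After the password check, the sign-in page shows a two-digit number. The
    Authenticator prompt asks the user to type that number, so only someone who
    can see the sign-in screen can complete the approval."""

    def __init__(self):
        self.pending = {}  # request id -> (user, expected number)

    def start_sign_in(self, user):
        """Server side: password accepted, issue a challenge bound to this one request.
        Returns (request id, number). The number goes to the sign-in screen only;
        the push sent to the phone carries just the request id."""
        request_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # 00..99, like the number in the Authenticator prompt
        self.pending[request_id] = (user, number)
        return request_id, number

    def respond(self, request_id, entered_number):
        """Phone side: the user acts on the push and types a number (or nothing).
        The request is consumed either way, so a wrong answer cannot be retried."""
        challenge = self.pending.pop(request_id, None)
        if challenge is None:
            return False  # unknown, expired or already answered request
        _user, expected = challenge
        return entered_number == expected


def legitimate_sign_in(mfa, user="alice@mydre.org"):
    """The person at the keyboard sees the number and types it into the prompt."""
    request_id, number_on_screen = mfa.start_sign_in(user)
    return mfa.respond(request_id, number_on_screen)


def fatigue_style_approvals(mfa, user="alice@mydre.org", attempts=10):
    """The sign-ins were started from someone else's screen, so the victim never
    sees the number. Annoyed by the pushes, the victim keeps tapping Approve
    without a number. Returns how many of those approvals were accepted."""
    accepted = 0
    for _ in range(attempts):
        request_id, _number_unknown_to_victim = mfa.start_sign_in(user)
        if mfa.respond(request_id, entered_number=None):
            accepted += 1
    return accepted


if __name__ == "__main__":
    mfa = NumberMatchingMfa()
    print("legitimate sign-in accepted:", legitimate_sign_in(mfa))
    print("approvals accepted without the number:", fatigue_style_approvals(mfa))
```

The two properties that matter are in `respond`: the challenge is popped before it is checked, so every push can be answered once at most, and a bare "approve" (no number) is just a wrong answer. Compared with the plain approve/deny prompt, the spammed user can no longer make the attacker's sign-in succeed by tapping Approve; they would also have to know the number on the attacker's screen.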