Microsoft Quietly Improved Authenticator Security to Thwart MFA Fatigue Attacks

New Microsoft Authenticator prompts

Microsoft today reported that it finished rolling out a new feature for its Authenticator app in September, improving its security and addressing an interesting problem called “MFA fatigue.” (MFA stands for multi-factor authentication.)

If you use Microsoft Authenticator, you may have seen this new behavior. (I have.)


“We now suppress Authenticator notifications when a request displays potential risks, such as when it originates from an unfamiliar location or is exhibiting other anomalies,” Microsoft’s Alex Weinert writes in the announcement post. “This approach significantly reduces user inconvenience by eliminating irrelevant authentication prompts.”

Previously, Microsoft Authenticator would pop up a notification for each authentication attempt. Now, risky-looking login requests prompt the user on the sign-in page to “Open your Authenticator app and enter the number shown to sign in,” without triggering a notification on the user’s phone. Only when they open the app themselves are they asked to approve the login: the app prompts them to enter the confirmation number while displaying the name of the app that triggered the request and the user’s location, with a map.

“MFA fatigue” occurs when hackers use stolen credentials to repeatedly spam a user’s phone with bogus authentication requests in an attempt to get them to approve one in error. This method has been so successful that Microsoft decided to change how these prompts work in its Authenticator app, first by implementing a number-matching scheme and now via the no-prompt behavior noted above.
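The two mechanisms described above (number matching, and suppressing the push notification when a request looks risky) can be modeled as a small policy engine. The following is an added illustrative example, not Microsoft's code or a description of its internal logic: the risk signals (unfamiliar country, a burst of prompts in a short window), the thresholds, and the data structures are all assumptions chosen to mirror the behavior the article describes.

```python
"""Illustrative model of risk-gated push notifications with number matching.

Added teaching example, not Microsoft's implementation. The risk signals,
thresholds and data shapes below are assumptions that mirror the article:
risky requests get no push, the user must open the app and type the number
shown on the sign-in page, and the app displays the requesting app's name
and the request's location alongside the number prompt.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthRequest:
    user: str
    app: str          # relying application that triggered the sign-in
    country: str      # coarse location derived from the request (assumed signal)
    timestamp: float  # seconds since epoch


@dataclass
class UserProfile:
    known_countries: set
    recent_request_times: list = field(default_factory=list)


@dataclass
class NumberMatchChallenge:
    """Two-digit number shown on the sign-in page; the user types it into the app."""
    number: int = field(default_factory=lambda: secrets.randbelow(100))

    def verify(self, entered: int) -> bool:
        # Constant-time comparison of the zero-padded digits.
        return secrets.compare_digest(f"{self.number:02d}", f"{int(entered):02d}")


@dataclass
class Decision:
    push_notification: bool      # False: no push, user must open the app unprompted
    risk_reasons: list           # why the request was treated as risky (empty if not)
    challenge: NumberMatchChallenge
    app_context: dict            # what the app shows next to the number prompt


BURST_WINDOW_SECONDS = 300   # assumed look-back for repeated prompts
BURST_THRESHOLD = 3          # assumed count of prior prompts in the window that flags a burst


def assess_risk(req: AuthRequest, profile: UserProfile) -> list:
    """Return the list of risk reasons for this request (empty means low risk)."""
    reasons = []
    if req.country not in profile.known_countries:
        reasons.append("unfamiliar_location")
    prior_in_window = [t for t in profile.recent_request_times
                       if req.timestamp - t <= BURST_WINDOW_SECONDS]
    if len(prior_in_window) >= BURST_THRESHOLD:
        reasons.append("prompt_burst")
    return reasons


def handle_sign_in(req: AuthRequest, profile: UserProfile) -> Decision:
    """Decide whether to push a notification; always issue a number-match challenge."""
    reasons = assess_risk(req, profile)
    profile.recent_request_times.append(req.timestamp)
    return Decision(
        push_notification=not reasons,
        risk_reasons=reasons,
        challenge=NumberMatchChallenge(),
        app_context={"app": req.app, "location": req.country},
    )


if __name__ == "__main__":
    # Constructed scenario: a user who normally signs in from the US.
    profile = UserProfile(known_countries={"US"})
    for req in (AuthRequest("alice", "Outlook", "US", 1000.0),
                AuthRequest("alice", "Outlook", "BR", 1010.0),
                AuthRequest("alice", "Outlook", "US", 1020.0),
                AuthRequest("alice", "Outlook", "US", 1021.0)):
        d = handle_sign_in(req, profile)
        print(f"{req.country} @ {req.timestamp:.0f}: push={d.push_notification} "
              f"reasons={d.risk_reasons} show={d.app_context} number={d.challenge.number:02d}")
```

In this model the challenge is issued for every request, so a suppressed push never weakens the check: it only removes the interruption that an attacker replaying stolen credentials would otherwise be able to trigger at will. A real deployment would back `UserProfile` with the identity provider's sign-in history and would count far richer signals than the two shown here.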

“We’ve prevented more than 6 million passwordless and MFA notifications since the deployment began,” Weinert says. “By the vast majority, these were hacker-initiated notifications serving no value to customers. Implementation of this feature has led to a smoother and more secure experience for users.”



Thurrott © 2024 Thurrott LLC