Why Turning On Number Matching Is Now Urgent
In my last post, I said that this post would be about the relative strengths of different MFA methods. Due to unforeseen events – specifically, the breaches of Uber and Rockstar Games – that post will be delayed in favor of this one.
In this post, I’m going to provide some information about these recent, highly-publicized attacks, and provide some advice to help individuals and companies that use Microsoft products protect themselves from this type of breach.
What We Know About MFA Vulnerability
Unfortunately, I can’t go into too much depth about the breaches in the headlines. In the cases of the attacks on large, sophisticated technology companies that have made recent cybersecurity news, it is clear that many different factors had to have contributed to the hacks. Not all of these factors have been made or will be made public.
However, one of the factors that is public – and that both the Lapsus$ and the 0ktapus attacks have in common – is getting around multi-factor authentication (MFA) by spamming a user whose password had already been stolen with “bursts” of MFA notifications until that user accepted one, letting the hackers in.
Advice for Everyone
If you get an MFA request on your phone when you yourself aren’t trying to sign into your work or school account, your password may be compromised, and you should change it. This situation is more likely if you have reused your password anywhere, which we don’t recommend. Note that if you change your password on a computer or phone that already has malware on it, the attacker will get your new password too, so this alone may not solve your problem.
If you are part of an organization that has alerting turned on, suspicious sign-in attempts that use the correct password may cause an email alert to your IT or cybersecurity team. As a precaution, they may lock your account, change your password, and reach out to you to make sure your device is secure.
If you get a burst of MFA notifications in a short period of time, this is a serious problem. It is easily mistaken for your MFA app being “glitchy” or “broken,” but in reality, this event means your password has almost certainly been stolen. In this case, it is more likely that you are being targeted by someone who may also have access to your device(s) via malware. Contact your IT team immediately for further assistance.
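To give an IT or security team something concrete to alert on, here is an added example (not from the original post) that scans sign-in events for the burst pattern described above and flags the worst case, a burst that ended in an approval. The event shape and the outcome labels are assumptions for illustration, not Entra's real sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed sign-in log shape:
# (UTC timestamp, user, outcome). Outcome labels are illustrative, not
# Entra's real result codes.
SAMPLE_EVENTS = [
    ("2022-09-15T02:01:05Z", "alice@example.com", "mfa_denied"),
    ("2022-09-15T02:01:40Z", "alice@example.com", "mfa_denied"),
    ("2022-09-15T02:02:12Z", "alice@example.com", "mfa_timeout"),
    ("2022-09-15T02:02:50Z", "alice@example.com", "mfa_denied"),
    ("2022-09-15T02:03:30Z", "alice@example.com", "mfa_approved"),
    ("2022-09-15T08:00:00Z", "bob@example.com", "mfa_approved"),
    ("2022-09-15T14:10:00Z", "carol@example.com", "mfa_denied"),
    ("2022-09-15T14:11:00Z", "carol@example.com", "mfa_denied"),
    ("2022-09-15T14:12:00Z", "carol@example.com", "password_fail"),
    ("2022-09-15T14:12:30Z", "carol@example.com", "mfa_denied"),
]
# Only events that actually pushed a prompt to the phone count toward a burst.
PUSH_OUTCOMES = {"mfa_denied", "mfa_timeout", "mfa_approved"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: (count, approved)} for users who received at least
    `threshold` push prompts inside any `window`; `approved` is True when one
    of those prompts was accepted, the case needing an immediate password
    reset and session revocation."""
    per_user = defaultdict(list)
    for ts, user, outcome in events:
        if outcome in PUSH_OUTCOMES:
            per_user[user].append((parse_ts(ts), outcome))
    findings = {}
    for user, prompts in per_user.items():
        prompts.sort()
        start = 0
        for end in range(len(prompts)):
            # Advance the window start until the span fits inside `window`.
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > findings.get(user, (0,))[0]:
                burst = prompts[start:end + 1]
                findings[user] = (count, any(o == "mfa_approved" for _, o in burst))
    return findings

if __name__ == "__main__":
    for user, (count, approved) in detect_mfa_bursts(SAMPLE_EVENTS).items():
        print(f"{user}: {count} prompts in 5 min, approved={approved}")
```

On the constructed data this flags alice (five prompts, one approved) and carol (three denials, none approved) while bob's two ordinary sign-ins hours apart are ignored.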
If your team doesn’t yet have a plan for hardening your MFA system against this type of attack by including number matching or other counter-measures in app-based MFA, or if you don’t know whether they do or not, feel free to direct them to this post.
If you don’t have an IT team or you’re not confident that your IT team is doing their best to stay ahead of threats in a constantly changing landscape, feel free to reach out to Deep Core Data today.
Why Number Matching Can Help
This specific technology protects you from absent-mindedly or mistakenly tapping “Approve” on an MFA notification and giving an attacker access to your account.
Instead of just seeing “Approve” or “Deny,” your MFA prompts on your phone will ask for a two-digit code, shown on the sign-in screen, that you must enter on your phone to confirm that you initiated the prompt yourself. It looks like this:
This makes it impossible for an attacker with your password to take over your account with a notification – unless that attacker somehow sends the number on their computer screen to you, during the handful of seconds when it is valid.
Because you only have to type two digits, it doesn’t increase the difficulty of signing into your account very much compared to other MFA methods, such as typing a six-digit code from a software token or SMS message.
Implementing Number Matching for M365 Admins
The official Microsoft directions for enabling number matching are here. They are focused on hybrid domains with RADIUS active. Most of our clients’ domains don’t match this description, so these directions are slightly misleading for them. If you have an entirely cloud-based (not hybrid or on-premises) domain, you can turn on number matching with a handful of clicks on a Microsoft website.
There are multiple Microsoft administrator portals you can use to edit MFA settings across your tenant, but the Microsoft Entra interface is most intuitive for this task. Navigate to entra.microsoft.com, then choose Protect & secure on the left, then Authentication Methods below Protect & secure, then Microsoft Authenticator in the center, then Configure in the upper-right.
On this page, you can choose to “Require number matching for push notifications” for all users or for a select group. Once the change is saved, it will take effect immediately.
Deep Core Data provides cloud administration and security incident response assistance to small internal IT teams, too. If you’d like to have more backup for situations like this, please feel free to get in touch with us.