In February 2023 Microsoft updated the Microsoft Authenticator app, its app for Multi-Factor Authentication (MFA).
An additional number-matching step was added to the authentication procedure to provide a more secure method of push notification MFA.
If you use the Authenticator App, which is the recommended MFA method, then this change will affect you.
What is the change?
The recommended method for setting up MFA for your University account is the Microsoft Authenticator app with push notifications. Currently, anyone with this MFA method enabled will receive a notification to their Microsoft Authenticator app whenever MFA is required. When they view the notification in the app they see a choice to either Approve or Deny the sign-in request, similar to the following:
Once the change is made you will no longer be given this Approve/Deny choice in your Microsoft Authenticator app and will instead be asked to perform number-matching on a screen similar to the following:
The number you need to enter will be displayed on the device you're attempting to sign in to, and the prompt to enter it will appear on the mobile device where you use Microsoft Authenticator. Once you enter a number the 'Yes' button in the prompt becomes active, but you'll only be signed in successfully if the number you enter exactly matches the number displayed on the sign-in screen. Because the number is shown only on the device that started the sign-in, a prompt for a sign-in you did not start gives you nothing to enter, which is what makes it much harder to approve someone else's sign-in attempt by accident. For the same reason, never enter a number that another person reads or sends to you: the number should always come from a sign-in screen you are looking at yourself.
When will this change be made?
The rollout of the change was staggered, so the date on which you notice the change depends on your role within the University:
- Monday 6 February – all Information Services colleagues
- Monday 13 February – all remaining Professional Services colleagues
- Monday 20 February – all academic colleagues
- Monday 27 February – all students, associates and enhanced associates.
Do I need to do anything to prepare for this change?
In most cases, you won’t need to do anything to prepare for this change. Microsoft has already updated the Microsoft Authenticator app to support number-matching, so as long as you’ve either manually or automatically updated the app on your device, you’ll simply start getting the new experience from that date. You won’t need to set up MFA on your device again, or make any changes to the settings in your Microsoft Authenticator app.
Will any devices be unable to use the new number-matching method?
Unfortunately, some devices currently using Microsoft Authenticator with Approve/Deny notifications will be unable to use number-matching, since they can’t run the required newer version of the Microsoft Authenticator app. This is most likely to occur with devices which are no longer receiving system/firmware updates from the manufacturer. In the event that your device cannot use number-matching with Microsoft Authenticator, you’ll need to use an alternative MFA method instead.
Microsoft has also issued the following statement regarding Microsoft Authenticator on Apple Watch:
“In the upcoming Microsoft Authenticator release in January 2023 for iOS, there will be no companion app for watchOS due to it being incompatible with Authenticator security features. You won't be able to install or use Microsoft Authenticator on Apple Watch. We therefore recommend that you delete Microsoft Authenticator from your Apple Watch, and sign in with Microsoft Authenticator on another device.”
Why is this change being made?
This is a mandatory change being made by Microsoft for all organisations which use its services, including the University. The Approve/Deny method was found to be vulnerable to 'MFA fatigue' (also called 'push bombing') attacks, in which an attacker who already has a user's password triggers sign-in prompts again and again until the user, worn down or confused, taps Approve. Attacks of this kind played a part in successful cyber-attacks against companies such as Uber, so Microsoft is requiring all accounts to adopt number-matching as a more secure method of push notification MFA.
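The following is an added example, not code from the University page or from Microsoft: a toy model of an identity provider issuing push MFA prompts, used to compare the Approve/Deny flow described under "What is the change?" with the number-matching flow, and to show why push bombing succeeds against the former and fails against the latter. The two-digit number, the limit of three wrong attempts, the user name and the attacker scenarios are assumptions made for the simulation; the real Microsoft service is not modelled beyond the property that the number is shown only on the device that started the sign-in.

```python
# Added example (not from the University page or Microsoft): a toy model of
# an identity provider issuing push MFA prompts, used to compare the old
# Approve/Deny flow with number matching. The two-digit number, the
# attempt limit and the user name are assumptions for the simulation.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Challenge:
    challenge_id: int
    user: str
    display_number: int        # shown only on the device that started the sign-in
    approved: bool = False
    wrong_attempts: int = 0


class PushMfaServer:
    """Identity provider that has already checked the password and is now
    waiting for the second factor from the user's Authenticator app."""

    MAX_WRONG = 3  # assumption: a challenge is abandoned after 3 wrong numbers

    def __init__(self, number_matching: bool) -> None:
        self.number_matching = number_matching
        self.challenges: Dict[int, Challenge] = {}
        self._next_id = 0

    def start_sign_in(self, user: str) -> Challenge:
        """Whoever knows the password can call this. It creates a pending
        prompt and returns the number that the sign-in screen displays."""
        self._next_id += 1
        ch = Challenge(self._next_id, user, secrets.randbelow(100))
        self.challenges[ch.challenge_id] = ch
        return ch

    def pending_prompts(self, user: str) -> List[int]:
        """What the Authenticator app sees: open prompt ids, never the number."""
        return [c.challenge_id for c in self.challenges.values()
                if c.user == user and not c.approved
                and c.wrong_attempts < self.MAX_WRONG]

    def respond(self, challenge_id: int, entered: Optional[int]) -> bool:
        """The user's answer from the app. Returns True if sign-in completes."""
        ch = self.challenges[challenge_id]
        if ch.approved or ch.wrong_attempts >= self.MAX_WRONG:
            return False
        if not self.number_matching:
            ch.approved = True         # Approve/Deny: one tap completes it
            return True
        if entered == ch.display_number:
            ch.approved = True         # number matching: the answer is bound
            return True                # to this specific sign-in attempt
        ch.wrong_attempts += 1
        return False


def legitimate_sign_in(number_matching: bool) -> bool:
    """The user starts the sign-in, sees the number, and answers the prompt."""
    server = PushMfaServer(number_matching)
    ch = server.start_sign_in("alice")
    entered = ch.display_number if number_matching else None
    return server.respond(ch.challenge_id, entered)


def push_bombing(number_matching: bool, prompts: int = 20) -> bool:
    """MFA fatigue: the attacker already has the password and fires many
    sign-ins. The worn-down user eventually approves the latest prompt.
    They did not start the sign-in, so no number is shown on any screen
    they can see; under number matching they have nothing to type."""
    server = PushMfaServer(number_matching)
    attacker = [server.start_sign_in("alice") for _ in range(prompts)]
    latest = server.pending_prompts("alice")[-1]
    server.respond(latest, None)       # blind tap / empty answer
    return any(c.approved for c in attacker)


def number_read_over_phone() -> bool:
    """Caveat: number matching does not help if the attacker phones the user
    pretending to be IT, reads out the number from the attacker's own
    sign-in screen, and the user types it in."""
    server = PushMfaServer(number_matching=True)
    ch = server.start_sign_in("alice")
    return server.respond(ch.challenge_id, ch.display_number)


if __name__ == "__main__":
    print("Approve/Deny, push bombing succeeds:", push_bombing(False))
    print("Number matching, push bombing succeeds:", push_bombing(True))
    print("Number matching, number read over the phone:", number_read_over_phone())
```

The model makes the security property concrete: under Approve/Deny any tap on any prompt completes whichever sign-in produced it, whereas under number matching the app's answer is only accepted for the one attempt whose screen displayed that number. The last function is the caveat that survives the change: the control protects against accidental or fatigued approval, not against a user who is talked into typing a number supplied by someone else.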
Can I continue using the Approve/Deny method instead of number-matching?
No, as mentioned above the Approve/Deny method was identified by Microsoft as being insecure, so they are going to stop allowing its use and will be requiring all accounts to make use of number-matching or an alternative MFA method instead.
I currently use another method for MFA, will this change affect me?
Anyone currently using an alternative method for MFA, such as SMS text message, voice call or a 6-digit TOTP code (either via an app or an MFA hardware token), will see no change to those other MFA methods. This change only affects the Microsoft Authenticator push notification MFA method, so you'll only notice it if you use that method, whether on its own or alongside one of these other methods.
I’ve been granted a temporary or long-term exception to MFA, will this change affect me?
No, if you’re currently exempted from being required to perform MFA this will still be the case following this change. However, if your exception is temporary then you’ll start getting the new number-matching experience once your exception expires, if the push notification MFA method is set up for your University account.
Where can I see which MFA methods have been set up for my account?
Where can I find further information?