Microsoft Authenticator MFA Changes

I remember when ‘day lamps’ were a new thing for cars. We were encouraged to have our headlights on during the day, and new cars were coming out with an ‘auto’ feature for day lamps. At the time, the insurance industry cited many studies where this small change had a huge impact, reducing accidents! Then we got used to the headlights, and although it’s still important, the impact is reduced; it’s just human nature that we would get used to seeing the headlights.

MFA Fatigue—the new human ‘syndrome’ impacting the success of MFA to secure your accounts. When you have multi-factor authentication (MFA) enabled (and you should!), you’ll receive a message asking for approval, often through the Microsoft Authenticator app on your phone. If you’re not actively logging in, then someone else may be trying and you can ‘Deny’ so they can’t access the account. This has saved quite a few of our clients!

In a rather high-profile case, a C-Suite member of a large company was being inundated by authentication requests. Out of sheer frustration, he hit ‘Accept’ and was hacked! I’m glad to report that when one of our clients had a similar barrage, they called us and we were able to confirm the hacking attempt and shut down the bad actors.

In response to this ‘fatigue,’ Microsoft has made some changes to the authentication message. If you want to approve the sign-in, you’ll enter the two-digit code you received. There’s even an option to see a GPS image along with the code. Seems like a simple change, although it is yet another step.

The biggest resistance seems to be coming from those with Apple Watches. It was pretty easy to hit ‘Approve’ but less convenient to type in the two digits, which are in a pretty small font when displayed on a watch!

So here’s the news we need to share—Microsoft has been rolling this out over the last several months. It’s been included in various updates and new installations, and for now, it’s something that can be enabled. Beginning February 27th, this will no longer be optional; the two-digit code for MFA will be enforced. Kind of reminds me of seat belts—first it was recommended, then it was the law and was aggressively enforced. Now all new cars come with the annoying beeping if you don’t have it on. I think we all have to take a deep breath and know that this is for our safety (belts and two-digit codes). Any questions, give us a call. – CMW