Microsoft Authenticator Adds Number Matching Feature
Microsoft Authenticator has long supported click-to-confirm login, allowing users to approve their Microsoft account login by simply tapping on the authenticator.
This feature proves quite useful for passwordless users, as it enables swift login without the need for entering a password or a dynamic verification code.
However, hackers can exploit a certain vulnerability inherent in this verification mechanism—a vulnerability not stemming from Microsoft Authenticator itself but from the users.
Microsoft’s click-to-confirm verification method indeed simplifies user login. However, hackers can also initiate login requests using any arbitrary user account.
Similar to receiving SMS verification codes, service providers typically advise against sharing codes with anyone. Users should also refrain from indiscriminately approving login requests.
Theoretically, users should only approve requests they themselves have initiated. Nevertheless, some users either misunderstand this concept or inadvertently grant hackers login approval.
Microsoft previously employed a three-option numerical verification, but even with a three-option system, there remains a certain probability of deception, posing risks for novice users.
It seems that Microsoft detected numerous similar attacks or received user feedback, prompting the requirement for users to enter verification codes before granting approval in the latest version.
Starting today, when users initiate a Microsoft Authenticator request, the login page will display a two-digit verification code, which must be entered into the authenticator.
By employing this number matching mechanism, users cannot unwittingly approve logins, thereby enhancing security and avoiding issues caused by inadvertent actions.
Of course, with the addition of the number matching mechanism, users must input a two-digit verification code on their phones, making the login process more cumbersome. Nonetheless, this inconvenience is unavoidable.
Via: Neowin