Azure multi-factor authentication (MFA) is undergoing a major change with the global rollout of the "Number Matching" feature for all Azure tenants. The rollout, now announced and given a fixed date, is the next step in Microsoft's push toward "passwordless" authentication.
Tenant Rollout Announcement
Since the announcement dated January 22, 2023 at the latest, the rollout date has been known, as has the fact that Microsoft is removing the administrator controls and thereby making the number matching feature in the Authenticator app mandatory. Specifically, the announcement reads as follows.
Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users starting February 27, 2023.
We highly recommend enabling number matching in the near term for improved sign-in security.
Why Microsoft is pushing the Number Matching rollout
The reason for this rollout is the increasing number of successful attacks on systems protected by MFA. This is due to the varying strength of MFA authentication methods such as SMS, phone calls, OTP tokens and push notifications. While these methods increase security compared to no MFA, they are becoming increasingly vulnerable to attacks. Successful attacks on MFA-protected systems rely on the MFA fatigue method, also known as MFA spamming: the attacker, already holding the password, triggers push notifications until the user approves one out of habit or annoyance. The Number Matching feature addresses this problem and prevents this method, as can be read in this article from Microsoft.
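To make the difference concrete, here is a small simulation added to this post (constructed model, not Microsoft or Authenticator code). It models a user who approves every prompt: with one-tap push approval, every attacker-triggered prompt succeeds, whereas with number matching the user would have to type the two-digit number shown on the attacker's sign-in screen, which they never see. The class and function names are assumptions for the illustration.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Challenge:
    """One pending sign-in. `number` is shown only on the sign-in screen, never in the push."""
    session_id: int
    number: Optional[int]   # None when number matching is disabled


class AuthenticatorPolicy:
    """Toy model of the tenant setting: one-tap approve vs. number matching (constructed)."""

    def __init__(self, number_matching: bool, seed: int = 0):
        self.number_matching = number_matching
        self.rng = random.Random(seed)      # seeded so the simulation is reproducible
        self.pending = {}
        self.next_id = 0

    def start_challenge(self) -> Challenge:
        self.next_id += 1
        number = self.rng.randrange(100) if self.number_matching else None
        challenge = Challenge(self.next_id, number)
        self.pending[challenge.session_id] = challenge
        return challenge

    def approve(self, session_id: int, entered: Optional[int]) -> bool:
        challenge = self.pending.pop(session_id)
        if not self.number_matching:
            return True                       # one-tap approve: the tap itself is the consent
        return entered == challenge.number    # user must type the number from the screen


def fatigued_user(challenge: Challenge, at_sign_in_screen: bool, rng: random.Random) -> Optional[int]:
    """A user who approves every prompt. Only someone at the sign-in screen knows the number."""
    if challenge.number is None:
        return None                           # push-approve: just taps Approve
    return challenge.number if at_sign_in_screen else rng.randrange(100)


def attacker_success_rate(number_matching: bool, prompts: int = 1000) -> float:
    """Share of attacker-triggered prompts accepted; the real user is not at the sign-in screen."""
    policy = AuthenticatorPolicy(number_matching, seed=1)
    guess_rng = random.Random(2)
    wins = 0
    for _ in range(prompts):
        c = policy.start_challenge()
        wins += policy.approve(c.session_id, fatigued_user(c, False, guess_rng))
    return wins / prompts


def legitimate_sign_in(number_matching: bool) -> bool:
    """The real user is at the sign-in screen and can read the number."""
    policy = AuthenticatorPolicy(number_matching, seed=3)
    c = policy.start_challenge()
    return policy.approve(c.session_id, fatigued_user(c, True, random.Random(4)))
```

With number matching enabled, the residual rate reflects a blind two-digit guess (about 1%), while the legitimate user still signs in normally in both modes.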
What the Number Matching MFA rollout means
For existing tenants, the Number Matching feature becomes the new default for all users using the Authenticator app for MFA. This means that the administrator controls under Azure AD > Security > Authentication Methods > Policies > Microsoft Authenticator > Configure will no longer be available after the rollout on February 27, 2023. With Number Matching as the new standard, push notifications will no longer be available for easy one-touch acceptance of login requests. Number Matching via push notification will then be the only option.
Those who do not want to use Number Matching, for whatever inexplicable reason, can still configure the other MFA methods, such as SMS, phone call, third-party tokens and certificate-based authentication. In this case, however, the choice must be weighed carefully so as not to artificially reduce security.