Number Matching MFA Rollout

Azure multi-factor authentication (MFA) is undergoing a major change with the global rollout of the "Number Matching" feature for all Azure tenants. The now announced and dated rollout is the next step in Microsoft's push toward "passwordless" authentication.

Tenant Rollout Announcement

Since the announcement of January 22, 2023 at the latest, both the rollout date and the fact that Microsoft is restricting the administrator controls, and thereby pushing the number matching feature in the Authenticator app going forward, have been known. Specifically, the announcement reads as follows.
Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users starting February 27, 2023.
We highly recommend enabling number matching in the near term for improved sign-in security.
Read here.

Number Matching Mobile & Desktop
Source: https://learn.microsoft.com

Why Microsoft is pushing the Number Matching rollout

The reason for this rollout is the increasing number of successful attacks on systems protected by MFA. This is because MFA authentication methods such as SMS, calls, OTP tokens and push notifications differ in strength. While these methods increase security compared to no MFA at all, they are becoming increasingly vulnerable to attack. Successful attacks on MFA-protected systems rely on the MFA fatigue method, also known as MFA spamming. The Number Matching feature addresses this problem and prevents this method, as can be read in this article from Microsoft.
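To make the difference between a plain push approval and Number Matching concrete, here is a small server-side model written for this post. It is an added illustration, not Microsoft's Authenticator or Azure AD code: it issues a two-digit challenge that is shown only on the sign-in screen, and a login is approved only when the phone-side answer carries that number. The 60-second lifetime, the three-failure lockout and the `simulate_fatigue` scenario are assumptions of the model, not documented Authenticator behaviour.

```python
"""Model of number-matching push MFA versus simple push approval.

Added illustration, not Microsoft's Authenticator code: a minimal server-side
challenge store showing why a prompt that must be answered with the two-digit
number displayed on the sign-in screen resists blind "Approve" taps.
The TTL and lockout threshold below are assumed values for the model.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 3      # assumed: lock the challenge after this many wrong answers
TTL_SECONDS = 60.0    # assumed: challenge lifetime in seconds


def legacy_push_respond(tapped_approve: bool) -> str:
    """Classic push MFA: the login succeeds if the user taps Approve.

    Nothing ties the tap to the session that requested it, which is what
    MFA fatigue (repeated prompts until one is approved) exploits.
    """
    return "approved" if tapped_approve else "denied"


@dataclass
class Challenge:
    number: int              # two-digit number shown on the sign-in screen only
    created_at: float
    failures: int = 0
    state: str = "pending"   # pending | approved | locked | expired


class NumberMatchService:
    """Issues and verifies number-match challenges (simplified model)."""

    def __init__(self) -> None:
        self._challenges: Dict[str, Challenge] = {}

    def start_sign_in(self, user: str, now: Optional[float] = None) -> dict:
        """Create a challenge. The number goes back to the sign-in screen;
        the push sent to the phone carries only the challenge id."""
        number = secrets.randbelow(100)                  # 00..99
        cid = secrets.token_hex(8)
        created = time.time() if now is None else now
        self._challenges[cid] = Challenge(number, created)
        return {"user": user, "challenge_id": cid, "display_number": f"{number:02d}"}

    def respond(self, cid: str, entered: Optional[int], now: Optional[float] = None) -> str:
        """Phone-side answer. `entered` is the number typed by the user,
        or None when the user tried to approve without entering a number."""
        ch = self._challenges.get(cid)
        if ch is None:
            return "unknown"
        if ch.state != "pending":
            return "closed"                              # a finished challenge cannot be replayed
        now = time.time() if now is None else now
        if now - ch.created_at > TTL_SECONDS:
            ch.state = "expired"
            return "expired"
        if entered is None or entered != ch.number:
            ch.failures += 1                             # a blind approve counts as a wrong answer
            if ch.failures >= MAX_FAILURES:
                ch.state = "locked"
                return "locked"
            return "denied"
        ch.state = "approved"
        return "approved"


def simulate_fatigue(attempts: int) -> int:
    """Constructed scenario: `attempts` sign-ins are started by someone who does
    not see the phone, and the phone owner blindly taps Approve each time without
    the on-screen number. Returns how many of those sign-ins were approved."""
    svc = NumberMatchService()
    approved = 0
    for _ in range(attempts):
        ch = svc.start_sign_in("victim", now=0.0)
        if svc.respond(ch["challenge_id"], None, now=1.0) == "approved":
            approved += 1
    return approved


if __name__ == "__main__":
    svc = NumberMatchService()
    ch = svc.start_sign_in("alice", now=0.0)
    print("blind approve ->", svc.respond(ch["challenge_id"], None, now=1.0))
    print("typed number  ->", svc.respond(ch["challenge_id"], int(ch["display_number"]), now=2.0))
    print("fatigue approvals out of 50:", simulate_fatigue(50))
```

The point the model makes is that the number never travels in the push itself: whoever triggered the sign-in sees it on their screen, and only the legitimate user, who is looking at both the screen and the phone, can supply it. Treating a numberless approval as a failed attempt and locking the challenge after a few wrong answers also closes off guessing the two digits by retrying.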

What the Number Matching MFA rollout means

For existing tenants, Number Matching becomes the new default for all users who use the Authenticator app for MFA. This means that the administrator controls under Azure AD > Security > Authentication Methods > Policies > Microsoft Authenticator > Configure will no longer be available after the rollout on February 27, 2023. With Number Matching as the new standard, push notifications will no longer offer simple one-touch acceptance of login requests; Number Matching via push notification will then be the only option.

Conclusion

In summary, the Number Matching rollout is an important step towards improving Azure MFA security. Microsoft is rolling out the effective and forced switch from push notifications to Number Matching with fairly short notice. Organizations and users who use the Authenticator app and want to continue to do so will be forced to use Number Matching. In my experience, the feature is reliable, easy to use and basically no extra work for the user; all they have to do is type a two-digit number off the screen. For this reason, I welcome this change, despite the short notice. The Number Matching option has been available since at least late summer 2022. So those who have already been active themselves and configured Number Matching as recommended are at an advantage in terms of user communication.

Those who do not want to use Number Matching for inexplicable reasons can still use the other MFA methods for configuration, such as SMS, call, third-party token and certificate-based authentication. In this case, however, the choice must be weighed up carefully so as not to artificially reduce security.

Sources:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match?WT.mc_id=AZ-MVP-5004129

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677?WT.mc_id=AZ-MVP-5004129
