Microsoft introduces new security feature to help users prevent brute force login attacks
Microsoft has added a new feature to its Authenticator app to help users protect their accounts against brute force attacks. The feature, called 'number matching', improves the company's multi-factor authentication (MFA) security measure by adding a new layer: users will be required to manually scan and key in a two-digit number to approve a login attempt.
Until now, once MFA is enabled on an account, a user gets a notification on the Microsoft Authenticator app to approve a login attempt. However, cyber attackers who get hold of an account's password often deploy a brute force attack to breach the account. In this attack, the attackers spam a user with multiple notifications on the Authenticator app, hoping that the user will be fatigued or distracted by them and accidentally approve a login attempt.
Cyber security researchers have often cited a lapse of focus, or lack of awareness around cyber security, as key reasons for a user's account to be breached.
Microsoft Authenticator's new number matching feature seeks to address this.
Under this feature, users who receive a login approval request on the Authenticator app will also receive a two-digit number, which must then be entered on the login screen of the Microsoft account in question for the login to be approved. The move could prevent accidental approvals, since it requires a user to deliberately give access to a login request.
Starting June 30, Microsoft made MFA mandatory for all Azure Active Directory enterprise users of Microsoft's cloud services. With this change, the company automatically enabled the feature for its enterprise clients, without requiring a company's security administrator to configure it.
Going forward, the company will allow administrators to manually adopt the new security feature. However, it will be automatically enabled for all users of Microsoft MFA starting February 2023.
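The notification spam described above is also something a defender can look for: many push prompts to one user in a short window, in the worst case ending in an approval. The Python below is an added example, not code from Microsoft or from this article; the event fields, outcome names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data): (time, user, push outcome).
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:00", "alice", "approved"),   # normal single prompt
    ("2023-01-10T02:10:00", "bob", "denied"),
    ("2023-01-10T02:10:40", "bob", "timeout"),
    ("2023-01-10T02:11:15", "bob", "denied"),
    ("2023-01-10T02:12:05", "bob", "timeout"),
    ("2023-01-10T02:12:50", "bob", "approved"),     # approval ends a burst
    ("2023-01-10T14:00:00", "carol", "denied"),
    ("2023-01-10T14:30:00", "carol", "denied"),     # spread out, not a burst
]


def find_push_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Return one finding per user whose push prompts reach `threshold`
    within `window`; `approved_in_burst` marks the dangerous case."""
    recent = defaultdict(deque)   # user -> (time, outcome) inside the window
    findings = {}
    parsed = sorted((datetime.fromisoformat(t), u, o) for t, u, o in events)
    for when, user, outcome in parsed:
        q = recent[user]
        q.append((when, outcome))
        while when - q[0][0] > window:      # drop prompts older than window
            q.popleft()
        if len(q) >= threshold:
            prior = findings.get(user, {"prompts": 0, "approved_in_burst": False})
            findings[user] = {
                "user": user,
                "prompts": max(prior["prompts"], len(q)),
                # An approval that follows rejected or ignored prompts in the
                # same window is the fatigue pattern: the user gave in.
                "approved_in_burst": prior["approved_in_burst"]
                or (outcome == "approved" and any(o != "approved" for _, o in q)),
            }
    return sorted(findings.values(), key=lambda f: f["user"])


if __name__ == "__main__":
    for finding in find_push_bursts(SAMPLE_EVENTS):
        print(finding)
```

A finding with `approved_in_burst` set is the case to triage first, since it means a prompt was accepted after a run of rejected or ignored ones.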
Microsoft also added that its Authenticator app for Apple's iOS devices will only use the company's 'App Transport Security' — a medium to transfer data using only secure connections — going forward.