With new security concerns arising all the time, it is important to keep improving recommended controls such as multifactor authentication (MFA). MFA is a secure method you should be using by default, but we also need to add context to the prompt to close off attack vectors such as MFA fatigue (an attacker spamming your device with push prompts until you accept one just to make them stop).
The new features in Azure AD let us provide more context in a push notification while also requiring number matching. With number matching, the sign-in screen shows a number and the user has to match that number in the Microsoft Authenticator app before the prompt is approved. This limits the risk: a fatigued user who accepts a prompt and picks a number at random still has a 2/3 chance of getting it wrong, and a user who never saw the sign-in screen has nothing to match against. Ideally, though, we want users to tell us when they receive MFA prompts they did not initiate, so we can act accordingly and protect the account.
The second feature is showing the application name in the push notification. This works brilliantly when you are using Azure AD to provide single sign-on into third-party applications: the additional context lets a user confirm the prompt is for the application they are signing in to, and not a simultaneous login attempt by an attacker.
The last feature is geographic location, which shows the user where the sign-in request is coming from. This can be a little hit and miss, since the location is derived from the IP address and users may see their Internet Service Provider's location rather than their own. But if your user is always in Australia, for example, and the prompt shows another country, that context has just proved its value: the user can now tell that the notification isn't them.
For me one of the best features of Azure AD is passwordless sign-in, which builds on the features above but means I no longer sign in with my password at all. Instead, after I enter my username, a number matching prompt appears in the Authenticator app. The fewer passwords I have, the more secure I am, and it's also one less thing to worry about in terms of password management.
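All of the settings discussed above (number matching, application name, location context, and allowing passwordless phone sign-in) live in one place: the Microsoft Authenticator entry of the Azure AD authentication methods policy. The following PowerShell is an added example and not code from the original post or from Vinti; it reads the current state, applies the hardened settings to all users, and reads it back to verify. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the Policy.ReadWrite.AuthenticationMethod scope, and that the beta Graph schema property names used here (featureSettings, numberMatchingRequiredState, displayAppInformationRequiredState, displayLocationInformationRequiredState, authenticationMode) still match the current documentation; check them before running against a production tenant.

```powershell
# Added example (not from the original post): harden the Microsoft Authenticator
# method in the Azure AD authentication methods policy via Microsoft Graph.
# Assumes Microsoft.Graph SDK is installed and the beta schema names below are current.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$uri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator"

$features = @(
    "numberMatchingRequiredState",            # user must match the number shown on the sign-in page
    "displayAppInformationRequiredState",     # application name shown in the push notification
    "displayLocationInformationRequiredState" # approximate sign-in location shown in the notification
)

# 1. Report the current state of each anti-fatigue feature before changing anything.
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($feature in $features) {
    $state = $current.featureSettings.$feature.state
    if (-not $state) { $state = "not set" }
    Write-Host ("{0,-42} {1}" -f $feature, $state)
}

# 2. Build the hardened configuration. "all_users" is the built-in target that
#    covers every user; substitute a pilot group's object id for a staged rollout.
$allUsers      = @{ targetType = "group"; id = "all_users" }
$enabledForAll = @{ state = "enabled"; includeTarget = $allUsers }

$body = @{
    "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state           = "enabled"
    featureSettings = @{
        numberMatchingRequiredState             = $enabledForAll
        displayAppInformationRequiredState      = $enabledForAll
        displayLocationInformationRequiredState = $enabledForAll
    }
    # authenticationMode "any" lets users register passwordless phone sign-in as
    # well as ordinary push approval; "push" alone would block passwordless.
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = "all_users"
            isRegistrationRequired = $false
            authenticationMode     = "any"
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 10)

# 3. Read the configuration back and confirm every feature is now enabled for all users.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
foreach ($feature in $features) {
    $setting = $after.featureSettings.$feature
    Write-Host ("{0,-42} {1} (target: {2})" -f $feature, $setting.state, $setting.includeTarget.id)
}
```

Run the first block on its own before the PATCH if you only want to audit a tenant: the GET needs just Policy.Read.All. Number matching in particular should be piloted with a group first, because users who approve prompts from a watch or locked-screen notification will find they now have to open the app.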
Reach out to Vinti if you want to learn how to go passwordless or get your Azure AD security set up to protect your sign-ins into Microsoft 365.