Microsoft MFA Number Matching

Body

On February 27, 2023, Microsoft will replace MFA "Push to Approve" authentication with MFA "number matching", a new and more secure MFA authentication method. If you have “Push to Approve” enabled as your MFA approval method, this will be replaced with “Number Matching.” This change only affects the Microsoft Authenticator App and people who use push notifications. The University of Delaware cannot block this roll-out. 

Microsoft is implementing number matching because it prevents MFA fatigue (people blindly hitting approve). By having to provide the 2-digit number from the app that needs approval to the Microsoft Authenticator app, you have to check to see which computer or device and app is triggering the MFA approval request. Your phone screen also shows where the MFA response message was triggered.

Steps to authenticate with MFA number matching

When you sign in to an app and are prompted for MFA authentication, a 2-digit number shows on the app that you are logging in to. You must then type this number on your MFA approval device for the approval to succeed. 

  1. Sign in to https://office.com or an o365 App such as email. Log in with your full email address and your UDelNet password. 

 If you've recently signed in to o365, you may not be prompted to provide MFA authentication. 

  1. From the app that you’re signing in to, a screen similar to the one below appears.

Number from the device you're logging in to

  1. On the phone, tap approve sign-in.

MobileDevice_ApproveSignInMsg

  1. On your authentication device, note the map location, and verify that this is the physical location of the device you’re logging in to.

  2. Type the 2-digit number on your authentication device, and tap Yes.

The numbers field on the authentication device with the matched number typed.

If you do not think an app you're using triggered the MFA request, leave the number field blank, and choose No, it’s not me. On the next screen, click Report. If you repeatedly receive number matching requests from a geographic location different from your current location, or that you believe were not generated by your computers or devices, contact the IT Support Center


Note:

If, on your MFA approval device, an app on that same device (such as Outlook) requires a number match, the number may be hidden. Tap I can't see the number, so that you can retrieve the needed 2-digit number. Then return to the requesting app so that you can type the number and approve the MFA. The window for MFA approval is short. If timing is an issue, you can send another approval request or choose to authenticate using one of your back-up authentication methods, such as an SMS code.