January 20, 2023

Microsoft multi-factor authentication (MS MFA) changes are coming your way

Multi-factor Authentication (MFA) Phishing attacks are on the rise, resulting in fraudulent MFA approval requests being delivered to users. The goal of an MFA Phishing attack is to catch the user off guard and lure them into approving a fraudulent MFA approval request. To prevent accidental approvals, users will shift from a ‘Deny / Approve’ verification notification to entering a two-digit number displayed on the sign-in screen when approving an MFA request in the Microsoft Authenticator application. The form of authentication described above is also known as ‘push One Time Passcode’ or ‘push OTP’. The shift to a two-digit entry method is critical to protecting our users.

As an added note, this shift will not affect verification methods that rely on reading a code, or one-time passcode (OTP), from an SMS/text message, manual passcode entry, or a hardware token device.

The MS MFA change will:

  • Improve the security of VUMC’s enterprise information and applications.
  • Reduce the threat of MFA Phishing attacks that target users by sending fraudulent MFA approval requests.
  • Shift to requiring the entry of a two-digit number into the Microsoft Authenticator application when logging on to enterprise applications where the push One Time Passcode (push OTP) method is used for verification.


What to expect:

Currently, when you attempt to access a resource that requires MFA via ‘push OTP’ within the Microsoft Authenticator application, you may be presented with a ‘Deny / Approve’ message in the Microsoft Authenticator application on your phone.

[Images: message displayed in application; ‘Deny / Approve’ display on an Android device; ‘Deny / Approve’ display on an iPhone]


In some cases, you may not know which resource is asking for approval. This is how MFA Phishing attacks can occur: the attacker counts on you not knowing the exact resource that is asking for approval and hopes that you will approve the fraudulent request without further investigation.

When the MFA change is in place, this is what you will experience instead.  When you attempt to access a resource that requires MFA via ‘push OTP’ within the Microsoft Authenticator application, the resource will display a message with a 2-digit number.  This message typically appears in the browser window that is presenting the resource to you.  Furthermore, you will be presented with a message in your Microsoft Authenticator application on your phone.  This message will include a field to enter a two-digit number.  The two-digit number that needs to be entered will be displayed in the enterprise application requesting authentication.  This ensures the request is authentic.  The shift to a two-digit number matching requirement prevents attackers from sending fraudulent requests to you.


[Images: 2-digit number displayed in application; 2-digit entry display on an Android device; 2-digit entry display on an iPhone]


As the implementation of this feature approaches, you will be made aware of the shift to the two-digit number input requirement along with guidance on how to adapt to the change.

Please refer to the MS MFA CHANGE website for more information, including a set of frequently asked questions (FAQs).  If you have additional questions, please contact the VUMC IT Help Desk at 615-343-HELP (4357) or submit a Pegasus Request.