February 3, 2023

Reminder: Microsoft multi-factor authentication changes coming

Multi-factor Authentication (MFA) Phishing attacks are on the rise which results in fraudulent MFA approval requests being delivered to users.  The goal of an MFA Phishing attack is to catch the user off guard and lure the user to approve an MFA approval request that is fraudulent. To prevent accidental approvals, users will shift from a ‘Deny /Approve’ notification of verification to entering a two-digit number displayed on the sign-in screen when approving an MFA request in the Microsoft Authenticator application. The form of authentication described above is also known as ‘push One Time Passcode’ or ‘push OTP’. The shift to a 2-digit entry method is critical to protecting our users.

As an added note, this shift will not affect verification entry methods that rely on reading a code, or one time passcode (OTP), from an SMS/text, manual passcode entry, or a hardware token device.

The MS MFA change will:

  • Improve the security on VUMC’s enterprise information and applications.
  • Reduce the threat of MFA Phishing attacks that target users by sending fraudulent MFA approval requests.
  • Shift to requiring the entry of a two-digit number into the Microsoft Authenticator application when logging on to enterprise applications where the push One Time Passcode (push OTP) method is used for verification.

What to expect:

Currently, when you attempt to access a resource that requires MFA via ‘push OTP’ within the Microsoft Authenticator application, you may be presented with an ‘Deny / Approve’ message in your Microsoft Authenticator application on your phone.