Is Passwordless MSA (consumer) less secure when not paired with number matching?

marlobello 0 Reputation points Microsoft Employee
2023-01-23T20:36:51.75+00:00

It seems that passwordless isn't as secure as we all wish it was, unless it is paired with number matching. It seems that all Microsoft 365 accounts will be moved to require number matching next month to address this. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

What about consumer accounts (e.g., @outlook.com)? The attack vector is that a threat actor could attempt to authenticate to your Microsoft account knowing nothing but your email address. The victim's authenticator app will get a push notification asking for approval. If the victim isn't diligent and doesn't think through the notification, they can (and likely will) approve the authentication. This does not pass the grandma test; it is too easy for someone to mistakenly allow the threat actor in.

I do not see a way to enable number matching on personal Microsoft accounts. I have a family member who has received multiple attempts to log in to their account, to the point where I think I must put a password back on their account to improve its security. What am I missing?
