Security Feature Updates From Microsoft
Microsoft has introduced features to increase the security of multi-factor authentication. The Microsoft Authenticator app now supports number matching for login. Number matching is more secure and helps reduce the number of times you have to type in your password. The Authenticator app also displays additional information about the service you are attempting to log into, including the application name and a rough estimate of where the login is coming from. This additional context is provided so you can determine whether a login attempt is legitimate before approving it.
NUMBER MATCHING
Number matching is a more secure method of authentication than the push-to-approve verification method it replaces. With number matching, a two-digit number will be displayed when you log in to a service. You simply enter that number into the Microsoft Authenticator app to approve the login.
WHY NUMBER MATCHING CAN HELP
This new approach to authentication protects you from mistakenly tapping “Approve” on an MFA notification and giving an attacker access to your account. Instead of just seeing “Approve” or “Deny,” MFA prompts on your phone will include a two-digit code that you must enter on your phone to confirm that you initiated the prompt yourself. The Microsoft Authenticator app also displays additional information, including the app being accessed and an approximate location of the login attempt.
This makes it more difficult for an attacker with your password to take over your account with a notification.
Because you only have to type two digits, it doesn’t significantly increase the difficulty of signing into your account compared to other MFA methods, such as typing a six-digit code from a software token or SMS text message. Also, with phone sign-in enabled you may be able to bypass entering your password before the number matching prompt.
This feature change does not affect your login process if you use SMS text messaging or one-time passcodes (OTP) via an authenticator app. If you are not currently using the Microsoft Authenticator app, it is highly recommended that you configure your account for it. See our Microsoft Authenticator app article to learn how to obtain and set up the app.
You can also access number matching from the password log-in menu: click Other ways to sign-in, then select Approve a request on my Microsoft Authenticator app when it appears in a separate browser window.
Note: The number matching feature doesn’t work with smartwatches; there is no estimated date when this capability might become available.
To learn more about this upgraded feature and its importance, see this CISA article on number matching.
For the best experience, enable Phone sign-in for your Middlebury account in the Microsoft Authenticator app as follows:
- Open the Microsoft Authenticator app.
- Select your Middlebury Account.
- Choose Enable phone sign-in.
- Follow on-screen instructions.