Strategy behind change in Microsoft Authenticator (2-factor auth app)

To work from home on my computer, I’ve needed to use Microsoft Authenticator and a corresponding computer app. I log in with account and password on the computer, then something pops up on screen on the cell phone for me to confirm that I stole AHunter3’s phone along with his laptop and we’re good.

At some point in semi-recent history, it all clamored for me to okay it to upgrade itself, warning me that insecure out-of-date protocols I was using would soon not be sufficient to permit me to connect to the VPN, so I did.

And whereas before I was asked to input a six-digit authentication code from one device to the other, in the newer edition it is a two-digit code.

:thinking:

I briefly tried Googling to find what the thinking behind that change was, but got immersed in pages of people making the usual complaints about the annoyance of two-factor authentication (can’t disagree but wasn’t what I was seeking).

What’s up with this? Why would they move from six digits to two as a supposed step in the more-secure direction?

I do seem to recall that the old system was supposed to let me just click an OK button but it never worked and always required the six-digit code. And sometimes the two-digit code doesn’t “take” and I’m asked to enter a six-digit code when I click “that didn’t work”, although it’s amazingly inconsistent and unpredictable. (Sometimes it resends a second popup of two digits to the phone, sometimes it says “sucks to be you” or equivalent and I have to back out and start over, etc.)

This is a change from Time-Based One-Time Passcodes (TOTP) to Authenticator push number matching. Instead of entering six digits from your app onto the page, you get a prompt on your phone and the page displays a two-digit number which needs to be entered into your phone.

Most organizations are making this change from push notifications to number matching to eliminate push fatigue attacks (outlined here: “Microsoft enforces number matching to fight MFA fatigue attacks”), which made the news as part of a recent Uber breach.

Your security team may have disabled push notifications until the number matching was Generally Available. There are also some systems that only support TOTP, so the change could be from a back-end upgrade.
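To make the difference concrete, here is a small simulation of the three flows leswax describes (six-digit TOTP, plain “tap Approve” push, and push number matching). It is an added example, not Microsoft’s code or anything from the thread: the TOTP function follows RFC 4226/6238 and is checked against the published test vectors, while the two push servers are a constructed model. The rule that a prompt is consumed after one wrong number is my assumption, not a documented Microsoft policy. The point it shows is that the two-digit number is not a secret the attacker has to guess at the server; it travels from the login page to the phone, so a user who never sees the attacker’s login page cannot approve it except by a blind 1-in-100 guess, whereas plain push approves every time.

```python
"""Constructed simulation: TOTP (old 6-digit flow) vs push vs push number matching.

Not Microsoft's code. The single-attempt-per-prompt rule is a modelling assumption.
"""
import hashlib
import hmac
import random
import secrets
import struct


# ---- Old flow: RFC 6238 TOTP. The code is read off the phone and typed into the page.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP(secret, floor(time/step)) truncated to `digits` (RFC 4226 / RFC 6238, SHA-1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# ---- New flow: number matching. The number goes from the page TO the phone.
class NumberMatchingServer:
    """After the password check the server shows a two-digit number only on the
    login page and pushes a prompt to the phone; the phone must send that same
    number back. A wrong answer closes the prompt (assumption, see lead-in)."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.pending = {}

    def start_login(self, user: str):
        session_id = secrets.token_hex(8)
        number = f"{self.rng.randrange(100):02d}"  # rendered on the login page only
        self.pending[session_id] = {"user": user, "number": number, "approved": False}
        return session_id, number

    def phone_approve(self, session_id: str, typed_number: str) -> bool:
        prompt = self.pending.pop(session_id, None)  # one answer per prompt
        if prompt is None:
            return False
        if hmac.compare_digest(prompt["number"], typed_number):
            prompt["approved"] = True
            self.pending[session_id] = prompt
            return True
        return False  # wrong number: prompt closed, this login attempt fails

    def is_approved(self, session_id: str) -> bool:
        return self.pending.get(session_id, {}).get("approved", False)


# ---- Older push: nothing on the page has to reach the phone, so any tap approves.
class PlainPushServer:
    def __init__(self):
        self.pending = {}

    def start_login(self, user: str) -> str:
        session_id = secrets.token_hex(8)
        self.pending[session_id] = {"user": user, "approved": False}
        return session_id

    def phone_approve(self, session_id: str) -> bool:
        self.pending[session_id]["approved"] = True
        return True


def fatigue_success_rate(server_kind: str, trials: int, seed: int = 1) -> float:
    """MFA-fatigue scenario: the attacker already has the password and starts
    `trials` logins; the worn-down user taps Approve on every prompt. With plain
    push that always works. With number matching the user never sees the number
    on the attacker's screen, so a blind guess is the best they can do."""
    user_rng = random.Random(seed)
    successes = 0
    if server_kind == "push":
        for _ in range(trials):
            srv = PlainPushServer()
            successes += srv.phone_approve(srv.start_login("victim"))
    else:
        srv = NumberMatchingServer(rng=random.Random(seed + 1))
        for _ in range(trials):
            sid, _number_on_attackers_screen = srv.start_login("victim")
            guess = f"{user_rng.randrange(100):02d}"  # user cannot see the real number
            successes += srv.phone_approve(sid, guess)
    return successes / trials


if __name__ == "__main__":
    print("TOTP at t=59:", totp(b"12345678901234567890", 59))
    print("plain push fatigue success rate:", fatigue_success_rate("push", 2000))
    print("number matching fatigue success rate:", fatigue_success_rate("match", 2000))
```

The legitimate path is unchanged in strength by the smaller number: a real user sees the number on their own screen and types it in, so it does not need to be hard to guess, only impossible to know without that screen. TOTP, by contrast, has to be six or more digits because the code itself is the proof and is checked at the server against anyone who types it.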

I had a rash of requests last month that I ignored.
Thanks, leswax