General
This check verifies whether push notifications are enforced as the MFA method in Microsoft Authenticator instead of one-time codes (one-time passwords, OTP).
Rationale
Microsoft Authenticator can show a user additional information about how a login attempt was initiated, which helps users recognise and report phishing attacks. These features only work when push notification is the MFA method.
In the default configuration, users can also opt for one-time passwords: Microsoft Authenticator then displays a 6-digit code that changes continuously and serves as the second factor. In that case the additional anti-phishing features do not apply, leaving the user unnecessarily vulnerable.
Attic Fix
A fix is available for this check! It will be offered via a ticket in Attic, which you can then accept.
Manual Instructions
Follow these steps to adjust the setting:
- Open the Microsoft Entra admin center: https://entra.microsoft.com
- Go to Protection > Authentication methods
- Click on Microsoft Authenticator
- Click on Configure
- Set the option Allow use of Microsoft Authenticator OTP to No
- Click on Save
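To verify the setting outside the admin center, the same check can be run over the Microsoft Authenticator method configuration as returned by Microsoft Graph. The script below is an added example, not part of this article or of Attic; it assumes the Graph v1.0 property names (state, isSoftwareOathEnabled) and uses a constructed sample object rather than a live tenant.

```python
"""Offline check of a Microsoft Authenticator authentication-method configuration."""
import json
from typing import Any

# Constructed sample in the shape of the Microsoft Graph v1.0 resource
# /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
# (property names are an assumption about that schema; the values are made up).
SAMPLE_POLICY = json.dumps({
    "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",
    "id": "MicrosoftAuthenticator",
    "state": "enabled",
    "isSoftwareOathEnabled": True,  # admin-center option "Allow use of Microsoft Authenticator OTP" = Yes
})


def evaluate(policy_json: str) -> dict[str, Any]:
    """Return {'compliant': bool, 'findings': [...]} for one Authenticator configuration."""
    cfg = json.loads(policy_json)
    findings: list[str] = []
    if cfg.get("id") != "MicrosoftAuthenticator":
        findings.append(f"unexpected configuration id {cfg.get('id')!r}")
    if cfg.get("state") != "enabled":
        findings.append("Microsoft Authenticator is not enabled as an authentication method")
    # A missing flag is treated as OTP allowed, because that is the tenant default described above.
    if cfg.get("isSoftwareOathEnabled", True):
        findings.append("OTP codes are allowed; set 'Allow use of Microsoft Authenticator OTP' to No")
    return {"compliant": not findings, "findings": findings}


def remediation(policy_json: str) -> dict[str, Any]:
    """Body for a Graph PATCH that turns OTP off (an assumption; this is not the Attic fix itself)."""
    cfg = json.loads(policy_json)
    return {"@odata.type": cfg["@odata.type"], "isSoftwareOathEnabled": False}


def apply_locally(policy_json: str) -> str:
    """Merge the remediation into the object the way a PATCH would, so it can be re-checked offline."""
    cfg = json.loads(policy_json)
    cfg.update(remediation(policy_json))
    return json.dumps(cfg)


if __name__ == "__main__":
    before = evaluate(SAMPLE_POLICY)
    after = evaluate(apply_locally(SAMPLE_POLICY))
    print(json.dumps({"before": before, "after": after}, indent=2))
```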