One of the podcasts I listen to is Security Now, hosted by Steve Gibson.
During last week's show, he read an email from a listener who had recently switched to using passkeys with his Microsoft account. The email mentioned using the Microsoft Authenticator app in the process, and the need to enter a two-digit code into the app.
Steve was a little confused by this mention of entering a two-digit code, but it was something I immediately recognized, as did co-host Leo Laporte.
Here’s a clip from this week’s show (episode 1026).
If you didn’t click the video, you’re depriving yourself of the chance to hear Steve Gibson reading an email I sent him.
Hi Steve,
I just listened to episode 1025 in which you read a bit of listener feedback that left you perplexed about Microsoft’s Authenticator app needing you to type in a two-digit number. I use Microsoft’s products in an enterprise environment and thought I might be able to shed some light on this.
What's going on is that Microsoft offers the option of using a push notification instead of the TOTP (the enterprises I'm familiar with allow you to use either as a second factor).
The problem with push notifications is, of course, "notification fatigue." People get used to seeing the notification and just click "Yes, it's me" without thinking it through. (So if someone figures out your password, and you blindly confirm it… I'm sure you see where that's going.)
To counter this, when you log in to a Microsoft system that uses push notifications, they display a two-digit number. You then have to enter that number into the pop-up from the authenticator app. That way, it's much more difficult for an end-user to accidentally confirm a third-party's login attempt.
Hope that sheds some light on it.
Blair
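To make the mechanism in the email concrete, here is a small model of both flows side by side. It is an added example written for this post, not Microsoft's code and not anything from the show; the server and class names are hypothetical, and the only assumption is the one the email describes: the two-digit number is shown on the sign-in page to whoever typed the password, and the phone prompt must carry that same number before the server counts the approval.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class PendingSignIn:
    """One outstanding push prompt. `number` is the two-digit value the sign-in
    page shows to whoever typed the password; the push itself never carries it."""
    number: int
    approved: bool = False


class PushMfaServer:
    """Hypothetical identity-provider side of a push second factor (constructed model).

    number_matching=False models a plain "Approve / Deny" push prompt.
    number_matching=True models the two-digit check: the approval from the app
    must carry the number displayed on the sign-in page or it is rejected.
    `rng` is injectable only so the behaviour can be tested deterministically.
    """

    def __init__(self, number_matching: bool,
                 rng: Callable[[int], int] = secrets.randbelow) -> None:
        self.number_matching = number_matching
        self.rng = rng
        self.pending: dict = {}

    def start_sign_in(self, password_ok: bool):
        """First factor passed: create a pending prompt and push it to the phone.
        Returns (request_id, number_shown_on_page), or None if the password failed."""
        if not password_ok:
            return None
        request_id = secrets.token_hex(8)
        number = self.rng(100)                       # 00..99, fresh per request
        self.pending[request_id] = PendingSignIn(number)
        return request_id, f"{number:02d}"

    def approve_from_app(self, request_id: str, typed: Optional[str] = None) -> bool:
        """Called when the user taps Approve in the app. A request is single-use:
        it is consumed whether or not the approval succeeds."""
        req = self.pending.pop(request_id, None)
        if req is None:
            return False                             # unknown, expired or already used
        if self.number_matching:
            if typed is None or len(typed) != 2 or not typed.isdigit():
                return False                         # app must collect a two-digit number
            if int(typed) != req.number:
                return False                         # wrong number: not this user's sign-in
        req.approved = True
        return True


def legitimate_sign_in(server: PushMfaServer) -> bool:
    """The real user types the password, reads the number off the page and enters it."""
    request_id, shown = server.start_sign_in(password_ok=True)
    return server.approve_from_app(request_id, shown if server.number_matching else None)


def fatigue_attack(server: PushMfaServer, victim_guess: Optional[str] = None) -> bool:
    """Attacker holds the password, triggers the prompt and hopes the victim approves
    without thinking. The victim never sees the sign-in page, so with number
    matching the best they can do is guess (1 in 100 per prompt)."""
    request_id, _shown_only_to_attacker = server.start_sign_in(password_ok=True)
    if not server.number_matching:
        return server.approve_from_app(request_id)   # one blind tap and the attacker is in
    guess = victim_guess if victim_guess is not None else f"{secrets.randbelow(100):02d}"
    return server.approve_from_app(request_id, guess)


if __name__ == "__main__":
    for mode in (False, True):
        srv = PushMfaServer(number_matching=mode)
        print(f"number_matching={mode}: legitimate={legitimate_sign_in(srv)} "
              f"fatigue_attack_succeeds={fatigue_attack(srv)}")
```

Two things the model makes visible. First, the number lives only on the sign-in page, so a user who did not start the sign-in has nothing to type; the prompt stops being a reflex. Second, the protection rests entirely on that separation: if an attacker can get the number to the victim by other means (a phone call asking them to "confirm the code on their screen"), number matching does not help, which is why the prompt also needs to be paired with user training.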