Introducing new, more secure ways for you to use MFA


February 23rd, 2023

Microsoft is introducing number matching for MFA – a more secure way of logging into our systems. No action is required from users at the moment.

Multi-Factor Authentication (MFA) helps prevent unauthorised access to university IT systems, such as Microsoft 365, VPN, Virtual Desktop and Remote Desktop. There are a variety of ways to approve authentication depending on the device you use and your preferred method, but the Microsoft Authenticator app is the university’s recommended method.

If you currently use the Microsoft Authenticator app, from Monday 27 February, you will begin to see a number on-screen when entering your username into a system that requires you to use MFA. Simply enter that number into the Microsoft Authenticator app to log in. If you have configured your device to opt in to phone sign-in, as outlined below, you will no longer need to enter your password.

Microsoft have introduced number matching as it eradicates the risk of accidental MFA approval should your account be targeted by criminals.

Enabling phone sign-in – Recommended action

What is phone sign-in?

Separate to number matching, phone sign-in is a Microsoft feature that allows users to authenticate MFA requests using their smartphone alone – no password or username is required.

What is the benefit of enabling phone sign-in?

Passwords are a primary target for cybercrime. Phone sign-in helps to mitigate this risk as you will not need to remember passwords or worry about others stealing them. Phone sign-in makes logging into systems quicker and more secure.

What steps do I need to follow to start using phone sign-in?

In order to start using phone sign-in, you must follow the steps below. You can complete these steps now.

1. Open the Microsoft Authenticator app on your phone (or install it if you haven’t already)
2. Your email address is displayed – click on it
3. Select ‘Set up phone sign-in’
4. Follow the instructions in the app to finish registering your account for phone sign-in

If you use the Microsoft Authenticator app on more than one phone, you will also need to follow the above steps on your other phone(s).

What will I see when logging into a system that requires MFA?

Once you have enabled phone sign-in, the next time you log onto a system that requires MFA, such as Microsoft 365, you will be prompted to enter your password as usual. After doing so, you should then see an option saying ‘Use app instead’ – click on this to start using phone sign-in.

Note: You may see a page saying ‘Request has not been sent’ in place of a number. This simply means there is a pending authentication that has not been approved or denied within the app. You will need to open the app and approve or deny the authentication.

If you do not currently use the Microsoft Authenticator app to log into systems, you will experience no change and you will be able to log into your systems as usual.

What if I don’t follow the steps above?

We strongly recommend you enable phone sign-in on your phone. It is more secure, and you will no longer need to enter your password into systems that use MFA.

If you do not enable phone sign-in, you will need to enter your email address and password into systems, followed by the number matching element in the Microsoft Authenticator app.

If you have any questions, please contact the IT Service Desk in the first instance.

 
