Microsoft has started rolling out a critical update to Microsoft Authenticator for personal accounts, replacing the familiar tap-to-approve push notification with a two-digit number entry requirement. The change, which mirrors a security measure already enforced for enterprise work and school accounts, is designed to thwart increasingly sophisticated phishing and MFA fatigue attacks that exploited the simplicity of the old one-tap verification.

Instead of receiving a notification that simply asked “Approve or Deny,” users will now see a randomly generated two-digit number on the sign-in screen—whether that’s a website, an app, or a new device setup. They must then open Microsoft Authenticator, verify their identity via biometric or PIN, and manually type that number into the app’s prompt before access is granted. The extra step eliminates the risk of accidental approvals or attackers intercepting and relaying push notifications.

What “Number Matching” Actually Does

The mechanism Microsoft is deploying is known industry-wide as number matching. When a login attempt is initiated, the authentication service generates a short numeric code tied exclusively to that session. The same code appears both on the screen where you’re trying to sign in and inside the Authenticator app’s push notification after you’ve authenticated on the phone.

To complete the sign-in, the user must correctly enter the code they see on the external display into the Authenticator app. Only if the numbers match does the service approve the login. This simple handshake closes a gap that attackers have been exploiting for years. In the old tap-to-approve flow, a malicious actor who had already stolen a password could fire off repeated push notifications. If the target grew frustrated or tapped accidentally, the attacker gained access. With number matching, there’s nothing to tap—the attacker never sees the code, and the victim has no reason to enter a number unless they’re actually trying to log in.

The Phishing Attacks That Forced Microsoft’s Hand

Microsoft’s decision didn’t come out of nowhere. It’s a direct response to the rise of two potent attack vectors: MFA prompt bombing and adversary-in-the-middle (AiTM) phishing.

MFA prompt bombing, often called MFA fatigue, saw attackers flood users with endless push notifications after obtaining credentials from a data breach or a successful phishing email. Human nature being what it is, many users eventually approved one of them just to stop the interruptions. High-profile breaches, including the 2022 Uber incident, were traced back to exactly this technique.

Even more insidious are AiTM attacks. Evilginx and similar tools set up a proxy server between the victim and the legitimate login page. The proxy captures the password and the push notification response in real time, giving the attacker a live session token. Number matching defeats this because the attacker’s proxy cannot present the same two-digit code to the victim—the code is generated server-side and bound to the original URL the user should be visiting. If the number doesn’t match, the token is useless.

A Gradual Rollout with Enterprise Roots

Microsoft first introduced number matching for Azure Active Directory (now Microsoft Entra ID) tenants in May 2023. The feature started as opt-in, but Microsoft quickly signaled it would become mandatory. By early 2024, the option to disable number matching disappeared for most enterprise users, and it became the default experience for all work and school accounts using Microsoft Authenticator push notifications.

Now that same protection is migrating to the hundreds of millions of personal Microsoft accounts—the login you use for Outlook.com, OneDrive, Xbox, Microsoft 365 Family, and Windows itself. Microsoft hasn’t published a single global cutover date, so the change is appearing gradually. Users who have updated their Authenticator app in early 2025 are the first to see the new flow. Once the rollout reaches your account, there’s no opt-out; every push-based sign-in will require the two-digit code.

What Users See: The New Sign-In Flow

The updated experience is consistent across platforms. Suppose you’re setting up a new laptop and signing into your Microsoft account. After entering your password, the sign-in page pauses and displays a prominent two-digit number. At the same moment, your phone receives an Authenticator notification. You tap the notification, unlock the app with your fingerprint, face, or device PIN, and you’re presented with a numeric keypad and the instruction “Enter the number shown on the sign-in screen.” You type the two digits, tap “Yes” or “Submit,” and only then does the login proceed.

If you dismiss the notification or fail to enter the correct number within a short timeout, the sign-in attempt fails. There’s no fallback to a simple Approve button; the number is mandatory. This flow will feel familiar to anyone who has used number matching on a work account or with Google’s verification prompts, which have worked similarly for years.

Impact on Convenience and Accessibility

It’s undeniable that the new process adds a few seconds to every login and introduces a small cognitive load. Where before you might have glanced at your phone and thumbed an approval, you now must look at two screens and enter digits. For users who sign in frequently—switching between multiple Windows devices or accessing Outlook on the web multiple times a day—that friction could become noticeable.

However, Microsoft has preserved the biometric convenience. The number entry screen appears only after the user has already authenticated with a fingerprint or face scan. That means the majority of the security barrier is still passwordless and fast; the number matching is an additional anti-phishing check, not a replacement for the biometric step. If you use an iPhone with Face ID or an Android phone with a fingerprint sensor, unlocking the app remains seamless; you then just need to type two digits.

For users who cannot or prefer not to use an authenticator app, Microsoft continues to support SMS and voice call verification. But those methods carry their own well-documented security weaknesses, including SIM swapping and SMS interception. Microsoft strongly recommends the Authenticator app, and the push towards number matching reinforces that the app is the intended path for users who want robust, phishing-resistant MFA.

Why Enterprise Users Are Already Accustomed to This

If you use a Microsoft work or school account, you’ve likely been entering numbers for over a year. The enterprise rollout was met with some initial grumbling but quickly became business as usual. IT admins found that explaining the security rationale reduced user resistance, and the feature’s success in cutting successful phishing attacks has been backed by Microsoft’s own telemetry.

Bringing personal accounts into the fold closes a gaping hole. Many people use the same Microsoft Authenticator app for both work and personal identities. Having two different push behaviors for the same app created confusion and inconsistency. Now, whether you’re approving a corporate login or checking your personal Outlook, the authentication flow is identical. That uniformity simplifies user education and reduces the chance that a well-practiced routine will be exploited.

Under the Hood: How Number Matching Works Technically

From an engineering standpoint, number matching is an extension of the OAuth 2.0 device authorization grant flow, adapted for push-based MFA. When the user initiates a sign-in, Microsoft’s identity platform generates a cryptographically random two-digit number and binds it to the authentication session. This binding is stored securely and is valid only for a short window—typically less than 60 seconds.

The Authenticator app receives a push notification containing the session identifier but, crucially, not the bound number. The app displays a numeric keypad and prompts the user. Once the user enters the number, the app sends it back to the identity platform over an encrypted channel. The platform verifies that the number matches the one it generated for that specific session. If so, the login succeeds and the number binding is discarded.

This design means that even if an attacker can see the push notification arrive on a compromised network—for example, via a malicious proxy—they cannot force the user to enter the correct number because only the legitimate login page displays it. And because the number is tied to a single session, a replayed or guessed number won’t work for another session.
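To make the server-side binding described above (and in the "What Number Matching Actually Does" section) concrete, here is a small added model of it in Python. It is not Microsoft's code; the class and method names, the 60-second window and the rule that a wrong entry burns the session are assumptions of this illustration, chosen to show the three properties the text relies on: the push carries only a session identifier, the number is single-use and session-bound, and the binding expires.

```python
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 60  # assumed window; the text says "typically less than 60 seconds"


@dataclass
class PendingSignIn:
    """One in-flight sign-in after password entry (constructed model)."""
    session_id: str
    number: str          # the two digits shown ONLY on the sign-in screen
    created_at: float


class IdentityPlatform:
    """Toy model of the identity platform's side of number matching."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for tests
        self._pending: dict[str, PendingSignIn] = {}

    def start_sign_in(self) -> tuple[str, str]:
        """Called after the password is accepted. The number goes to the
        sign-in screen; the session id goes into the push notification."""
        session_id = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"  # uniform over 00..99
        self._pending[session_id] = PendingSignIn(session_id, number, self._clock())
        return session_id, number

    def push_payload(self, session_id: str) -> dict:
        """What the Authenticator app receives: a session id, never the number."""
        return {"session_id": session_id,
                "prompt": "Enter the number shown on the sign-in screen"}

    def verify(self, session_id: str, entered: str) -> bool:
        """Check the user's entry against the number bound to this session.
        The binding is consumed on any outcome, so a session allows one try:
        a guess has a 1-in-100 chance and cannot be retried."""
        pending = self._pending.pop(session_id, None)
        if pending is None:                      # unknown, replayed or already used
            return False
        if self._clock() - pending.created_at > CODE_TTL_SECONDS:
            return False                         # expired binding
        return secrets.compare_digest(pending.number, entered)
```

Run against the scenarios in the text: an attacker who triggers a push with a stolen password gets a session whose number appears only on the attacker's screen, so the victim's app has nothing to enter; a captured number cannot be reused for a second session because the binding is dropped on first use.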

Potential Hiccups and What to Watch For

Any mandatory change invites hiccups. The two most common pain points are likely to be outdated app versions and confusion during the transition.

Outdated Authenticator apps. Microsoft Authenticator on your phone must be updated to a version that supports number matching. The feature has been present in the app’s code for well over a year, but older versions may not include it. Microsoft typically forces a client update for critical security features, so if you’ve allowed automatic updates or regularly update your apps, you should already be covered. However, users on very old phones that can no longer run a supported OS version (Android 8 or iOS 14 and earlier) may find that the Authenticator app no longer receives updates at all. For those users, SMS or a hardware security key might become the only viable MFA methods.

Transition confusion. As the rollout is staggered, some users will encounter the new number-entry prompt for the first time in a high-stress moment—like trying to log into an important account quickly. Seeing an unfamiliar screen and being asked to type digits with no prior notice could cause panic or lead to a mistaken belief that the account is compromised. Clear communication from Microsoft ahead of the change has been sparse; many users will only realize what’s happening when they see the new prompt. If you’re reading this, you’re now prepared, but the broader user base may need gentle reminders.

What This Means for Passwordless and the Bigger Security Picture

Microsoft’s long-term strategy is to eliminate passwords entirely. Microsoft Authenticator is a key pillar of that vision, already capable of acting as a FIDO2 authenticator for passwordless sign-ins. With number matching now mandatory for both enterprise and personal push approvals, Authenticator moves another step closer to being a true phishing-resistant credential.

This change also aligns with broader standards. The FIDO Alliance and the US Cybersecurity and Infrastructure Security Agency (CISA) have long recommended that multi-factor authentication move beyond simple push notifications. Number matching is classified as a “phishing-resistant MFA” technique when combined with a trusted platform module or secure enclave, which modern smartphones have. For Microsoft, turning on number matching by default for all accounts is not just a security fix; it’s a signal that the company is serious about raising the baseline for consumer authentication to match the enterprise standard.

Expert Analysis: A Necessary Pain Point

Security researchers have been calling for the death of simple push approvals for years. “If you can tap to approve, so can an attacker who tricks you or wears you down,” said Roger Grimes, a well-known identity security expert (in a past commentary on MFA). The move to number matching is widely seen as the single most impactful change a service can make to stop real-time phishing. It doesn’t require any new hardware, doesn’t cost anything extra, and can be deployed as a server-side update with a corresponding app tweak.

While it’s true that even number matching isn’t invulnerable—a highly sophisticated attacker could theoretically relay the number if they have real-time access to both the victim’s password and a live session—the difficulty level spikes astronomically. Combined with the biometric step, it forces an attacker to either have physical possession of the user’s phone or to have malware running on the phone itself, which are much higher bars.

Advice for Microsoft Account Holders

If you manage one or more personal Microsoft accounts, the steps are straightforward:

  • Update Microsoft Authenticator immediately on all devices where it’s installed. Open the App Store or Google Play and check for pending updates.
  • Review your backup MFA methods. Make sure you have a backup email address or phone number configured in your Microsoft account security settings. Should you ever lose your phone, you’ll need a fallback.
  • Familiarize yourself with the new flow before you’re in a hurry. Open a private browser window and try signing into outlook.com to trigger the new prompt. Practice typing the number so it becomes muscle memory.
  • Consider passwordless sign-in. If you haven’t already, you can enable fully passwordless login for your Microsoft account. With passwordless enabled, you’ll sign in using a biometric on your phone and the number matching, completely side-stepping passwords—and the risks they bring.

The Bottom Line

Microsoft Authenticator’s tap-to-approve feature is officially dead for personal accounts. The two-digit number entry is now the only way to push-approve a sign-in. While the change adds a few seconds to each login, it slams the door on the simplest and most successful phishing attacks against Microsoft accounts. After more than a year of real-world testing in the enterprise, number matching has proven itself an effective, low-cost defense. Now, every Microsoft account holder gets the same protection.

The rollout will likely accelerate through 2025, and by year’s end, seeing a number on your screen during sign-in will feel as normal as the old Approve button once did. That’s a net win for security—and a rare case where a slightly less convenient user experience is entirely justifiable.