Microsoft Authenticator Now Requires Manual Number Entry for Personal Account Logins
Microsoft has started rolling out a new Microsoft Authenticator sign-in experience that requires users to manually enter a two-digit number during login, adding an extra layer of protection against accidental approvals and MFA fatigue attacks, according to Windows Central.
How the new Microsoft Authenticator sign-in process works
Previously, users logging in with Microsoft Authenticator could approve a sign-in request by selecting one of three displayed number options. Under the new system, users must type the two-digit code shown on the login screen directly into the Authenticator app before access is granted.
The change first appeared for enterprise and education accounts but is now beginning to reach personal Microsoft accounts as well. The rollout appears to be gradual, meaning some users may not see the updated prompt immediately.
Why Microsoft is making this change
Microsoft’s move comes as attackers increasingly rely on so-called MFA fatigue attacks. In these attacks, threat actors repeatedly send authentication prompts to victims in the hope that they eventually approve one by mistake.
Accidental approvals can also occur when users tap the wrong option or interact with their device unintentionally. By requiring manual number entry, Microsoft reduces the likelihood of these errors and makes unauthorized access attempts more difficult.
The updated authentication flow adds a small extra step to the login process, but it significantly improves security by ensuring users actively verify each sign-in request.
While the change may seem minor compared to larger authentication updates, it reflects Microsoft’s broader effort to move users toward stronger account protection methods. Earlier this year, the company began phasing out SMS authentication for personal Microsoft accounts in favor of more secure alternatives.
The new number-entry requirement is expected to make Microsoft Authenticator more resistant to common social engineering and prompt-spamming attacks while maintaining a relatively simple user experience.
In other news, Microsoft recently confirmed that a patch for the RougePlanet zero-day exploit is currently in development.