Microsoft Fixes Security Flaw in MFA Implementation That Let Attackers Attempt Over a Million Logins in Short Order
Please note: The vulnerability discussed in this article may not be related to the recent surge of failed login attempts and numerous login requests experienced by Microsoft account holders and users of the Microsoft Authenticator. The descriptions of the incidents do not align.
Researchers at Oasis Security recently disclosed a significant vulnerability, dubbed AuthQuake, in Microsoft's implementation of Multi-Factor Authentication (MFA). The disclosure comes after the flaw was reported to Microsoft in June, and the company has since remedied the issue.
This vulnerability allowed attackers to bypass security measures and gain access to victims' accounts with alarming ease. The bypass could be completed in about an hour without any interaction from the user, and it generated no notification or alert of failed login attempts to the account owner.
Microsoft's MFA system involves a 6-digit TOTP (Time-Based One-Time Password), which usually rotates every 30 seconds. Under normal circumstances, a code older than 30 seconds would be invalid.
However, the platform may extend the validity period of these codes beyond 30 seconds to accommodate network delays and user response times. Microsoft set this period to three minutes rather than thirty seconds; this was the first issue.
The second issue arose from Microsoft's security policy, which allows up to 10 consecutive login attempts in a single session before locking that session. The policy applied no rate limiting to one-time password attempts beyond the individual session, and combined with the extended validity window this left the codes open to guessing.
The researchers demonstrated that by rapidly opening new sessions, they could enumerate and brute-force up to a million common passwords without triggering any failed-login alert to the user.
After the report, Microsoft worked with the researchers to implement a fix in September, including stricter rate limiting that locks out an attacker for half a day after several failed attempts.
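The two policies contrasted above (a per-session attempt counter that a fresh session resets, versus an account-wide counter with a lockout) can be modelled directly. The following is an added simulation written for this article, not Microsoft's code or the researchers' tooling; the figures it uses (6-digit codes, 10 attempts per session, a 3-minute validity window, a 12-hour lockout) come from the article, while the request rate of 10 per second, the session-id scheme and the policy mechanics are assumptions of the model.

```python
"""Simulation of per-session vs. account-wide MFA attempt limiting.

Constructed model for illustration; not Microsoft's implementation.
Figures taken from the article: 6-digit TOTP, 10 attempts per session,
3-minute code validity, 12-hour lockout after the fix.
"""
import secrets
from dataclasses import dataclass

CODE_SPACE = 10**6            # 6-digit TOTP -> one million possible values
SESSION_LIMIT = 10            # failed attempts allowed per login session
VALIDITY_SECONDS = 180        # extended validity window for one code
LOCKOUT_SECONDS = 12 * 3600   # post-fix lockout ("half a day")


@dataclass
class Account:
    code: int                 # the code currently accepted (simulated secret)
    failed: int = 0           # account-wide failed-attempt counter
    locked_until: float = 0.0 # simulated clock time at which lockout ends


class Verifier:
    """per_account_limit=None reproduces the pre-fix gap: only the
    per-session counter exists, so a new session gets a fresh budget.
    A numeric limit adds the account-wide counter with a lockout."""

    def __init__(self, per_account_limit=None):
        self.per_account_limit = per_account_limit
        self.sessions = {}    # session id -> failed attempts in that session

    def new_session(self):
        sid = secrets.token_hex(8)   # assumed session-id scheme
        self.sessions[sid] = 0
        return sid

    def verify(self, account, sid, guess, now):
        if now < account.locked_until:
            return "locked"
        if self.sessions[sid] >= SESSION_LIMIT:
            return "session_exhausted"
        if guess == account.code:
            return "ok"
        self.sessions[sid] += 1
        account.failed += 1
        if self.per_account_limit is not None and account.failed >= self.per_account_limit:
            account.locked_until = now + LOCKOUT_SECONDS
        return "wrong"


def attempts_possible(per_account_limit, window=VALIDITY_SECONDS, rate=10):
    """Count guesses actually evaluated while one code stays valid, for a
    client sending `rate` requests per second that opens a new session
    whenever the per-session budget is spent."""
    verifier = Verifier(per_account_limit)
    account = Account(code=CODE_SPACE - 1)   # never reached by the sequential guesses below
    sid = verifier.new_session()
    evaluated = 0
    for i in range(int(window * rate)):
        now = i / rate
        status = verifier.verify(account, sid, i, now)
        if status == "session_exhausted":
            sid = verifier.new_session()     # the gap: per-session budget resets
            status = verifier.verify(account, sid, i, now)
        if status == "locked":
            break                            # account-wide lockout stops the run
        if status in ("wrong", "ok"):
            evaluated += 1
    return evaluated


def success_probability(attempts):
    """Chance that `attempts` distinct guesses hit one fixed 6-digit code."""
    return 1.0 - (1.0 - 1.0 / CODE_SPACE) ** attempts


if __name__ == "__main__":
    weak = attempts_possible(None)           # per-session counter only
    fixed = attempts_possible(SESSION_LIMIT) # account-wide counter + lockout
    print(f"per-session limit only: {weak} guesses evaluated in one window")
    print(f"account-wide limit:     {fixed} guesses, then locked out")
    print(f"hit probability per window, weak policy: {success_probability(weak):.4%}")
```

The point the model makes is that the per-session counter bounds nothing once sessions are free to create: the number of evaluated guesses scales with request throughput and the length of the validity window, so shortening the window and counting failures per account (with a lockout that survives session churn) are the two controls that actually cap the attack.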
While the researchers have not yet released full details of the vulnerability, the issue has been resolved, and a detailed disclosure of the exploitation process is expected to be shared with the cybersecurity community for further study.