Cybersecurity specialists have unearthed a critical flaw within Microsoft’s multi-factor authentication (MFA) framework, enabling attackers to effortlessly circumvent its safeguards and infiltrate a user’s account undetected.
“The exploitation was alarmingly straightforward: it required approximately one hour, demanded no engagement from the user, and failed to generate alerts or notify the account owner of any compromise,” revealed Oasis Security researchers Elad Luz and Tal Hason in a detailed analysis shared with The Hacker News.
The vulnerability, dubbed AuthQuake, was responsibly disclosed to Microsoft and subsequently mitigated in October 2024.
A Deeper Look into the Flaw
Microsoft’s MFA system supports diverse methods of verification, one of which includes inputting a six-digit passcode generated by an authenticator application after providing login credentials. This method allows up to ten consecutive failed attempts per session.
Oasis Security’s discovery pinpointed a systemic shortfall: the absence of a rate limit across sessions, combined with an extended validation period for one-time codes. This deficiency allowed attackers to open a large number of login sessions in parallel and methodically test all possible six-digit codes (one million possibilities) without triggering alerts or notifying the legitimate user of the intrusion attempts.
These codes, known as time-based one-time passwords (TOTPs), use the current time as an input when generating their values. Ordinarily, a TOTP is valid for roughly 30 seconds before it rotates. However, the researchers observed a concerning anomaly.
Extended Time Window Exploitation
“Due to potential discrepancies in timing between the user’s device and the validator, the system is designed to accept a more generous timeframe for code validation,” explained Oasis Security. “In practical terms, this means a single TOTP might remain valid well beyond the standard 30-second window.”
In Microsoft’s case, Oasis discovered that the codes could be accepted for as long as three minutes. This expanded validity enabled a malevolent actor to orchestrate simultaneous brute-force attempts to crack the six-digit passcode during the prolonged interval.
The Imperative for Proper Safeguards
“Implementing rate limits and ensuring their correct application is paramount,” the researchers asserted. “However, even robust rate limits may prove insufficient. Failed attempts must also trigger automatic account locking mechanisms to fortify defenses.”
Microsoft has since introduced more stringent rate-limiting protocols, which activate after repeated failed attempts, and instituted an extended lockout duration of approximately 12 hours.
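To make the two design points above concrete (the per-session attempt budget and the wide acceptance window described earlier, versus the per-account rate limit and roughly 12-hour lockout Microsoft added), here is an added, self-contained Python model of a TOTP validator. It is illustrative code written for this article, not Microsoft's or Oasis Security's implementation; the secret, the ±3-step tolerance used to stand in for an acceptance window of about three minutes, and the account and session names are constructed assumptions.

```python
import hmac, hashlib, struct
from collections import defaultdict

STEP = 30                          # TOTP time step in seconds (RFC 6238 default)
SECRET = b"constructed-demo-seed"  # constructed sample secret, not a real one

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10 ** digits:0{digits}d}"

def accepted_codes(secret: bytes, now: int, skew_steps: int) -> set:
    """All codes a validator tolerating +/- skew_steps steps accepts at `now`.
    A wider tolerance means more of the 10^6 codes count as correct at once."""
    base = now // STEP
    return {totp(secret, base + d) for d in range(-skew_steps, skew_steps + 1)}

class Validator:
    """TOTP check with a failure budget. per_account=False ties the budget to
    the login session (a fresh session gets a fresh budget); per_account=True
    ties it to the account and locks the account once it is exhausted."""
    def __init__(self, secret, skew_steps, max_failures, lockout_s, per_account):
        self.secret, self.skew = secret, skew_steps
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self.per_account = per_account
        self.failures, self.locked_until = defaultdict(int), {}

    def verify(self, account: str, session: str, code: str, now: int) -> str:
        key = account if self.per_account else (account, session)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        ok = any(hmac.compare_digest(code, c)
                 for c in accepted_codes(self.secret, now, self.skew))
        if ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout_s  # lock this key only
            self.failures.pop(key, None)                   # budget restarts after lockout
        return "bad"

# Weak: ~3-minute acceptance window, 10 tries per session, nothing tracked per account.
weak = Validator(SECRET, skew_steps=3, max_failures=10, lockout_s=10**9, per_account=False)
# Hardened: +/-1 step tolerance, 10 failures per account, then a 12-hour lockout.
hardened = Validator(SECRET, skew_steps=1, max_failures=10, lockout_s=12 * 3600, per_account=True)
```

With the weak settings, exhausting one session's ten attempts leaves a brand-new session with a full budget, which is why a per-session counter alone is not a rate limit; the hardened validator counts failures per account regardless of session and also accepts far fewer codes at any instant.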
Expert Commentary on Broader Implications
James Scobey, Chief Information Security Officer at Keeper Security, emphasized the broader lessons from the AuthQuake debacle:
“The discovery of this vulnerability underscores a vital truth: security doesn’t end with simply deploying MFA. Proper configuration and thoughtful implementation are essential. Rate limiting to thwart brute-force efforts and proactive notifications for failed login attempts are indispensable. These mechanisms enhance visibility, empowering users to detect anomalous activities promptly and respond effectively.”
The AuthQuake vulnerability serves as a stark reminder that even robust security measures like MFA can be undermined without vigilant implementation. While Microsoft has addressed the issue, the episode underscores the importance of evolving cybersecurity practices to stay ahead of increasingly sophisticated threats.