Microsoft MfA Flaw: Million Attempts in 3 Minutes

In a recent security update, Microsoft has revealed that they have successfully patched a vulnerability in their two-factor authentication system that could have potentially exposed users to unauthorized access. The flaw, named Authquake, was discovered by experts at Oasis Security and was resolved in October 2024.

According to reports from the researchers, the bypass method allowed attackers to circumvent the security measures in about an hour without triggering any alerts or notifications to the user. The vulnerability stemmed from a lack of restrictions on the number of attempts to enter a disposable code and an extended timeframe for validation.

Microsoft typically employs six-digit authentication codes that are valid for 30 seconds. However, due to synchronization issues, the codes remained active for up to three minutes, giving malicious actors ample time to guess the correct combination through multiple attempts.

The primary method of attack involved trying all possible code combinations (up to a million options) within a short timeframe. Despite numerous failed attempts, the victim would not be alerted to any suspicious activity.

To address this issue, Microsoft has implemented stricter limitations on the number of login attempts to prevent such attacks. Now, after a few unsuccessful tries, users may face a temporary lockout period of up to thirty minutes. Experts at OASIS emphasize the importance of not only setting restrictions but also enabling notifications for any unusual or potentially malicious activities.

The incident serves as a reminder that even robust security systems require continuous testing and adjustment to mitigate evolving cyber threats.

/Reports, release notes, official announcements.