Cybersecurity researchers have flagged a “critical” security vulnerability in Microsoft’s multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victim’s account.
“The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble,” Oasis Security researchers Elad Luz and Tal Hason said in a report shared with The Hacker News.
Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024.
While the Windows maker supports various ways to authenticate users via MFA, one method involves entering a six-digit code from an authenticator app after supplying the credentials. Up to 10 consequent failed attempts are permitted for a single session.
The vulnerability identified by Oasis, at its core, concerns a lack of rate limit and an extended time interval when providing and validating these one-time codes, thereby allowing a malicious actor to rapidly spawn new sessions and enumerate all possible permutations of the code (i.e., one million) without even alerting the victim about the failed login attempts.
It’s worth noting at this point that such codes are time-based, also referred to as time-based one-time passwords (TOTPs) wherein they are generated using the current time as a source of randomness. What’s more, the codes remain active only for a period of about 30 seconds, after which they are rotated.
“However, due to potential time differences and delays between the validator and the user, the validator is encouraged to accept a larger time window for the code,” Oasis pointed out. “In short, this means that a single TOTP code may be valid for more than 30 seconds.”
In the case of Microsoft, the New York-based company found the code to be valid for as long as 3 minutes, thus opening the door to a scenario where an attacker could take advantage of the extended time window to initiate more brute-force attempts simultaneously to crack the six-digit code.
“Introducing rate-limits and making sure they are properly implemented is crucial,” the researchers said. “Rate limits might not be enough, in addition – consequent failed attempts should trigger an account lock.”
Microsoft has since enforced a stricter rate limit that gets triggered after a number of failed attempts. Oasis also said the new limit lasts around half a day.
“The recent discovery of the AuthQuake vulnerability in Microsoft’s Multi-Factor Authentication (MFA) serves as a reminder that security isn’t just about deploying MFA – it must also be configured properly,” James Scobey, chief information security officer at Keeper Security, said in a statement.
“While MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts. These features are not optional; they are critical for enhancing visibility, allowing users to spot suspicious activity early and respond swiftly.”