Silent MFA Killer: Microsoft’s AuthQuake Bug Let Hackers Bypass Security Undetected

Critical Security Flaw in Microsoft’s MFA System Now Patched

A major security vulnerability in Microsoft’s Multi-Factor Authentication (MFA) system, named “AuthQuake,” was recently discovered by Oasis Security researchers. The flaw, which allowed attackers to bypass MFA protections without detection, was patched in October 2024.

The vulnerability stemmed from two critical weaknesses in Microsoft’s six-digit authenticator app verification process: insufficient rate limiting for authentication attempts and an unusually long validation window for time-based one-time passwords (TOTPs).

Technical Analysis:
– TOTPs remained valid for 3 minutes instead of 30 seconds
– Attackers could attempt all possible six-digit combinations (1 million)
– Multiple concurrent sessions enabled brute-force attempts
– System permitted 10 consecutive failed attempts per session

Microsoft’s Security Fix:
– Implemented strict rate limiting after failed attempts
– Extended lockout period to 12 hours
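An added example, not code from the article or from Microsoft: a defensive TOTP verifier in Python that applies both corrections the article describes, a 30-second step with only one step of clock-skew tolerance instead of a 3-minute window, and a failure counter keyed by account rather than by session, with a 12-hour lockout. The secret and timestamps used for checking it are RFC 6238 test values; the account names and the 10-attempt threshold are assumptions for the example.

```python
import hmac
import hashlib
import struct

STEP = 30                       # RFC 6238 time step (seconds)
DIGITS = 6
MAX_FAILURES = 10               # failed attempts per account before lockout (assumed)
LOCKOUT_SECONDS = 12 * 60 * 60  # 12-hour lockout, as described in the article


def hotp(secret: bytes, counter: int) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    return hotp(secret, int(now // STEP))


class TotpVerifier:
    # Failure state is keyed by account, not by session, so opening many
    # parallel sessions does not multiply the guesses an attacker gets.
    def __init__(self, skew_steps: int = 1):
        self.skew_steps = skew_steps   # accept current step +/- this many 30 s steps
        self.failures = {}             # account -> consecutive failed attempts
        self.locked_until = {}         # account -> unix time at which lockout ends

    def verify(self, account: str, secret: bytes, code: str, now: float) -> bool:
        if self.locked_until.get(account, 0) > now:
            return False               # locked: reject without comparing the code
        step = int(now // STEP)
        candidates = [hotp(secret, step + d)
                      for d in range(-self.skew_steps, self.skew_steps + 1)]
        matched = False
        for c in candidates:           # constant-time compare, no early exit
            matched |= hmac.compare_digest(code, c)
        if matched:
            self.failures.pop(account, None)
            return True
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
        return False
```

With this verifier a code issued at T=59 is still accepted at T=89 (one step of skew) but rejected at T=150, and the tenth wrong guess against an account locks it even if the next attempt arrives on a fresh session.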

Security experts stress that while MFA remains a crucial security measure, proper configuration is essential. Key security features should include effective rate limiting, user notifications for failed attempts, and robust account lockout mechanisms.

This incident underscores the importance of continuous security monitoring and proper implementation of authentication systems.
