Microsoft's multi-factor authentication cracked
Using brute force: Researchers crack Microsoft's multi-factor authentication
Parallel sessions enabled the research team to make an unlimited number of incorrect entries. Access was often gained within just one hour.
Security researchers from Oasis Security have found a way to bypass the multi-factor authentication (MFA) that Microsoft uses to protect access to services such as Outlook, OneDrive, Teams and the Azure cloud, in comparatively little time and without any user interaction. As the researchers explain in a blog post, they carried out a brute-force attack on the 6-digit MFA codes that are requested when logging in.
These TOTP codes (Time-based One-Time Password) are requested as an additional authentication factor after a valid email address and the corresponding user password have been entered. Users obtain the codes from the authenticator app they have linked to the Microsoft login service.
The codes are regenerated at regular intervals, with a recommended time step of 30 seconds in accordance with RFC 6238. As a rule, however, previous TOTP codes are not invalidated immediately when a new one is generated, but remain accepted for a short while to compensate for clock drift and transmission delays. According to the researchers, the total validity period of each individual code at Microsoft was three minutes.
Flood of requests with parallel sessions
The research team explains that up to 10 incorrect entries are permitted per session. However, this limit could be circumvented by creating multiple parallel sessions, so that many input attempts could be made simultaneously. "During this period, account owners received no warning about the large number of failed attempts, making this vulnerability and attack technique dangerously inconspicuous," the report states.
The 6-digit numeric codes allow at most one million possible combinations. With their method, the researchers put the probability of guessing an MFA code within its validity period at three percent. With 24 such attacks in succession (duration: around 70 minutes), the probability rises to over 50 percent, according to the researchers' figures.
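The probability arithmetic above, worked through as an added example that is not part of the Oasis Security report or of any Microsoft code. The figure of roughly 30,000 guesses per validity window is derived from the stated three percent, and the strict limit of 10 guesses per window used for comparison is an assumed illustration, not Microsoft's actual setting.

```python
from math import ceil, log

CODE_SPACE = 10 ** 6   # six numeric digits: 000000 .. 999999
TOTP_STEP = 30         # RFC 6238 recommended time step, in seconds


def accepted_steps(validity_seconds: int, step: int = TOTP_STEP) -> int:
    """Number of consecutive TOTP time steps a server accepts at once.
    A three-minute validity period means six 30-second codes are live."""
    return ceil(validity_seconds / step)


def per_window_success(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses hit one fixed code before it expires."""
    return min(attempts, code_space) / code_space


def attempts_for(p_target: float, code_space: int = CODE_SPACE) -> int:
    """Distinct guesses per window needed to reach a per-window success chance."""
    return round(p_target * code_space)


def cumulative_success(p_window: float, windows: int) -> float:
    """Chance of at least one hit across `windows` independent validity windows."""
    return 1 - (1 - p_window) ** windows


def windows_to_reach(p_window: float, p_target: float) -> int:
    """Smallest number of windows for which cumulative_success >= p_target."""
    return ceil(log(1 - p_target) / log(1 - p_window))


def attack_risk(guesses_per_window: int, windows: int) -> float:
    """Overall success chance for a given guess budget per window (defender's view)."""
    return cumulative_success(per_window_success(guesses_per_window), windows)


if __name__ == "__main__":
    print("codes accepted at once (3 min):", accepted_steps(180))
    print("guesses/window behind 3 percent:", attempts_for(0.03))
    print("24 windows at 3 percent each: %.1f%%" % (100 * cumulative_success(0.03, 24)))
    print("windows needed for 50 percent:", windows_to_reach(0.03, 0.5))
    # Hypothetical per-account limit of 10 guesses per window (assumed value).
    print("same 24 windows, 10 guesses each: %.4f%%" % (100 * attack_risk(10, 24)))
```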
The research team claims to have carried out the attack successfully several times. Access was often achieved within just one hour. The researchers reported their findings to Microsoft. According to the report, Microsoft shipped a temporary fix in July and a permanent solution in October. According to Oasis Security, Microsoft introduced a "much stricter rate limit", although no further details are given.