Microsoft MFA Vulnerability Allows Unlimited Brute-Force Attempts
🔓 Critical vulnerability discovered in Microsoft’s multi-factor authentication system. Researchers at Oasis Security have identified a significant flaw, dubbed AuthQuake, in Microsoft’s MFA implementation that allowed an attacker who already held a user’s password to brute-force the one-time code and gain access to the account without the victim receiving any alert. The flaw had two ingredients: the MFA endpoint did not rate-limit failed code attempts, so guesses could be submitted at volume, and a one-time code remained valid for considerably longer than the standard 30-second time step it was generated for, so each code could be attacked for minutes rather than seconds. Together these turned a six-digit code from a strong second factor into a guessable one. Microsoft has since addressed the issue by enforcing stricter rate limits and locking accounts after repeated failed attempts. The broader lesson is that MFA is only as strong as the verifier behind it: a short acceptance window, per-account rate limiting with lockout, and notifying the user of repeated failures are all part of the control.
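The two levers the paragraph names, code lifetime and rate limiting, are easiest to see side by side in a toy verifier. The following is an added example written for this page; it is not Microsoft’s or Oasis Security’s code, and the secret, the account names, the acceptance windows (±5 steps for the weak configuration, ±1 step for the hardened one), the lockout threshold of 10 failures and the guess rates are all constructed for illustration. The TOTP computation itself follows RFC 4226/6238.

```python
"""Added example (not Microsoft's or Oasis Security's code): a toy TOTP verifier
in a weak and a hardened configuration, showing how code lifetime and per-account
lockout bound a brute-force attacker. Secret, limits and accounts are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed, not a real key
DIGITS = 6
STEP = 30  # RFC 6238 time step in seconds


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP (RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


@dataclass
class Verifier:
    """Server-side TOTP check with a configurable acceptance window and lockout."""
    accept_steps: int             # time steps accepted on either side of "now"
    max_failures: Optional[int]   # failures before the account locks; None = never
    failures: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # what the user would be notified about

    def verify(self, account: str, code: str, now: int) -> str:
        if self.max_failures is not None and self.failures.get(account, 0) >= self.max_failures:
            return "locked"
        current = now // STEP
        for counter in range(max(0, current - self.accept_steps), current + self.accept_steps + 1):
            if hmac.compare_digest(totp(SECRET, counter).encode(), code.encode()):
                self.failures[account] = 0
                return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.max_failures is not None and self.failures[account] >= self.max_failures:
            self.alerts.append(f"{account}: locked after {self.max_failures} failed MFA codes")
        return "bad"


# Weak (hypothetical): a code stays valid for 11 steps (5.5 minutes) and nothing ever locks.
WEAK = dict(accept_steps=5, max_failures=None)
# Hardened (hypothetical): +/-1 step of clock skew, lock after 10 failures, alert the user.
HARDENED = dict(accept_steps=1, max_failures=10)


def code_lifetime_seconds(accept_steps: int) -> int:
    """How long a single code is accepted: its own step plus the window on both sides."""
    return (2 * accept_steps + 1) * STEP


def brute_force_coverage(accept_steps: int, guesses_per_second: float) -> float:
    """Fraction of the 6-digit code space an attacker can try while one code is valid."""
    return min(1.0, code_lifetime_seconds(accept_steps) * guesses_per_second / 10 ** DIGITS)


def brute_force(verifier: Verifier, account: str, now: int, max_guesses: int) -> dict:
    """Attacker submits sequential guesses 000000, 000001, ... against one account."""
    for n in range(max_guesses):
        result = verifier.verify(account, str(n).zfill(DIGITS), now)
        if result != "bad":
            return {"outcome": result, "guesses": n + 1}
    return {"outcome": "exhausted", "guesses": max_guesses}


if __name__ == "__main__":
    issued_at = 1_700_000_000
    code = totp(SECRET, issued_at // STEP)
    late = issued_at + 150  # 2.5 minutes after the code was generated
    print("weak accepts stale code:", Verifier(**WEAK).verify("alice", code, late))
    print("hardened rejects it:", Verifier(**HARDENED).verify("alice", code, late))
    print("weak coverage per code at 100 guesses/s:", brute_force_coverage(5, 100))
    print("hardened coverage per code at 100 guesses/s:", brute_force_coverage(1, 100))
    print("brute force vs weak:", brute_force(Verifier(**WEAK), "alice", late, 1000))
    print("brute force vs hardened:", brute_force(Verifier(**HARDENED), "alice", late, 1000))
```

Against the weak configuration the attacker is stopped only by the size of the code space, and every wrong guess is silent; against the hardened one the eleventh request to the same account returns `locked` and an alert is recorded, which is the notification the paragraph calls for. The coverage figure makes the window argument concrete: lengthening a code’s lifetime multiplies the number of guesses an attacker gets per code by the same factor, and the real fix is to keep both the window and the per-account attempt count small.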
