The Oasis research team showed that by rapidly creating new sessions and enumerating codes, attackers could attempt combinations at a high rate, quickly exhausting all one million possible 6-digit codes. During these attack attempts, account owners received no alerts about the numerous failed attempts, making this vulnerability highly stealthy and dangerous.
“The recent discovery of the AuthQuake vulnerability in Microsoft’s Multi-Factor Authentication (MFA) serves as a reminder that security isn’t just about deploying MFA – it must also be configured properly,” said James Scobey, chief information security officer at Keeper Security. “While MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts.”
Extended timeframe adds icing on the cake
Authenticator app codes follow the time-based one-time password (TOTP) standard (RFC 6238), which derives a new 6-digit code every 30 seconds from a shared secret and the current time. Validators typically also accept the codes from adjacent 30-second windows to tolerate clock drift between the user's device and the server, so at any moment more than one code is valid, and every extra window of tolerance is one more winning guess for an attacker enumerating codes.
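The two mechanics described on this page, brute-forcing the code space across fresh sessions and the widened validation window, are easy to see in a small simulation. The following is an added example, not code from Oasis, Microsoft or the article: it implements RFC 4226 HOTP / RFC 6238 TOTP using the published RFC test key, then runs a code enumeration against a hypothetical validator. The validator's `limit_scope` switch (per-session versus per-account failure counting) is an assumption that models the behaviour the article describes; it is not a claim about how Microsoft's service was built.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Key from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A published test value, used here for illustration only; never a real secret.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per TOTP time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return word % (10 ** digits)


def totp(secret: bytes, unix_time: int) -> int:
    """RFC 6238 TOTP with T0 = 0 and a 30-second step: the code the app shows right now."""
    return hotp(secret, unix_time // STEP)


def accepted_codes(secret: bytes, unix_time: int, skew_steps: int) -> set:
    """Every code a validator accepts at unix_time if it tolerates +/- skew_steps of
    clock drift. Each extra step of tolerance is one more winning code for a guesser."""
    t = unix_time // STEP
    return {hotp(secret, t + d) for d in range(-skew_steps, skew_steps + 1)}


class Validator:
    """Toy MFA code validator (hypothetical, not any vendor's implementation).

    limit_scope="session": failed attempts are counted per session, so a fresh
    session starts with a clean counter (the weak pattern modelled here).
    limit_scope="account": one counter across all sessions of the account, and the
    owner is notified when it trips.
    """

    def __init__(self, secret, skew_steps=1, max_failures=10, limit_scope="session"):
        self.secret = secret
        self.skew_steps = skew_steps
        self.max_failures = max_failures
        self.limit_scope = limit_scope
        self.failures = defaultdict(int)
        self.alerts = []            # notifications the account owner would receive
        self._valid_by_step = {}    # accepted-code set cached per time step

    def verify(self, account: str, session: int, code: int, now: int) -> str:
        key = (account, session) if self.limit_scope == "session" else account
        if self.failures[key] >= self.max_failures:
            return "locked"
        step = now // STEP
        if step not in self._valid_by_step:
            self._valid_by_step[step] = accepted_codes(self.secret, now, self.skew_steps)
        if code in self._valid_by_step[step]:
            return "ok"
        self.failures[key] += 1
        # Only an account-wide counter can tell the owner something is wrong; with
        # per-session counting nothing ever sees the aggregate, so no alert fires.
        if self.limit_scope == "account" and self.failures[key] == self.max_failures:
            self.alerts.append(f"{account}: {self.max_failures} failed MFA attempts")
        return "fail"


def brute_force(validator: Validator, account: str, now: int, max_attempts: int = 10 ** DIGITS):
    """Enumerate codes 000000..999999 at a frozen clock; when a session is locked,
    open a new one and retry the same code. Returns (outcome, attempts, sessions_used)."""
    session = 0
    attempts = 0
    for code in range(max_attempts):
        result = validator.verify(account, session, code, now)
        if result == "locked":
            session += 1                           # "rapidly creating new sessions"
            result = validator.verify(account, session, code, now)
            if result == "locked":                 # account-wide limit held
                return "locked_out", attempts, session + 1
        attempts += 1
        if result == "ok":
            return "cracked", attempts, session + 1
    return "exhausted", attempts, session + 1


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: the app shows 287082
    print("current code:", totp(SECRET, now))
    print("codes accepted with +/-1 step of skew:", accepted_codes(SECRET, now, 1))
    weak = Validator(SECRET, limit_scope="session")
    print("per-session limit:", brute_force(weak, "alice", now), "alerts:", len(weak.alerts))
    strong = Validator(SECRET, limit_scope="account")
    print("per-account limit:", brute_force(strong, "alice", now), "alerts:", len(strong.alerts))
```

With the clock frozen at the RFC test time, the per-session validator is cracked after a few hundred thousand guesses spread over tens of thousands of throwaway sessions and never alerts the owner, while the per-account validator locks the account after ten failures and sends one notification. Widening `skew_steps` grows the accepted set returned by `accepted_codes`, which is why a longer validation window shortens the expected search.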