Hello everyone,
Today, I read an article that was both unsettling and eye-opening at the same time. The Oasis Security research team uncovered a way to bypass Microsoft’s Multi-Factor Authentication (MFA). I always thought MFA was pretty secure. Typically, the MFA code consists of 6 digits, and users are allowed up to 10 failed attempts per session. But the researchers thought outside the box: the 10-attempt limit was enforced per session, not per account, so by creating many sessions in rapid succession they obtained far more attempts than the standard 10. A six-digit code has only 10^6 possible values, so every extra session significantly increased their chances of guessing the valid code.
Normally, an MFA code is valid for only 30 seconds, but to tolerate clock differences and network delays, Microsoft accepted codes for a window of about 2.5 minutes. The longer a single code stays valid, the more guesses can be made against it; according to the researchers, this gave them 6 additional attempts per session. Their report states that it took around 70 minutes to complete 24 sessions, with a success rate of 50%.
The flaw seems to have been addressed before the article was published. The researchers suggested adding email alerts for failed MFA attempts, since at the moment the Microsoft Authenticator app only shows failed attempts for real-time MFA requests, not a history of failed login attempts. In conclusion, the best security is a strong password with a mix of uppercase and lowercase letters, numbers, and symbols. Avoid dictionary words and any personal information visible on your social media, mix everything up, and add MFA on top. While no security measure is 100% foolproof, it's always better to make it as hard as possible for attackers to breach your accounts.
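The core of the weakness described above is that the attempt limit was counted per session while the code space (10^6) belongs to the account. The following is an added example written for this post; it is not code from the original article, from Microsoft, or from Oasis Security. It builds a constructed log of failed MFA attempts, shows that a per-session count never exceeds the limit even when one account is being hammered from many sessions, and then counts failures per account across all sessions inside a sliding window, which is the kind of check (and alert source) a defender would want. The log format, field names, the 10-minute window and the flagging threshold are all assumptions for the illustration.

```python
"""Added example: per-session vs per-account MFA failure counting.

Not from the original post or the research it summarises. Log format,
field names and the detection window are assumptions for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CODE_SPACE = 10 ** 6            # a six-digit code has one million possible values
PER_SESSION_LIMIT = 10          # failed attempts tolerated per session, as the post describes
ACCOUNT_WINDOW = timedelta(minutes=10)   # assumed detection window (not from the post)


def build_sample_log():
    """Constructed sample log (not real data): 'alice' receives three sessions of
    ten failures each within a few minutes; 'bob' makes two ordinary typos."""
    start = datetime(2024, 12, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(3):
        for i in range(PER_SESSION_LIMIT):
            ts = start + timedelta(minutes=s, seconds=i)
            lines.append(f"{ts.isoformat()} user=alice session=s{s + 1} event=mfa_fail")
    for i in range(2):
        ts = start + timedelta(minutes=5, seconds=i)
        lines.append(f"{ts.isoformat()} user=bob session=s9 event=mfa_fail")
    return lines


def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into (timestamp, user, session, event)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_text), fields["user"], fields["session"], fields["event"]


def per_session_failures(lines):
    """The view a per-session limiter has: failures keyed by (user, session).
    Each session stays at or below the limit, so nothing here looks wrong."""
    counts = defaultdict(int)
    for _ts, user, session, event in map(parse_line, lines):
        if event == "mfa_fail":
            counts[(user, session)] += 1
    return dict(counts)


def peak_account_failures(lines, window=ACCOUNT_WINDOW):
    """Highest number of failures any single account received inside one
    `window`, counted across every session. Events are processed in time order."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)   # per user: timestamps of failures still inside the window
    peak = defaultdict(int)
    for ts, user, _session, event in events:
        if event != "mfa_fail":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return dict(peak)


def flag_accounts(lines, threshold=PER_SESSION_LIMIT, window=ACCOUNT_WINDOW):
    """Accounts whose cross-session failures exceed what a single session may have.
    This is the condition on which a defender would raise an alert."""
    return sorted(u for u, n in peak_account_failures(lines, window).items() if n > threshold)


def guess_success_probability(attempts, code_space=CODE_SPACE):
    """Risk estimate: chance that `attempts` random guesses hit a valid code,
    treating each guess as an independent 1/code_space event (a simplification
    that ignores the fact that guesses within one code window are not repeated)."""
    return 1 - (1 - 1 / code_space) ** attempts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-session view:", per_session_failures(log))
    print("per-account peak within window:", peak_account_failures(log))
    print("accounts to alert on:", flag_accounts(log))
    for n in (10, 100, 1000):
        print(f"{n:>5} guesses -> {guess_success_probability(n):.6f}")
```

The per-session view reports ten failures for each of alice's three sessions, which is exactly the permitted maximum, so a limiter that only looks there never trips. The per-account view sees thirty failures in a few minutes and flags the account, which is the signal the researchers' proposed email alert would be built on.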