Open Forum

  • 1.  Security BUZZ - That Extra Layer of Security Might Not Be Enough

    Posted 12-20-2024 08:56

    Yet another reason to move away from six-digit MFA codes. We all know the drill: strong passwords are essential, and enabling multi-factor authentication (MFA) adds an extra layer of protection to our online accounts. But what happens when even MFA can be cracked?

    That's the unsettling question raised by a recent discovery by security researchers at Oasis Security. They found a critical flaw in Microsoft Azure MFA that allowed them to bypass security measures and gain unauthorized access to a user's account in about an hour. This vulnerability, nicknamed "AuthQuake," had the potential to affect the vast number of Microsoft 365 users.

    It turns out that Microsoft Azure lacked a rate limit for failed MFA sign-in attempts. This meant an attacker could bombard the system with countless guesses for the MFA code and cycle through all 1 million possible six-digit combinations.

    To make matters worse, the researchers discovered that the system gave them a longer window to guess the code than security best practices recommend. This gave them a significantly higher chance of cracking the code through sheer persistence.

    While Microsoft has since fixed this vulnerability, the incident highlights a crucial point: no security system is foolproof. Even MFA, which is widely considered a robust security measure, can have weaknesses.

    Takeaway:

    • Change your passwords regularly. This age-old advice remains relevant, even with MFA in place.
    • Be alert for any unusual activity on your accounts. Pay attention to notifications about failed login attempts.
    • Where possible, consider using an authenticator app for MFA. This method is generally more secure than receiving codes via email or SMS.

    This research serves as a reminder that cybersecurity is an ongoing battle. While companies work to patch vulnerabilities, we must stay vigilant.

    *** This is my last post in 2024. Happy Holiday Season to you and your family. More to come in 2025. ***

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
    ALTA Marketplace
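An added example, not part of the original post and not Microsoft's code: a server-side check for six-digit time-based codes (RFC 6238) that applies the two controls the post describes as missing, a cap on failed attempts per account and a short acceptance window. The `MfaVerifier` class and the policy constants are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30              # seconds per time step (RFC 6238 default)
DIGITS = 6
MAX_SKEW_STEPS = 1     # assumed policy: accept only the adjacent steps
MAX_FAILURES = 5       # assumed policy: failed attempts before lockout
LOCKOUT_SECONDS = 900  # assumed policy: lockout duration


def totp(secret: bytes, counter: int) -> str:
    """Six-digit code for one time-step counter (RFC 4226 truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class MfaVerifier:
    """Verifies codes and enforces a per-account failure limit."""

    def __init__(self):
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> unix time the lockout ends

    def verify(self, account: str, secret: bytes, code: str, now: float) -> str:
        # A locked account is rejected before the code is even evaluated,
        # so repeated guessing yields no information during the lockout.
        if now < self.locked_until.get(account, 0):
            return "locked"
        current = int(now) // STEP
        valid = any(
            hmac.compare_digest(totp(secret, current + skew).encode(), code.encode())
            for skew in range(-MAX_SKEW_STEPS, MAX_SKEW_STEPS + 1)
        )
        if valid:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "failed"
```

With these assumed settings an account gets at most five evaluated guesses per 15 minutes against three valid codes out of 1 million, and each "failed" or "locked" result is an event worth logging and alerting on.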


  • 2.  RE: Security BUZZ - That Extra Layer of Security Might Not Be Enough

    Posted 12-23-2024 10:58

    Good information, Genady. Thanks. Here's a similar article on MFA: Feds issue another warning about texting dangers - the scary reason to stop using two-factor authentication now



    ------------------------------
    John Doyle
    Intellicheck
    Melville NY
    ------------------------------
