AuthQuake: A New Brute Force Attack on Microsoft MFA
Recently, Oasis Security disclosed a new vulnerability dubbed AuthQuake. This vulnerability exploits a weakness in Microsoft's multi-factor authentication (MFA) system, allowing attackers to bypass time-bound one-time passcodes (TOTP) to gain unauthorized access to user accounts. While not a sophisticated attack, AuthQuake highlights the importance of phishing-resistant MFA as the foundational piece of a defense in depth strategy.
What is AuthQuake?
AuthQuake is essentially a variation of a brute force attack targeting time-based one-time passwords (TOTPs), a commonly used authentication factor. Brute force attacks typically involve systematically trying different combinations of digits (or characters, in the case of passwords) until the correct one is found.
The AuthQuake exploit takes advantage of several flaws in Microsoft's MFA implementation:
- Lack of Rate Limiting: The system allowed for multiple consecutive failed login attempts without triggering any security measures or alerting the account owner. This enabled attackers to rapidly submit numerous guesses, increasing the likelihood of hitting the correct code.
- Extended Timeframe for Code Validity: TOTP codes are designed to be valid for a short period, typically 30 seconds. However, Microsoft's implementation allowed for a much wider window of validity – around 3 minutes – due to potential time discrepancies and delays. This extended timeframe further amplified the effectiveness of the brute force attack.
By combining these vulnerabilities, attackers were able to bombard the system with guesses until the correct code was entered. The extended code validity timeframe gave them ample opportunity to hit the correct code before it expired. The Oasis Security Research team demonstrated that with this method, an attacker had a 3% chance of guessing the correct code within the extended timeframe. After 24 sessions (approximately 70 minutes), the probability of success rose to over 50%.
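As an added illustration, not code from Oasis Security, Microsoft or Beyond Identity, the following Python sketch shows the two controls whose absence the attack relied on: an RFC 6238 TOTP verifier that accepts only a narrow window of time steps and locks an account after repeated failures, plus the probability arithmetic behind the 3% per-session and 24-session figures above. The skew, failure-count and lockout values are assumed defaults for the example, not Microsoft's settings.

```python
import hmac, hashlib, struct, time

DIGITS = 6
STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226/6238 HOTP value for a given time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Keeps the acceptance window narrow and throttles guesses per account.

    skew: steps accepted either side of 'now' (1 => only 3 codes valid at once,
    i.e. 90 s, not minutes). max_failures / lockout_seconds: assumed defaults."""
    def __init__(self, skew=1, max_failures=5, lockout_seconds=300):
        self.skew, self.max_failures, self.lockout = skew, max_failures, lockout_seconds
        self.failures = {}  # account -> (failed guesses, time of first failure)

    def verify(self, account, secret, code, now=None):
        now = time.time() if now is None else now
        count, since = self.failures.get(account, (0, now))
        if count >= self.max_failures and now - since < self.lockout:
            return False  # locked out: the code is not even evaluated
        if now - since >= self.lockout:
            count, since = 0, now  # lockout (or counting window) expired
        counter = int(now // STEP)
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(totp(secret, c), code):
                self.failures.pop(account, None)  # success resets the counter
                return True
        self.failures[account] = (count + 1, since)
        return False

def guess_success_probability(valid_codes, attempts, digits=DIGITS):
    """Chance that `attempts` random guesses hit one of the `valid_codes` codes
    accepted at the same moment; a wider validity window raises `valid_codes`."""
    return 1 - (1 - valid_codes / 10 ** digits) ** attempts

def cumulative_success(per_session_probability, sessions):
    """Chance of at least one hit across repeated independent sessions."""
    return 1 - (1 - per_session_probability) ** sessions
```

With the page's 3% per session, `cumulative_success(0.03, 24)` is about 0.52, matching the "over 50%" figure; the verifier's lockout caps the attempts per session that feed that number.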
How to defend against AuthQuake
While Microsoft has implemented fixes to address the specific vulnerabilities exploited by AuthQuake, the attack underscores the inherent weakness of TOTP as a security measure. To truly defend against such attacks, a more robust approach is needed. Here are some key recommendations:
- Deprecate use of TOTPs and phishable authentication factors: Your defense is only as strong as your weakest factor. TOTPs, being phishable and vulnerable to brute force attacks, are considered a weak form of MFA. Organizations should move towards stronger, more secure alternatives that are phishing-resistant.
- Implement strong phishing-resistant, device-bound credentials: Instead of relying on guessable passwords and codes, use credentials that are uniquely tied to the user's device and do not fall back to shared secrets (knowledge factors). Device-bound passkeys are inherently resistant to brute force attacks.
- Leverage Microsoft's External Authentication Methods (EAM): Microsoft has introduced a feature that allows authentication delegation to third-party identity providers that can provide high assurance MFA. This provides organizations with the flexibility to leverage more secure authentication methods to protect their resources.
The AuthQuake vulnerability serves as a stark reminder that access security cannot rest on weak foundations. MFA was originally introduced to protect against weak passwords, but without a proper implementation of MFA, bad actors can still gain unauthorized access.
About Beyond Identity
Beyond Identity provides phishing-resistant MFA using device-bound, hardware-backed passkeys with verifier impersonation resistance by default. What’s more, we never fall back to weak factors for authentication to ensure that your systems stay protected with high assurance authentication.
If you want to learn more about our security guarantees, visit our Guarantees page. Or, if seeing is believing for you, get a demo of our secure access platform.