AuthQuake: How Attackers Bypassed Microsoft’s MFA with Ease


Cybersecurity researchers have discovered a critical flaw in Microsoft’s multi-factor authentication (MFA) system. The vulnerability, called AuthQuake, allowed attackers to bypass MFA protections and access accounts without much effort.

Oasis Security researchers Elad Luz and Tal Hason explained the issue:

  • It took only about an hour to exploit.
  • It required no user interaction.
  • It sent no alerts or warnings to account holders.

The root of the problem? Microsoft’s system lacked rate limiting and used an extended time window to validate six-digit, time-based one-time passwords (TOTPs). Normally, TOTPs rotate every 30 seconds, but Microsoft’s implementation accepted codes for up to 3 minutes. This extended period gave attackers more time to brute-force combinations without triggering alarms.

Here’s how it worked:

  1. Attackers could rapidly test all possible six-digit codes (1 million combinations).
  2. The lack of a rate limit allowed repeated attempts without a lockout.
  3. Victims remained unaware of the failed login attempts.

Rate limits are crucial. They stop repeated brute-force attempts and can trigger account locks after too many failures. Without these safeguards, MFA protections weaken significantly.
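To make the two weaknesses concrete, here is a small RFC 6238 TOTP verifier written for this article (it is not Microsoft's code) that shows how the acceptance window and a per-account attempt limit interact. The account names, the failure threshold and the cooldown length are assumptions for the example; the half-day cooldown mirrors the fix described above.

```python
import hmac
import hashlib
import struct

STEP = 30  # RFC 6238 time step in seconds


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Verifier with a bounded clock-skew window and per-account attempt limiting."""

    def __init__(self, skew_steps=1, max_failures=5, cooldown=12 * 3600):
        self.skew_steps = skew_steps      # accept codes from +/- this many 30 s steps
        self.max_failures = max_failures  # consecutive failures allowed before lockout
        self.cooldown = cooldown          # lockout duration in seconds (assumed: half a day)
        self.failures = {}                # account -> consecutive failure count
        self.locked_until = {}            # account -> unix time at which the lockout expires

    def verify(self, account: str, secret: bytes, code: str, now: int) -> str:
        """Return 'ok', 'rejected' or 'locked'; a wide skew window keeps stale codes valid."""
        if now < self.locked_until.get(account, 0):
            return "locked"
        for k in range(-self.skew_steps, self.skew_steps + 1):
            if hmac.compare_digest(totp(secret, now + k * STEP), code):
                self.failures[account] = 0
                return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.max_failures:
            # Too many failures: lock the account and start the cooldown.
            self.locked_until[account] = now + self.cooldown
            self.failures[account] = 0
            return "locked"
        return "rejected"
```

With `skew_steps=6` (a three-minute window) a code minted two and a half minutes earlier is still accepted, whereas the default one-step window rejects it; a production verifier would additionally remember already-used codes to block replay.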

Following responsible disclosure, Microsoft fixed the issue in October 2024 by enforcing stricter rate limits. Now, too many failed attempts will trigger a cooldown lasting roughly half a day.

James Scobey, Chief Information Security Officer at Keeper Security, emphasized the lesson:
“Security isn’t just about enabling MFA. It must be configured properly. Rate limits, failed login notifications, and account locks are not optional – they’re essential to spot and stop suspicious activity early.”

While MFA remains a powerful tool, this vulnerability highlights that even strong defenses can fail if implemented carelessly.

Martin Baker

Martin Baker, Managing Editor at Decoded.cc, harnesses a decade of digital publishing expertise to craft engaging content around technology, data, and culture. He leads cross-functional teams, enforces editorial excellence, and transforms complex ideas into accessible narratives—fueling Decoded.cc’s growth and impact.
