AuthQuake: Microsoft's MFA system vulnerable to TOTP brute force attack

This flaw, dubbed "AuthQuake," exposes a fundamental weakness that affected more than 400 million Office 365 users, potentially granting unauthorized access to Outlook emails, OneDrive files, Teams chats, Azure Cloud resources, and more.‍

Note: WorkOS is not currently, and has never been, affected by the following vulnerability.

‍The discovery of AuthQuake demonstrates how even major technology providers can overlook critical security flaws in authentication systems.

When you're finished reading this post, you'll understand:

• How AuthQuake exploits Microsoft's MFA implementation
• The technical details behind the vulnerability
• Why traditional TOTPs may no longer be sufficient for secure authentication
• How organizations can protect themselves

Understanding the AuthQuake vulnerability

The vulnerability, discovered by Oasis Security's research team in June 2024, centers on two critical weaknesses in Microsoft's MFA implementation:

First, the system lacks proper rate limiting, allowing attackers to make multiple consecutive attempts without triggering security measures. These attempts generate no notifications or alerts to the account owner, making this a particularly stealthy attack vector.

Second, the TOTP codes remain valid for approximately 3 minutes – significantly longer than the standard 30-second window. This extended validity period, while intended to accommodate time synchronization issues and network delays, creates a much larger window of opportunity for attackers.

The technical breakdown

When implementing TOTP systems, there's always a balance between security and usability. Time synchronization issues between the authenticator app and the server, along with network delays in transmitting the code, can create legitimate scenarios where a technically "expired" code needs to be accepted to prevent valid authentication attempts from failing.

However, Microsoft's implementation extended this grace period well beyond typical industry standards. While the RFC-6238 TOTP guidelines recommend allowing at most one additional 30-second time step for network delays, Microsoft's system was found to accept codes for approximately 3 minutes after their initial generation.

This extended window, combined with the lack of rate limiting, created an exploitable vulnerability.

The Oasis Security research team demonstrated that this combination of factors gives an attacker a 3% chance of guessing the correct code within a single validity window. After running multiple sessions over approximately 70 minutes, the probability of a successful breach exceeds 50%.

The team successfully validated this attack method multiple times, gaining unauthorized access to test accounts without triggering any security alerts.

Protecting your organization

In light of AuthQuake, organizations should take immediate steps to strengthen their authentication systems:

Move beyond traditional TOTPs

Traditional TOTPs, while better than password-only authentication, have shown their limitations. Device-bound credentials represent a more secure alternative because they create a unique cryptographic key pair where the private key never leaves the user's device. Unlike TOTPs, which can be intercepted or phished, device-bound credentials require the actual physical device to complete the authentication process.

This makes them inherently phishing-resistant since an attacker cannot simply capture and replay the credentials. For example, when using WebAuthn/FIDO2 standards, each authentication attempt requires a fresh cryptographic challenge-response exchange between the device and the server.

Even if an attacker intercepts this exchange, they cannot use it to authenticate later because each challenge is unique and tied to that specific session.

Implement proper monitoring and alerts

If you must continue using TOTPs, ensure your implementation includes:

• Strong rate limiting across all authentication attempts
• User notifications for suspicious activity patterns
• Immediate lockouts after threshold violations
• Comprehensive logging of all authentication attempts

Consider third-party authentication providers

Working with specialized authentication providers can help ensure:

• Industry best practices are followed
• Security measures are regularly updated
• Vulnerabilities are quickly patched
• Compliance requirements are met

The responsible disclosure process

Upon discovering the vulnerability on June 24, 2024, the Oasis Security research team promptly reported it to Microsoft through their responsible disclosure program. Microsoft acknowledged the issue immediately and deployed a temporary fix on July 4, 2024, followed by a permanent solution on September 10, 2024. The fix implemented stricter rate limiting that remains in effect for approximately 12 hours after detecting suspicious authentication patterns.

Moving forward

AuthQuake serves as a critical reminder that even well-established authentication methods can harbor serious vulnerabilities when implemented incorrectly.

As organizations continue to rely heavily on remote access and digital resources, the security of authentication systems becomes increasingly critical. The incident particularly highlights the importance of:

• Regular security audits of authentication systems
• Strict adherence to security best practices
• Rapid adoption of stronger, phishing-resistant authentication methods
• Clear incident response procedures