AuthQuake: Critical Flaw in Microsoft 2FA Allowed Silent Account Takeovers

Microsoft has addressed a critical vulnerability in its two-factor authentication system that allowed threat actors to bypass protections and gain unauthorized access to user accounts without their knowledge. The issue, dubbed AuthQuake, was identified by researchers at Oasis Security and resolved in October 2024.

According to the researchers, the bypass required approximately one hour to execute, did not necessitate user interaction, and generated no system alerts. The vulnerability stemmed from the absence of restrictions on the number of attempts to input a one-time code, coupled with an extended time window for code validation.

Microsoft’s authentication system relies on six-digit codes generated by an authenticator, which are valid for 30 seconds. However, due to time synchronization quirks, these codes remained active for up to three minutes, enabling attackers to perform multiple brute-force attempts within the expanded window.

The core attack method involved systematically testing all possible code combinations—up to one million variants—within a short timeframe. Crucially, victims received no notifications about the failed login attempts.

To mitigate such attacks, Microsoft has implemented stricter input attempt limits. Now, after several unsuccessful attempts, the account may be locked for up to 12 hours. Oasis Security experts emphasized that alongside input restrictions, alerts about suspicious activities remain a vital component of robust security measures.

AuthQuake serves as a stark reminder that even advanced security systems require continuous testing and refinement to counter evolving threats.