Microsoft MFA flaw silently let attackers brute-force your MFA codes

The Oasis research team showed that by rapidly creating new sessions and cycling through codes, attackers could submit guesses at a high rate and quickly exhaust all 1 million possible 6-digit codes. During these attempts, account holders received no warning about the many failed attempts, which made the vulnerability both stealthy and dangerous.

“The recent discovery of the AuthQuake vulnerability in Microsoft’s Multi-Factor Authentication (MFA) serves as a reminder that security is not just about deploying MFA – it must also be configured properly,” said James Scobey, chief information security officer at Keeper Security. “Although MFA is undoubtedly a powerful protection, its effectiveness depends on important settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts.”

An extended validity window makes it worse

Authenticator app codes follow the time-based one-time password (TOTP) standard, which generates a new code every 30 seconds, with a small grace window that tolerates clock differences between the user's device and the verifier. Every extra 30-second step the verifier accepts is one more code that a guess can match, so a wide tolerance window multiplies an attacker's odds per attempt.
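The two defensive settings the article points to, rate limiting with lockout and user notification on repeated failures, together with a tight skew tolerance, can be seen in a small RFC 6238 verifier. The following is an added example written for this page, not code from Oasis, Microsoft or Keeper Security; the secret is the public RFC 6238 test key, the lockout policy values are illustrative, and the `notifications` list stands in for whatever alerting channel a real identity provider would use. The `brute_force_success_probability` helper makes explicit why the attack the article describes works: with no lockout, the per-guess odds are simply the number of accepted time steps divided by the 10^6 code space.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # 6-digit codes, as in the article: 1,000,000 possibilities
STEP = 30    # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def brute_force_success_probability(attempts: int, skew_steps: int = 1, digits: int = DIGITS) -> float:
    """Approximate chance that `attempts` random guesses hit a code the verifier accepts.
    The verifier accepts 2*skew_steps+1 time steps, so each guess has that many chances
    out of 10**digits. This is the quantity rate limiting is meant to keep tiny."""
    windows = 2 * skew_steps + 1
    return min(1.0, windows * attempts / 10 ** digits)


class Verifier:
    """TOTP verifier with skew tolerance, per-account lockout, replay protection and
    a (simulated) notification to the account holder when the lockout trips."""

    def __init__(self, secret: bytes, skew_steps: int = 1, max_failures: int = 5,
                 lockout_seconds: int = 300, step: int = STEP):
        self.secret = secret
        self.skew = skew_steps          # keep small: each extra step widens the target
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.step = step
        self._state = {}                # account -> counters; in-memory for the example
        self.notifications = []         # stand-in for e-mail/push alerts to the user

    def _state_for(self, account: str) -> dict:
        return self._state.setdefault(account, {"failures": 0, "locked_until": 0, "last_counter": -1})

    def verify(self, account: str, code: str, now: int):
        st = self._state_for(account)
        if now < st["locked_until"]:
            return False, "locked"          # no guesses are evaluated while locked out
        if st["locked_until"]:              # lockout has expired: start a fresh failure budget
            st["locked_until"], st["failures"] = 0, 0

        base = int(now // self.step)
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= st["last_counter"]:
                    return False, "replay"  # a code may be used once, even inside the skew window
                st["last_counter"], st["failures"] = counter, 0
                return True, "ok"

        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["locked_until"] = now + self.lockout_seconds
            # The missing piece in the article's scenario: tell the user something is going on.
            self.notifications.append((account, now, f"{st['failures']} failed MFA attempts; locked"))
            return False, "locked"
        return False, "invalid"


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 reference test secret
    print("TOTP at t=59:", totp(secret, 59))
    print("odds of 1,000,000 guesses with no lockout:", brute_force_success_probability(1_000_000))
    print("odds of 5 guesses before lockout:", brute_force_success_probability(5))
```

Two design points matter here. Lockout state is keyed by account, not by session, because the article's scenario is exactly that a verifier which only limits attempts per session can be defeated by opening many sessions. And the skew tolerance is a parameter the operator should keep at one step or less: the probability helper shows that tolerance multiplies the attacker's odds linearly, while the failure budget caps how many guesses they get at all.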
