Vulnerability in Microsoft’s MFA could wreak havoc on organisations, says security expert

It’s a bit like “taking a room key for a building and turning it into a skeleton key that works on every door in the building,” explained a blog post on the Okta REX website.

The vulnerability can be exploited by an internal actor, such as a disgruntled employee, or by the operator of a phishing campaign who has obtained the passwords of several users, to gain access to critical systems. The attacker needs a password and a working second factor for just one account (their own, for an insider) plus the passwords of the victims.


The weakness was found in the protocol that Microsoft’s authentication system, Active Directory Federation Services (ADFS), uses to integrate with MFA products. ADFS commonly functions as an organisational gatekeeper, issuing single sign-on tokens for internal and cloud applications.

Andrew Lee, the security engineer who discovered the vulnerability, explained: “A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for all other accounts in an organisation.”


MFA, multi-factor authentication, is a layered approach to confirming a user’s identity. It combines evidence from more than one category: something the user knows (a password), something they have (a phone or hardware token) and something they are (a biometric). The point of the second factor is that a stolen password alone should not be enough to log in.

According to Lee, however, “by exploiting a weakness in the MFA protocol for Microsoft’s authentication system, if a single user’s password and second factor are compromised, their second factor can be used in place of anyone else’s in the organisation.”
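The quotes above describe the class of weakness, a second-factor approval that is not bound to the account it was issued for, rather than the internal ADFS mechanics. The following is an illustrative model written for this article; it is not Microsoft’s code, not Okta’s proof of concept, and does not reproduce the real ADFS adapter protocol or the patch. All names (USERS, second_factor_proof, complete_login, skeleton_key_attempt, SERVER_KEY) and the directory contents are invented for the example. It contrasts a proof token that says only “an MFA check passed” with one that also names the user, and shows that only the unbound variant lets alice’s second factor open bob’s account.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a signing key held only by the identity provider, used for MFA proofs.
SERVER_KEY = b"idp-signing-key-for-the-example"

# Constructed directory for the example. Plaintext passwords only to keep it short.
USERS = {
    "alice": {"password": "alice-pw", "otp_secret": "ALICE-OTP-SECRET"},
    "bob":   {"password": "bob-pw",   "otp_secret": "BOB-OTP-SECRET"},
}


def toy_otp(otp_secret: str) -> str:
    """Stand-in for a TOTP code: six hex chars derived from the user's OTP secret."""
    return hmac.new(otp_secret.encode(), b"time-step", hashlib.sha256).hexdigest()[:6]


def _sign(claims: dict) -> str:
    """Encode claims and append an HMAC so the client cannot alter them."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _open(token: str) -> dict:
    """Verify the HMAC and return the claims; raise on any tampering."""
    body, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MFA proof has a bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def second_factor_proof(username: str, otp: str, bind_to_user: bool) -> Optional[str]:
    """MFA step: check the code for `username` and return a signed proof of success.

    bind_to_user=False models the weakness: the proof records only that *a*
    second factor passed, not whose. bind_to_user=True is the hardened variant.
    """
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(toy_otp(user["otp_secret"]), otp):
        return None
    claims = {"mfa_passed": True}
    if bind_to_user:
        claims["sub"] = username  # tie the proof to the account that was verified
    return _sign(claims)


def complete_login(username: str, password: str, proof: str, bind_to_user: bool) -> bool:
    """Final step: a correct password plus a valid MFA proof yields a session."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    try:
        claims = _open(proof)
    except (ValueError, json.JSONDecodeError):
        return False
    if not claims.get("mfa_passed"):
        return False
    # The only difference between the weak and hardened paths: the hardened
    # server refuses a proof issued for a different account.
    if bind_to_user and claims.get("sub") != username:
        return False
    return True


def skeleton_key_attempt(bind_to_user: bool) -> bool:
    """Attacker holds alice's password and second factor and has phished bob's
    password, but not bob's second factor. Returns True if bob's account opens."""
    alice_proof = second_factor_proof(
        "alice", toy_otp(USERS["alice"]["otp_secret"]), bind_to_user
    )
    if alice_proof is None:
        return False
    # Replay alice's proof where bob's second factor should be.
    return complete_login("bob", "bob-pw", alice_proof, bind_to_user)


if __name__ == "__main__":
    print("unbound proof, bob compromised:", skeleton_key_attempt(bind_to_user=False))
    print("proof bound to user, bob compromised:", skeleton_key_attempt(bind_to_user=True))
```

The signature alone does not help: in the weak variant the proof is genuine, it was simply minted for a different account. The fix is the same whatever the real protocol looks like, namely that the identity the second factor was verified for must travel with the proof and be compared against the identity being logged in, and that comparison must happen server-side.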


After being notified of the vulnerability and independently validating it, Microsoft produced a patch to address it. Okta advises organisations running Microsoft ADFS to apply the patch; until they do, a second factor protects nothing more than the weakest password in the organisation.

According to Okta REX, more than 80% of today’s breaches involve stolen or weak passwords. It said that “this vulnerability is particularly viable for insider threat actors who can easily spearphish unsuspecting members of their organization, whether it’s a direct colleague, supervisor, or even senior executives.”


Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.
