Microsoft’s MFA is so strong, it locked out users for 8 hours | Cyber Security
On 19 November at 04:39 UTC (23:39 EST), Microsoft Office 365 and Azure Active Directory users started reporting that they were unable to access the multi-factor authentication (MFA) system or reset passwords, locking them out of their accounts.
When Microsoft’s cloud authentication is working correctly, a user who has signed in with a username and password completes the second factor via text message, phone call, a verification code from the authenticator app, or a push notification to that app.
This, it turned out, was no mere hiccup, with problems for users across Europe, Asia-Pacific and the Americas continuing for at least eight hours – a long time for users to be unable to log into such an important business platform.
Microsoft eventually offered an explanation:
Preliminary root cause: A recent update to the MFA service introduced a coding issue that prevented users from being able to sign in or carry out self-service password resets when using MFA for authentication.
Twitter complaints soon rolled in, ranging from annoyed to angry.
A recurring theme was that admins couldn’t even temporarily turn off MFA for affected users, because their own admin accounts were locked out by the same issue.
In theory, only organisations running the on-premises Azure MFA Server on their own infrastructure, rather than relying on Microsoft’s cloud MFA service, would have been unaffected by this.