Multi-Factor Authentication Fail: Single MFA Token Used to Gain Access to All Accounts

Multi-factor authentication can help to secure accounts and protect against phishing attacks. Even if a correct username and password combination is obtained, the account cannot be accessed without the second factor (e.g. an SMS message, token, device, or email address).

As the recently discovered data breach at Reddit demonstrated, multi-factor authentication is not a silver bullet. Reddit used SMS messages to a user’s mobile phone as the second factor, but for one employee the SMS message was intercepted and used to gain access to an account and a database of users’ credentials.

There have been many data breaches reported where multi-factor authentication failed to stop account access, although a recently discovered vulnerability has made bypassing multi-factor authentication far easier.

Andrew Lee of Okta discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS) which allows MFA to be bypassed on all accounts using a single MFA token. If a username and password are known, an account can be accessed even without the MFA token for that account.

The vulnerability affects all businesses that use ADFS to manage identities and resources, as well as third-party MFA vendors that provide an ADFS agent for their MFA product.

All that is required is a username, password, and valid MFA token for one account. By exploiting the vulnerability, that MFA token can be used to access a second account on the same Active Directory service if the second account’s username and password are known. Those credentials could easily be obtained through phishing.

This vulnerability would be easiest to exploit by an employee, who would already have a username, password, and MFA token of their own.

This is possible because ADFS was not checking that the credentials entered matched the MFA token. During authentication, the server sends an encrypted MFA context log which is correctly signed and encrypted. That log contains the MFA token, but not the username, so the server cannot check that the token is being used by the correct person.

Lee said the flaw is simple to correct. Microsoft would only need to include the username in the signed data of the MFA context log.
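The following is an added illustration of the binding problem described above; it is not ADFS code, not Lee’s research code, and makes no claim about the real ADFS context-log format. It assumes a simplified signed context blob (HMAC over a small JSON document with a constructed server key) and contrasts a context that records only “MFA passed” with one that also binds the username into the signed data, which is the fix the article describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side signing key for this example only (not an ADFS value).
SERVER_KEY = b"example-server-signing-key"


def _sign(payload: dict) -> str:
    """Return base64(body).base64(HMAC-SHA256(body)) for a JSON payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()


def _open(context: str):
    """Verify the MAC and return the payload, or None if the blob was tampered with."""
    body_b64, mac_b64 = context.split(".")
    body = base64.b64decode(body_b64)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(mac_b64)):
        return None
    return json.loads(body)


def issue_context_unbound(mfa_ok: bool) -> str:
    # Weak shape: the signed data only says that an MFA step succeeded.
    return _sign({"mfa_ok": mfa_ok})


def issue_context_bound(username: str, mfa_ok: bool) -> str:
    # Hardened shape: the username is part of what gets signed.
    return _sign({"mfa_ok": mfa_ok, "user": username})


def complete_login_unbound(username: str, password_ok: bool, context: str) -> bool:
    # Weak check: any validly signed "mfa_ok" context satisfies any username.
    data = _open(context)
    return password_ok and data is not None and data.get("mfa_ok") is True


def complete_login_bound(username: str, password_ok: bool, context: str) -> bool:
    # Hardened check: the context must have been issued for this same username.
    data = _open(context)
    return (password_ok and data is not None
            and data.get("mfa_ok") is True
            and data.get("user") == username)


def demonstrate() -> dict:
    """Run both designs with a context issued for 'alice' and replayed for 'bob'."""
    weak_ctx = issue_context_unbound(True)
    bound_ctx = issue_context_bound("alice", True)

    # Forge attempt against the bound design: edit the username in the body
    # but keep the old MAC; the signature check should reject it.
    body_b64, mac_b64 = bound_ctx.split(".")
    edited = json.loads(base64.b64decode(body_b64))
    edited["user"] = "bob"
    forged_ctx = base64.b64encode(
        json.dumps(edited, sort_keys=True).encode()).decode() + "." + mac_b64

    return {
        "weak_accepts_other_user": complete_login_unbound("bob", True, weak_ctx),
        "bound_accepts_owner": complete_login_bound("alice", True, bound_ctx),
        "bound_rejects_other_user": complete_login_bound("bob", True, bound_ctx),
        "bound_rejects_forged": complete_login_bound("bob", True, forged_ctx),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The point the example makes is that signing and encrypting the context is not enough on its own: what matters is which fields are covered by the signature. Once the username is inside the signed data, a context issued for one user cannot be replayed for another, and editing the username invalidates the MAC.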

The correction has now been made. Microsoft patched ADFS and corrected the flaw in its Patch Tuesday updates on August 14. All companies are urged to apply the patch as soon as possible to correct the MFA flaw.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news