New vuln in Microsoft Active Directory lets attackers bypass multi-factor authentication

Okta found a vulnerability in Microsoft’s popular identity management directory that could let a hacker circumvent multi-factor authentication.
Image: Microsoft Active Directory (Flickr user Thomas Hawk / CC-BY-2.0)

A vulnerability in Microsoft’s popular identity management directory could let an attacker breach multiple employee accounts in an organization by circumventing multi-factor authentication, according to new research from identity security company Okta.

The directory in question is Microsoft’s Active Directory Federation Services (ADFS), which allows business partners from different organizations to sign in to shared web applications. A weakness in the multi-factor authentication protocol for ADFS means that a hacker equipped with one user’s password and second “factor,” such as an SMS code, could present that factor in place of any other employee’s second factor in the organization, according to Okta. To breach another user in the organization, the hacker would also need that user’s user name and password on the same ADFS service.

“Simply put, if just one employee in a global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO with this vulnerability,” wrote Matias Brutti, Okta’s director of research and exploitation.

Microsoft has released a patch for the vulnerability. Given that ADFS is “a legacy, on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations,” Brutti wrote.


In a blog post, Andrew Lee, the Okta security engineer who found the vulnerability, likened its exploitation “to turning a room key into a master key for every door in the building – but in this building, each door has a second lock that accepts a passcode.”

The vulnerability stems from a “failure to cryptographically enforce the integrity and authenticity of relationships between the two pieces of identity — the primary credentials and the second factor,” Lee wrote.
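The binding failure Lee describes, shown as an added, constructed illustration (not ADFS code or Okta’s research code): a second-factor proof that merely says “MFA passed” can be presented for any account, whereas a proof that is a MAC over the identity that completed the factor only verifies for that identity. All names, codes and passwords below are made up for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side key that binds MFA proofs to a primary identity.
# Assumption: in a real deployment this lives in an HSM or key service.
SERVER_KEY = secrets.token_bytes(32)

# Constructed credential stores: primary passwords and the one-time
# second-factor codes issued to each user (e.g. by SMS).
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}
ISSUED_CODES = {"alice": "492817", "bob": "113355"}

def primary_ok(username: str, password: str) -> bool:
    """Check the primary credential in constant time."""
    expected = PASSWORDS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)

def verify_factor(username: str, code: str) -> bool:
    """Check that the code is the one issued to this user."""
    expected = ISSUED_CODES.get(username)
    return expected is not None and hmac.compare_digest(expected, code)

def mint_mfa_proof_unbound(code_owner: str, code: str) -> bytes:
    """Weak design: the proof attests only that *some* second factor was
    verified; nothing in it names the identity the factor belongs to."""
    if not verify_factor(code_owner, code):
        raise PermissionError("second factor rejected")
    return hmac.new(SERVER_KEY, b"mfa-ok", hashlib.sha256).digest()

def mint_mfa_proof_bound(code_owner: str, code: str) -> bytes:
    """Hardened design: the proof is a MAC over the identity that completed
    the second factor, so it cannot be reused for another account."""
    if not verify_factor(code_owner, code):
        raise PermissionError("second factor rejected")
    msg = b"mfa-ok|" + code_owner.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def login_unbound(username: str, password: str, proof: bytes) -> bool:
    """Accepts any genuine MFA proof, regardless of who it was issued to."""
    expected = hmac.new(SERVER_KEY, b"mfa-ok", hashlib.sha256).digest()
    return primary_ok(username, password) and hmac.compare_digest(expected, proof)

def login_bound(username: str, password: str, proof: bytes) -> bool:
    """Recomputes the MAC for *this* username, so a proof minted for
    a different identity fails verification."""
    msg = b"mfa-ok|" + username.encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return primary_ok(username, password) and hmac.compare_digest(expected, proof)
```

Binding the proof to the identity is the check the article’s patch description points at: the second factor must be tied to the same primary credential it was issued for.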

Information security professionals have weighed in on the merits of two-factor authentication via SMS following the breach in June of Reddit, one of the world’s most popular websites. Hackers compromised the accounts of several Reddit employees by intercepting SMS messages used to log them in.

Experts say the breach was a reminder of the security limits of two-factor authentication via SMS, but also emphasize that it is, of course, still better than having no second factor at all. Upgrading to a hardware token thwarts attacks that rely on an SMS intercept.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.