On 19 November at 04:39 UTC (23:39 EST), Microsoft Office 365 and Azure Active Directory users started reporting that they were unable to access the multi-factor authentication (MFA) system or reset passwords, locking them out of their accounts.
When Microsoft’s cloud authentication is working correctly, users who have entered their username and password complete sign-in with a second factor: a text message, phone call, app verification code, or push request.
This, it turned out, was no mere hiccup, with problems for users across Europe, Asia-Pacific and the Americas continuing for at least eight hours – a long time for users to be unable to log into such an important business platform.
Microsoft eventually offered an explanation:
Preliminary root cause: A recent update to the MFA service introduced a coding issue that prevented users from being able to sign in or carry out self-service password resets when using MFA for authentication.
Twitter complaints soon rolled in on a scale ranging from annoyed to angry:
@MSFT365Status This is brutal. My team can't work. No one can log in to perform administrative duties.
— HarbinSEC (@harbinsec) November 19, 2018
Others raised the issue of powerless admins:
@MSFT365Status So, as an admin, I'm not able to log on, since I have MFA enabled. Is there a way to work around this?
— Pascal Engels (@draxken) November 19, 2018
Which is to say, admins couldn’t even temporarily turn off MFA for users as they were locked out by the same issue.
In theory, only organisations hosting Azure MFA on their own servers rather than through Microsoft’s infrastructure would have been unaffected by this.
Microsoft publishes advice on gaining emergency access to Azure AD accounts, including when MFA is unavailable.
It’s unclear whether this also applies when Microsoft’s own cloud authentication is not working (the documentation assumes this never happens).
What’s more, even if this is a viable workaround, implementing an emergency account comes with overheads, as the advice makes clear:
An account password for an emergency access account is usually separated into two or three parts, written on separate pieces of paper, and stored in secure, fireproof safes that are in secure, separate locations.
A memorably bad day eventually came to an end by around 21:30 UTC when MFA access returned to normal after Microsoft applied some “hotfix” medicine.
All of this matters because adopting multi-factor authentication is one of the most useful security upgrades you can make (it combats phishing, password reuse and weak passwords), but it’s one that users are already reluctant to make.
So is this a knock for the MFA cause? Maybe, but it shouldn’t be.
While it’s true that losing MFA hosted by a cloud provider as fundamental as Microsoft is bad news, the same could be said when losing access to any service, whether hosted in the cloud or not – the issue is downtime, not the merits of MFA.
MFA remains a good idea. So is having a plan B.