Who do I know in Microsoft that's involved in identity/auth/2fa? I keep getting random 2fa notifications, the password is strong/unique/long and has been rotated. Feels like there's a bypass somewhere

@JonnySchnittger howdy. Check your AAD Sign-in logs. Should have a reason for the MFA prompt in the data.

Quick guesses are Sign-in risk due to VPN or anonymous IP service, Conditional Access policy requiring frequent MFA, or high user risk due to known password compromise or slowly escalating risk level from VPN activity and Named Locations data isn't updated.

@x3nc0n the prompts are coming from all over the world, Asia, Europe, the US etc... it varies what protocol they're using IMAP/automatic sync/direct password/etc. Variety of browser headings etc. It's an old account, so it's in various leaks, but the credentials are fresh and clean
@x3nc0n my assumption is that the typical auth flow is email > password > 2fa ... But that somewhere in the stack you can do email > 2fa (? > password)
@JonnySchnittger @x3nc0n do you have passwordless enabled? If so, they could trigger the number matching pop up with just a username
@JonnySchnittger @x3nc0n And to confirm, you are getting the 2fa pop ups in the authenticator app?
@halligan @x3nc0n yup, full authenticator app in Android, not the new lite version in office
@JonnySchnittger @x3nc0n Is this some sort of dev/test/playground AAD? I assume not prod. Asking because I would look at your AAD Audit logs (or a screenshot thereof) but wouldn't want you sharing any prod data. I am a security tech specialist at MS.
@halligan @x3nc0n it's my personal hotmail/live account, not enterprise/AAD
@JonnySchnittger @x3nc0n Ah, not AAD. In the MS account sign in activity, what does it say for "Session Activity" for the failed sign-ins?
@halligan @x3nc0n here's a selection... Mostly incorrect password, but I included one of the ones I denied from the app
@JonnySchnittger @x3nc0n The only one of those that should have triggered MFA is the last one with "Request denied in app". All the rest look like they failed with bad password. You got prompted for MFA for the ones that show incorrect password?
@halligan @x3nc0n no, just the once. It's happened a few times the last while. The incorrect passwords are pretty standard, multiple times a day. The 2FA prompts are a recent addition and have continued after a password reset

@JonnySchnittger @halligan it should do as you said, mfa is secondary auth so you'd only be prompted if someone got the password correct. If you're getting mfa prompts, someone has the password. I'm trying to think if there's anything else that could cause it... But nothing comes to mind right now.

Going passwordless would be ideal, given the issue. But still curious.

@x3nc0n @halligan as a follow up, I just received a 2FA notification that seems paired with an incorrect password attempt