@dwizzzlemsft

Post-Update OOBE on Windows 11 (on 22621.2134 / 22H2; this laptop was in storage for a while) with an MSA generated a flood of Authenticator 2FA requests _without_ showing anything other than "Just a moment..." on screen, especially not showing the 5-digit 2FA request ID.

WTF? Isn't that how some recent 2FA hacks worked? You flood the victim with random 2FA prompts until they accidentally hit "accept"?

MSA now in "You need to verify your identity." state, so seemed legit.

@felix looks like the Twitter username reference isn't working...
@shuffle2 Oh, right. He isn't natively here, right?
@shuffle2 @felix @dwizzzle it sounds like maybe you had multiple different types of tokens expire which generated the flood when you re-authed. I’m not an expert on the MSA backend but I’ll send this thread to some folks
@shuffle2 @dwizzzle Thanks for looking into it! To be clear - there is no issue with having one (or even multiple) 2FA requests during OOBE, my issue is that there was no indication on screen in OOBE that they were requested - and while there was strong temporal correlation, without being able to associate the request, "anyone" could have requested it.
@felix @shuffle2 @dwizzzle yeah I *think* the number challenge vs just approve is configurable and has come up previously. I'd like to see number be the default - I believe that's already the case for Entra/AAD