home.social

#authquake — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #authquake, aggregated by home.social.

  1. I bet Microsoft's tolerance of outdated TOTP responses that gave rise to the #authquake vuln is their need to support hardware OATH tokens. Time drift is a real problem and most have no way of correcting it. Still, you'd think that rather than extending the window of acceptable codes and allowing for brute-force guessing, MS would challenge an outdated prompt for the next one and the one after that and then they could figure out how far behind the token is and correct for the drift themselves. If that's not the reason I'd love to know what it was! oasis.security/resources/blog/