Sure. So, let's say you guess my password. Now you get prompted for the second factor, which you don't have.
In fact I have Security Keys, so, now you're trying to break AES, which you can't do.
But let's suppose you're attacking the average person whose second factor is a TOTP authenticator. Unsurprisingly Microsoft only give you a finite rate of tries at TOTP codes. And of course the correct code keeps changing meanwhile, so you can guess forever and never have better than about 1 in 100 000 chance to guess a valid code each time. How many guesses do you think you get before your client is considered vexatious and can't try any more?
> If the second factor were enough security why even have the password?
Having two factors is better. But obviously neither of them should be a conventional password because passwords are crap.
You can have WebAuthn set to do usernameless authentication, with the two factors both being local. So when you visit a site with this behaviour and it wants authentication, you maybe touch your fingerprint sensor on your phone, that's one factor, having the phone is the other factor, that's two factors, the phone hands over credentials including a large identifier that's equivalent to a user ID for the site, plus its assurance that you are present (based on the fingerprint) and a signature proving it is still the same phone used to sign up for this method. No typing your email address, no passwords, much better security.
> He can just be 1000000 clients each only trying once. And if you block them you also block the user.
Yes, if you rate limit attackers you also rate limit the real user.
But as an attacker, what value am I getting from that? Maybe it's a chargeable service I can sell? It certainly doesn't help me steal gift cards.
$1000 per hour to annoy a friend by preventing them from logging into their email? Not many buyers at that price.
$100 per hour? $10 per hour? $1 per hour? Remember that to fuel this you are throwing away a botnet so that you can hammer on the login until you get blocked, and botnets aren't that cheap to buy.
Yes you can have proper security. But this is about the Microsoft solution where you don’t, where you can first guess the password and then guess the 2FA code. Which is not very smart, considering it’s not that much harder to check both at the same time and fail when either is wrong.
They can switch to display the right one when you enter your email address, they already do this. And of course indeed it doesn’t work with methods like sms and emailing codes, both of which are not secure anyway.
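To make the two points above concrete (the finite budget of TOTP guesses mentioned earlier, and checking both factors together so a failure never reveals that the password alone was right), here is an added example of such a login check. It is not code from any commenter or from Microsoft; the account store, the lockout budget of five failures per 15 minutes, and the sample secret are constructed for illustration. The TOTP routine is the standard RFC 6238 algorithm (HMAC-SHA1, 6 digits, 30-second step).

```python
import hashlib
import hmac
import secrets
import struct

# --- TOTP per RFC 6238 / HOTP per RFC 4226 (HMAC-SHA1, 6 digits) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)

# --- Hypothetical account record (constructed for this example) ---

class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret
        self.failures = 0         # failed attempts since the last success/lockout
        self.locked_until = 0.0   # Unix time before which logins are refused

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

MAX_FAILURES = 5          # assumed budget: lock after this many failures
LOCKOUT_SECONDS = 900     # assumed lockout length

def login(account: Account, password: str, code: str, now: float) -> bool:
    """Return True only when BOTH the password and the TOTP code are valid.

    Both factors are always evaluated, there is a single generic failure
    outcome, and every failure counts against the same lockout budget, so a
    caller never learns which factor was wrong. With six digits and a
    three-step window, one guess at the code has roughly a 3 in 1 000 000
    chance, and the budget stops the guesses long before that pays off.
    """
    if now < account.locked_until:
        return False
    pw_ok = hmac.compare_digest(
        account.password_hash, Account._hash(password, account.salt)
    )
    # Accept the previous and next 30 s step too, to tolerate clock skew.
    step = int(now) // 30
    code_ok = any(
        hmac.compare_digest(hotp(account.totp_secret, step + d), code)
        for d in (-1, 0, 1)
    )
    if pw_ok and code_ok:
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failures = 0
    return False

if __name__ == "__main__":
    # RFC 4226 / 6238 test secret; the code at Unix time 59 is 287082.
    acct = Account("correct horse battery", b"12345678901234567890")
    print(login(acct, "correct horse battery", "287082", 59))   # True
    print(login(acct, "correct horse battery", "000000", 59))   # False, no hint
```

The password hash is compared before the code is even looked at, and the outcome is still the same `False` either way; a real service would also apply the same budget per source and per account so that a distributed guesser cannot reset it by changing clients, which is the trade-off discussed above.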
> They can switch to display the right one when you enter your email address, they already do this
So the effect here is this gives bad guys a free targeting feature. Just type in any email addresses and Microsoft will tell you which 2FA is enabled if any.
> And of course indeed it doesn’t work with methods like sms and emailing codes
So, it doesn't help at all for the good case, and it breaks the bad case worse, what was the goal again?
WebAuthn is the good case, which is the case you didn't break since it doesn't care about any of this. And you made the bad cases worse. So good news I guess, "At least Microsoft aren't as bad at this as tinus_hn".
Agreed. Second factor where you tell the attacker they got the password right before asking for the next factor isn't really 2 factor.
Either that, or you force the user to do a password reset if ever they provide the password but cannot provide the 2nd factor in the same login attempt. I think that would upset a lot of users though.