@sophieschmieg@infosec.exchange : *if* the second factor consists of 6 digits and regularly changes (TOTP: usually every thirty seconds), then the odds are typically worse than 1 in a million. Because the client clock may be out of sync with the server clock, a time window larger than 30 seconds is typically used to increase fault tolerance. I suggest you read https://www.oasis.security/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass

I remembered that attack, but Pouyan (@i@toot.pouyan.net) had already referenced "AuthQuake" in an earlier toot (https://toot.pouyan.net/notice/B6xuBX6lzrGenpC74y) - but you may have missed that.

W.r.t. 2FA: if the server, after entering the user-ID and an incorrect password, responds with "wrong userID or password" - before asking for the 2FA code (or a timing difference reveals whether the first factor is wrong or correct), then the attacker's life gets a lot easier. And if 2FA is reduced to 1FA in "device code" phishing attacks, even passkeys and FIDO2 hardware keys will not prevent account takeovers. Also "password reset" mechanisms may have flaws (up to Instagram's AI assistant being easily convinced by fraudsters).

@dangoodin@infosec.exchange @cibyr@omg.wtf.sh #TOTP #TimeWindow #RFC6238 #2FA #Weak2FA #MFA #WeakMFA #BruteForce
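To make the time-window point concrete, here is an added example (editor's code, not from the toot above, from the linked research, or from any vendor's implementation). It implements RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1 and 6 digits, models a hypothetical server that accepts any code from the current step and up to `window` steps on either side to tolerate clock skew, and then computes how that widening changes a guesser's odds. The secret is the RFC 6238 Appendix B test secret, so the individual codes can be checked against the RFC's test vectors; the `window` parameter and the brute-force probability helper are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used so the
# codes below can be checked against the RFC's published SHA-1 test vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def accepted_codes(secret: bytes, unix_time: int, window: int,
                   step: int = STEP_SECONDS, digits: int = DIGITS) -> set:
    """Codes a hypothetical server accepts at unix_time when it tolerates
    +-window steps of clock skew (window=0 means only the current step).
    A set is used because two adjacent steps can, rarely, yield the same code."""
    current = unix_time // step
    return {hotp(secret, current + delta, digits) for delta in range(-window, window + 1)}


def verify(secret: bytes, code: str, unix_time: int, window: int,
           step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check: is `code` one of the codes accepted right now?
    Each candidate is compared in constant time; the count of candidates is public anyway."""
    return any(hmac.compare_digest(code, c)
               for c in accepted_codes(secret, unix_time, window, step, digits))


def single_guess_probability(secret: bytes, unix_time: int, window: int,
                             step: int = STEP_SECONDS, digits: int = DIGITS) -> float:
    """Chance that ONE uniformly random guess is accepted = |accepted codes| / 10^digits.
    With window=0 this is 1e-6; with window=1 it is (almost always) 3e-6."""
    return len(accepted_codes(secret, unix_time, window, step, digits)) / 10 ** digits


def brute_force_probability(accepted: int, attempts: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` distinct random guesses hit at least one of `accepted`
    valid codes in a space of 10^digits, i.e. 1 - C(N-k, n) / C(N, n), computed as a
    running product so it stays cheap for large n. Assumes no lockout or rate limit."""
    space = 10 ** digits
    attempts = min(attempts, space)
    miss = 1.0
    for i in range(attempts):
        miss *= (space - accepted - i) / (space - i)
    return 1.0 - miss


if __name__ == "__main__":
    # 1111111109 and 1111111111 fall in adjacent 30-second steps (37037036 and 37037037),
    # so with a +-1 step window the earlier code is still accepted at the later time.
    t = 1111111111
    print("current code      :", totp(RFC6238_TEST_SECRET, t))          # RFC vector: ...050471
    print("previous-step code:", totp(RFC6238_TEST_SECRET, 1111111109))  # RFC vector: ...081804
    for window in (0, 1, 2):
        codes = accepted_codes(RFC6238_TEST_SECRET, t, window)
        print(f"window=+-{window}: {len(codes)} accepted codes, "
              f"1 guess -> {single_guess_probability(RFC6238_TEST_SECRET, t, window):.1e}, "
              f"1000 guesses -> {brute_force_probability(len(codes), 1000):.2e}")
```

The numbers are small either way; the point the example makes is that the acceptance window multiplies the attacker's odds per guess by the number of steps accepted, and that an endpoint which lets an attacker spend many guesses (no lockout, or many parallel sessions) multiplies them again by the attempt count. The timing and error-message leaks about the first factor described in the toot are a separate problem that this snippet does not model.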