Multi-Factor Authentication Issues Emphasize Microsoft's Update Problem

Microsoft’s multi-factor authentication (MFA) service suffered another outage, locking out many customers of Microsoft's Azure Active Directory service, as well as Office 365 customers. Microsoft’s MFA service saw its first outage, which lasted for 14 hours straight, last week.

Microsoft MFA Locks Customers Out

Last week, Office 365 and Azure Active Directory customers were locked out of the services for 14 hours due to an unexplained issue with the MFA service. MFA enables Microsoft Azure Active Directory and Office 365 customers to authenticate using an additional authentication factor other than their passwords. This could include a SMS code, a fingerprint or face scan, as well as another trusted device, such as a smartphone or security key.

At first Microsoft implemented a hotfix to solve the issue for the majority of those having trouble logging into their accounts, but eventually it learned that some customers weren’t even receiving the authentication codes they were supposed to get by SMS or other methods. Later, Microsoft was able to discover that the issue was caused by a recent update meant to improve the connection to caching services.

Microsoft Customers Locked Out a Second Time

Today, Azure Active Directory customers, which includes Office 365 customers, started reporting on Twitter that the MFA service wouldn’t let them log into their accounts again. A little more than two hours after the company was aware of the issue, it published the following statement on the Azure status dashboard:

"Engineers have also determined a Domain Name System (DNS) issue caused sign-in requests to fail, but this issue is mitigated and engineers are restarting the authentication infrastructure."

Has Microsoft Learned Its Lesson?

This recent outage of one of Microsoft’s most important services prompted the company to reevaluate its update-deployment procedures. Microsoft’s Windows 10, which the company had previously dubbed Windows-as-a-Service, has also been plagued by many issues caused by updates throughout its life.

These issues were exacerbated by the company’s release of significant new Windows 10 features every six months, combined with the fact that the company seems to have reduced its Q&A focus for Windows 10. The situation only seems to be getting worse. Security company Avecto released a study earlier this year showing that Windows 10, which is supposed to be Microsoft's most secure operating system, has had a drastic increase in critical vulnerabilities compared to previous Windows versions.

The latest Windows 10 1809 update also caused some significant issues for users, despite the company delaying its release to fix some of these issues. These recent issues seem to point to a deeper problem Microsoft may have right now relevant to how it goes about updating its software and reviewing those updates before deploying them to customers. It remains to be seen if the solutions the company's implements will actually fix it.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.