Microsoft’s Office 365 outage is a big backwards step for security

A log-in problem locked millions of Office 365 users out of their accounts. And it could undermine confidence in multi-factor authentication

For more than 15 hours on Monday, people from organisations all over the world, including the UK parliament, were unable to log in to their email accounts or anything else hosted on Office 365, Microsoft’s cloud computing service. And, worryingly, panic ensued.

After entering their passwords, nothing happened, regardless of whether users were authenticating via SMS, app or phone call. Some received a code but weren’t able to proceed to the screen to input it, others were able to input it but nothing happened after that.

And in the clamour to access critical information, multi-factor authentication (MFA), a system designed to secure systems such as email and online banking, actually made things worse.

There are more than 120 million Office 365 business users, and with more than 80 per cent of Fortune 500 companies using Microsoft’s cloud services, the impact of the outage was widespread. The problem won’t have affected all users, however, only those with MFA switched on who were not already logged in.

In the UK, parliamentary staff were able to access computers at Westminster, for example, but some were unable to log in to their email accounts if working remotely. Other companies have MFA enabled even in their own offices, leaving people unable to access emails and documents saved in the cloud.

“People are advised to use this kind of thing,” says Pete Banham, a cyber resilience expert at Mimecast. “It’s good practice, and a lot of consumer stuff is doing it as well through apps like Google Authenticator. But this caused a lot of people a headache first thing on a Monday morning.”

At one global pharmaceutical company, the IT helpdesk was inundated with calls from Europe to South America. “It was a bit of a nightmare from an IT reputation perspective,” says the firm’s IT operations leader, who asks not to be named. “There were no workarounds for the first 24 hours.”

It took Microsoft an unusually long time to fix the problem. The company finally released a hotfix at around 17:00 GMT, but in the meantime companies were exposed to potentially unsafe security practices. “The main problem you have is that users have two choices - sit there on their hands and do nothing, or resort to using their own device,” says the pharma company’s IT operations leader. “If people start using Hotmail or Gmail they open themselves up to data leaks.”

Some IT departments were able to work around the problem by switching off MFA for affected users, but this also represents a security risk. According to reports on Twitter, others couldn’t even do that - their admin accounts were also secured by MFA, so no-one could log in to switch it off. Some couldn’t even log in to see the status of the server and check if it had started working again.

This isn’t the first time Microsoft’s MFA access has gone down. In September, a lightning strike that took out cooling systems at a data centre in Texas caused a similar log-in issue for Office 365 users. Yesterday’s outage was initially blamed on a problem with new code, but Microsoft later said it was due to a server in Europe becoming overloaded with authentication requests.

After applying a fix, and switching the server on and off again, Microsoft finally said the problem was fixed at 21:30 GMT on November 19, but other users were still reporting problems the following morning with both the app and phone call verification system.


These outages could also cause longer-term security problems if they turn average users off using MFA, which can sometimes already be seen as a hassle. IT departments could be pressured into turning it off because of incidents like this, which could leave their companies vulnerable. “Selling MFA to users is tough,” says Billington. “[We] expect more pushback going forwards, but it can’t be negotiable really.”

Banham thinks attitudes are changing as people become more aware of privacy issues, and more big data leaks come to light. For companies, it’s about balancing risk with productivity - losing a day of work could cost money, but a massive data breach could cost much more.

So-called backdoor accounts, which are not secured with MFA, helped get some users back to work, but they present a security weak point that is always vulnerable. “Putting all your eggs in one basket is a risky decision,” says Banham, who suggests that firms use multiple different vendors for their software services to avoid situations like this. “You’re making yourself susceptible to a single point of failure.”

This article was originally published by WIRED UK