by toomuchtodo 720 days ago
The problem is these are settings in an IdP, and if you do not have competent or resourced practitioners operating these systems (IAM/security engineer), you're going to get punched in the face because you didn't tune the right flag/setting and humans are the weakest link in the system. Number matching and auth throttling would've defeated this attack trivially.

Edit: Strongly encourage upgrading to passkeys as soon as an org can, Entra recently launched GA support a few months ago.

https://learn.microsoft.com/en-us/entra/identity/authenticat...

https://learn.microsoft.com/en-us/entra/identity/authenticat...

(I do security things at a fintech and own the IdPs, thoughts and opinions my own)


What are the right flags for using TOTP? I thought it's so standard now, it's basically fool-proof, as long as you set the number of digits and the timeout correctly, and the default 6 digits and 60 seconds are just fine.

Where's the catch?

If you do push auth, require that the user enter the number provided. Throttle auth attempts to something reasonable based on your user population. Lock out auth after X number of bad attempts and require escalation. Provide a way to report unapproved auth attempts received (which should get piped to your incident response and identity compromise playbook(s)). This should stop any brute force attack in its tracks.

For TOTP, I prefer 30-second TTLs for the OTP. A tight window makes it very difficult to phish if you must support a user using TOTP. If someone has challenges with this due to the short window, upgrade them to device-bound passkeys.
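The controls listed in the two replies above (number-matching push, throttling with lockout and escalation, a report channel for unapproved prompts, and a 30-second TOTP step with no skew) modelled as a small server-side verifier. This is an added example, not code from the thread or from Entra; the `MfaPolicy` class, its method names and the `ir_queue` hand-off are hypothetical, the TOTP secret is the RFC 6238 Appendix B test key, and the lockout thresholds are illustrative defaults rather than a recommendation for any particular user population.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example secret: the RFC 6238 Appendix B test key (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the variant common authenticator apps implement."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current time step (default 30 s)."""
    return hotp(secret, now // step, digits)


class MfaPolicy:
    """Hypothetical verifier: 30 s TOTP with no skew window and one use per step,
    consecutive-failure lockout that escalates to IR, number-matching push,
    and a user-facing 'this wasn't me' report that also locks the account."""

    def __init__(self, secret, *, step=30, digits=6, max_failures=5,
                 lockout_seconds=900, rng=None):
        self.secret, self.step, self.digits = secret, step, digits
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.rng = rng or (lambda: secrets.randbelow(100))  # two-digit match number
        self.failures = {}       # user -> consecutive bad attempts
        self.locked_until = {}   # user -> unix time the lockout expires
        self.last_counter = {}   # user -> last accepted TOTP step (replay protection)
        self.pending_push = {}   # challenge id -> (user, number, expiry)
        self.ir_queue = []       # events handed to the incident response playbook

    def _locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def _fail(self, user, now):
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.ir_queue.append({"event": "mfa_lockout", "user": user, "at": now})
            return "locked"
        return "denied"

    def verify_totp(self, user, code, now):
        if self._locked(user, now):
            return "locked"
        if not (isinstance(code, str) and code.isascii() and code.isdigit()
                and len(code) == self.digits):
            return self._fail(user, now)
        counter = now // self.step
        expected = hotp(self.secret, counter, self.digits)
        # Only the current step is accepted, and each step only once, so a code
        # relayed through a phishing proxy cannot be replayed inside the same window.
        if hmac.compare_digest(expected, code) and counter > self.last_counter.get(user, -1):
            self.last_counter[user] = counter
            self.failures[user] = 0
            return "ok"
        return self._fail(user, now)

    def start_push(self, user, now, ttl=60):
        """Number matching: the number is shown on the login screen, the push goes to the device."""
        if self._locked(user, now):
            return None
        challenge, number = secrets.token_hex(8), self.rng()
        self.pending_push[challenge] = (user, number, now + ttl)
        return challenge, number

    def complete_push(self, challenge, typed_number, now):
        """Called from the device; the challenge is single-use whatever the outcome."""
        entry = self.pending_push.pop(challenge, None)
        if entry is None:
            return "unknown"
        user, number, expiry = entry
        if now > expiry:
            return "expired"
        if typed_number == number:
            self.failures[user] = 0
            return "ok"
        return self._fail(user, now)

    def report_unapproved(self, challenge, now):
        """User reports a prompt they did not initiate: kill it, lock the account, page IR."""
        entry = self.pending_push.pop(challenge, None)
        if entry is None:
            return False
        user = entry[0]
        self.locked_until[user] = now + self.lockout_seconds
        self.ir_queue.append({"event": "unapproved_push_reported", "user": user, "at": now})
        return True
```

Two design points worth noting: rejecting a reused code for the current step turns "an attacker relayed the code within 30 seconds" from a silent success into a logged failure, and a mismatched number on a push counts as a bad attempt, so push bombing runs into the same lockout as TOTP guessing instead of being free to retry.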