The flaw in Microsoft's Active Directory Federation Services lets an attacker use the same second factor to bypass multi-factor authentication for any account running on the same service. Microsoft has patched the flaw.
Microsoft Edge now supports the Web Authentication API, allowing users to login to sites without needing a password.
Microsoft will do more than pay researchers bounties for finding and reporting vulnerabilities in Microsoft Account and Azure Active Directory in its Microsoft Identity Bounty Program. The company also wants vulnerabilities in select OpenID standards.
Recently, Microsoft patched a vulnerability that could be used in phishing attacks to direct users to malicious websites. The security update is available in March’s Patch Tuesday, which included two months of updates and 18 security bulletins - 9 of which were rated as critical.
Recently, phishing attacks against Gmail users, a major U.S. financial services provider, and Android app users have revealed unique ways to deliver malware and steal login credentials.