Office 365, Azure users are locked out after a global multi-factor authentication outage

Good morning! Except if you’re a hosted Microsoft customer who’s locked out of your account right now.

Microsoft’s cloud-based multi-factor authentication services went down across the globe early Monday morning, preventing access to users who are required to sign in using a second layer of authentication to their account, such as a text message, a push notification on their phone, or a hardware key. You hit the password page, and then you’re stuck — no code, no notification, nothing.

“Affected users may be unable to sign in,” said a notice on Office 365’s service health page, confirming the outage.

More than half a day later, the service is still struggling.

At the time of writing, Microsoft said it has deployed a hotfix to get the service up and running again, but will “continue to monitor any updates” for the next couple of hours. “We’ve received reports that users may no longer receive alerts, so we’re analyzing diagnostic logs to understand why,” the company added.

So far, there’s no clear reason for the outage, and the company is still investigating. A spokesperson for Microsoft said that while some users “are now authenticating successfully, we’re working to address the delay some customers continue to experience using multi-factor authentication in some regions.”

It’s not been a great week for Microsoft’s multi-factor authentication. On Friday, TechCrunch reported that Voxox, a SMS gateway provider used by Microsoft and other companies to deliver two-factor codes by text message, exposed millions of text messages, thanks to an exposed server. But sources familiar with Microsoft’s ongoing effort to remediate its multi-factor authentication outage said the two are not linked.

Multi-factor authentication adds a significantly greater layer of protection on an email account than just a password. But, as a crucial mechanism for users to log in, it’s also a single point of failure if the system breaks.

A system so secure that even its users can’t log in. Who knew?