
Login to Microsoft account using a one-time code.

Anonymous
2024-03-07T05:54:55+00:00

As previously written, Microsoft users constantly receive emails with one-time codes for logging in, and in response, we have received information that this cannot be stopped in any way. However, let's look at this from the perspective of hackers and bot users: The chance of guessing a one-time code is extremely low, only 1/1000000, but this is enough for hackers. Imagine, a hundred bots making 100 attempts per day, resulting in 100,000 attempts per day, and a million attempts over ten days, among which there is a certain probability that one attempt will be successful. What if there are 1000 bots making many more attempts per day? How many unauthorized logins to accounts will there be in a month? I tried to find an option to disable login via a one-time code but couldn’t find one. My password, consisting of 128 random characters, stored in encrypted form and not kept in the browser, I consider a much more reliable method of entry than one-time codes of just six digits. It turns out that every day someone has a one in a million chance of entering my account without exerting any physical effort, they will just be notified of a successful login.

From Microsoft's side, it would be advisable to make the option of logging in with a one-time code optional, or to increase the length of the one-time code and include at least Latin characters in addition to numbers.

The current security system guarantees constant unauthorized logins; even though the chance for an individual account is not great, out of the multitude of millions of attempts, many will be successful. Microsoft - take action!



4 answers

  1. Rob Koch 25,875 Reputation points Volunteer Moderator
    2024-03-08T06:00:18+00:00

    Max,

    These issues at the moment are truly a 'numbers game', since the probability is actually quite low of hitting the correct match for any specific account, due to the differing random number generated for each that changes every 30 seconds, though I haven't done a deeper investigation to confirm the actual number of retries allowed for the Microsoft OTP, nor the other details mentioned in that thread, so I'm uncertain that it perfectly matches this situation.

    However, since the methods being used are now typically spread across a large number of accounts, bots, etc., it's possible that some tiny percentage might actually match.

    What I believe Microsoft is doing is targeting the future passwordless system using the passkeys developed by the FIDO Alliance, which, since it requires both Biometric/PIN along with an authenticator app, is likely the reason for the Outlook email-based authenticator I've heard they're testing as well. However, since this app would require being already logged in to the device, it's more likely that it will be the Windows Hello Biometrics, which are also FIDO 2 compliant and which Windows 11 requires, that will be used to resolve this issue.

    When I searched for the Microsoft OTP login, I kept getting documents that mentioned 2-Step verification, so if that's actually required, then there simply wouldn't be an issue. However, since I've never actually used the OTP as primary verification, I don't know the flow for these and thus the specific requirements. I did see a document that mentioned email verification could be used for either 2-Step or password change authorization though, so it does appear to be a potential risk.

    As one of the articles I read (possibly the first one I referenced) about fatigue attacks indicated, the option for additional OTP characters has the negative of being more difficult to use, so since this would also likely require broad acceptance and possibly changes to the OTP standards, I don't expect that to occur unless significant numbers of successful attacks are detected by multiple organizations. Though that might theoretically be possible, I haven't heard of any such known issues to date.

    Since most consumer accounts aren't under these sorts of attacks, and instead those that are most commonly appear to have been popular gaming accounts like Minecraft, the most common advice here is to recommend 2-Step authentication with the Microsoft Authenticator if possible as well.

    I've personally only seen a single person indicate they'd had a Microsoft account with 2-Step authentication compromised, which since that person had multiple accounts each using the others as verification, I suspect that one compromised account led to another, and so on, though confirming that would be difficult.

    Since any cross-account verification failure might lead to a cascade, I've personally enabled 2FA capabilities for every account used to verify both the Microsoft and Google accounts, as well as the wireless provider's account to avoid a potential smartphone takeover or cloning using the IMEI or other phone specific information contained in that account.

    From what I've seen in threads here about lost accounts, virtually none have 2-Step verification enabled, nor are they using the authenticator. All of them appear to be surprised that Microsoft can do nothing to help once an account has its primary email changed, while it appears common enough to me that you'd think it might receive more discussion in forums that support Minecraft.


    1 person found this answer helpful.
  2. Rob Koch 25,875 Reputation points Volunteer Moderator
    2024-03-07T19:56:19+00:00

    It's not actually the probability of the attacker guessing the OTP code that matters, since that's not really what they're hoping for; it's actually the much higher probability that someone being annoyed by these like you will eventually just decide to enter the current number into the screen, known as an MFA fatigue attack. These fatigue attacks have become popular the last few years as more and more people enabled 2-Step (2FA/MFA) authentication options in their various accounts, as the following article discusses.

    MFA Fatigue: What It Is and How to Avoid It | Built In

    Though it's basically not possible to prevent these entirely, Microsoft has been working to reduce them drastically using the tools available when using the Microsoft Authenticator smartphone app, as described in the next article.

    Microsoft Quietly Improved Authenticator Security to Thwart MFA Fatigue Attacks - Thurrott.com

    It's not clear from your post whether you're using the Microsoft Authenticator smartphone app for additional security, but I suspect from the MFA fatigue attack that you likely aren't.

    The reason I say this is that the OTP code sent via email or even text message to my smartphone, though possible since I have these options available in my Microsoft account, hasn't been used much if at all since I added the Authenticator app option over a year ago.

    I assume this is due to the fact that since I always use the Authenticator app when requested, the account login process is designed to request that first and only switch to another option if I request it, which since I'm also using 2-Step verification, means this option likely isn't provided unless I enter another option first like the password or the Windows Hello Face/PIN that's inherently part of my Microsoft Surface Go tablet's built-in authentication and typically logs in automatically, since the device is trusted as well. Only invoking a more critical app like the Microsoft account management will typically force an additional verification via the Authenticator app.

    I can't say exactly what scenario is causing your issues, but an online password is never a more secure option no matter the length, since there are simply too many ways this can be leaked or captured nowadays, so regardless of its length or complexity, it's simply not a truly secure method and Microsoft and all of the members of the FIDO2 Alliance know it, which is why they're moving quickly to try and remove their use altogether as soon as possible, though that'll likely take at least several years.

    Just as an aside, your evaluation of the probability for guessing the OTP code isn't completely accurate, but since I'm not well versed in this myself, I'll defer to the following thread and the post halfway down the page marked as the Answer, which explains why the constantly changing random number generators that create these codes makes guessing these much more difficult than it seems, and is why everyone is using them. It's also why the attackers are hoping for MFA fatigue instead, as those articles above described.

    cryptography - What is the formula to estimate how long it can take to guess an OTP? - Mathematics Stack Exchange

    < EDIT > FYI, I just accessed my Microsoft account without an initial authentication request at all, since I'm already logged into my trusted (recorded in the account) device via Windows Hello Face, which is inherently a 2-Step (2FA) authentication due to the device I have and the biometric Face image which I am. Only when I attempted to access the Security selection to reach the Advanced Security options did it prompt to first confirm my account name (email address) and then offered the dialog to use the authenticator to verify the request, with a selection to pick another option as well. When I clicked that, neither the email nor text verification methods were even offered, though Windows Hello Face, Fingerprint or PIN, the Authenticator and even the Password which I still haven't disabled were offered.

    I don't know all the possible iterations, but since there are so many other options available to me that are much more secure, I would guess that the authentication process won't offer those additional options until I've somehow exhausted the others, which since I'd typically never be without the smartphone unless it was lost or stolen, means it's not likely Microsoft makes these easily available to potential attackers either.

    I wish there was a clear and simple table online I could point to that explained this, but as Microsoft has improved these processes the last few years, the ability for attackers to access and annoy their users who are taking advantage of many of the security tools provided has clearly diminished. That second article discussing the authenticator workaround for MFA fatigue is only one small example of this.

    Since Windows 11 now requires at least one biometric device, camera or fingerprint reader, along with a TPM-stored PIN for backup, it won't be long until the October 2025 EoL for Windows 10 makes this an official requirement. Once that occurs, other than legacy support for older devices, that'll mean that registered devices with Windows Hello abilities will be the norm, leaving only the additional verification required for security changes to be performed by the authenticator, which, since they're trying to embed some of this ability into at least the Outlook app from what I understand, will likely mean that nearly everyone will have these available in at least their Windows devices by default and likely their phones via installing the Outlook for Android/iPhone app I also use for email on my phone.

    Rob


    1 person found this answer helpful.
  3. Don Varnau 19,785 Reputation points Volunteer Moderator
    2024-03-07T09:15:35+00:00

    As previously written, Microsoft users constantly receive emails with one-time codes for logging in, and in response, we have received information that this cannot be stopped in any way. However, let's look at this from the perspective of hackers and bot users:[snip]

    If you're trying to get this suggestion to Microsoft you should use the Feedback hub in Windows 10 or 11.

    Don


    1 person found this answer helpful.
  4. Anonymous
    2024-03-08T00:32:04+00:00

    Thank you for the detailed response, Rob!

    In this particular case with Microsoft accounts, attackers cannot rely on "MFA Fatigue" because the one-time code system does not allow a third party to approve login - the notification only transmits a one-time code and whatever I do with it (except for directly giving it to the attacker), these actions do not put the account at additional risk. That is, in this case, they can only count on random guessing.

    Regarding my incorrect estimation of probability, you are right. The likelihood of guessing at least once in a million independent attempts is not 100%; based on what I found, it's 63.2%, which still guarantees some amount of success for attackers given the large number of users currently not using the Microsoft Authenticator app. Yes, of course, an individual account cannot be quickly hacked due to the limited number of attempts in a time period, and it would take years to hack a particular account. But I am talking about the probability of hacking a random account that isn't using Microsoft Authenticator. After all, in relation to a multitude of accounts, an attacker has no temporal and quantitative limits, using a vast number of bots with dynamic IPs and alternating accounts after each attempt.

    At the moment, I am not using Microsoft Authenticator because my account does not contain any particularly valuable data, unlike, for example, Google, with which I use the authenticator app and do not use SMS authentication (which I consider to be the most vulnerable option).

    My indignation is limited to the mere fact of providing attackers with the possibility to attack weakly protected accounts, using not the naivety of their users, but an available tool for login. Simply using letters in addition to numbers would deprive attackers of any rationale to try their luck with a sheer number of attempts.

    Max

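The 63.2% figure in Max's reply, and the question's suggestion of longer or alphanumeric codes, can be checked with the simple independent-trials model below. This is an added example written for this page, not code from Microsoft or from any poster; the three code formats compared are constructed for illustration, and the model assumes every guess is independent with probability 1/(code space), which is the worst case for the defender since it ignores any throttling across accounts.

```python
import math


def code_space(alphabet_size: int, length: int) -> int:
    """Number of distinct codes an OTP format can take (10**6 for six digits)."""
    return alphabet_size ** length


def p_at_least_one(p_success: float, attempts: int) -> float:
    """P(at least one success) over independent guesses.

    When attempts == 1/p_success this tends to 1 - e**-1, about 0.632,
    which is the figure quoted in the thread rather than 100%."""
    return 1.0 - (1.0 - p_success) ** attempts


def expected_successes(p_success: float, attempts: int) -> float:
    """Expected number of compromised accounts when the guesses are spread
    one-per-account across a large population (per-account lockouts do not
    change this total; only the code space or a global throttle does)."""
    return p_success * attempts


def attempts_for_probability(p_success: float, target: float) -> int:
    """Smallest number of guesses giving at least `target` probability of one hit."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_success))


def compare_formats(total_guesses: int) -> dict:
    """Constructed comparison of the six-digit code discussed in the thread
    against a longer numeric code and a six-character alphanumeric one."""
    formats = {
        "6 digits": (10, 6),
        "8 digits": (10, 8),
        "6 alphanumeric (0-9, a-z)": (36, 6),
    }
    rows = {}
    for name, (alphabet, length) in formats.items():
        p = 1.0 / code_space(alphabet, length)
        rows[name] = {
            "space": code_space(alphabet, length),
            "p_any_success": p_at_least_one(p, total_guesses),
            "expected_compromises": expected_successes(p, total_guesses),
            "guesses_for_50pct": attempts_for_probability(p, 0.5),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare_formats(1_000_000).items():
        print(f"{name:26s} space={row['space']:>14,} "
              f"P(any)={row['p_any_success']:.4f} "
              f"E[compromises]={row['expected_compromises']:.5f} "
              f"guesses for 50%={row['guesses_for_50pct']:,}")
```

With one million guesses, the six-digit format yields roughly one expected compromise across the population while the six-character alphanumeric format yields well under one in a thousand, which is the quantitative version of the question's request.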