In today’s threat landscape, cybersecurity vulnerabilities can originate from a variety of places. An exploitable gap in one vendor’s technology can have serious, cascading repercussions across an entire organization, large or small. This reality is one of the reasons that Okta’s Research and Exploitation (REX) team constantly performs security reviews for all of our code bases, as well as for all of the technologies with which we integrate. Recently, during one such assessment, Okta REX Security Engineer Andrew Lee discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS). The vulnerability allowed potentially malicious actors to bypass Multi-Factor Authentication (MFA) safeguards, as long as they had full access to another user’s credentials on the same ADFS service. This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building. Simply put, if just one employee in.