6/ In 2018, Harris learned that the weakness was worse than he'd imagined. A colleague pointed out that multi-factor authentication, which is intended to prevent attacks, was useless in an SAML attack.
When the colleagues brought the new information to the MSRC, “it was a nonstarter,” Harris said.