Just got a 2FA prompt on my phone, asking me to select one of three numbers to log in.

Seeing how every other 2FA thing like this doesn’t send those prompts unless you have entered the correct password I got quite concerned.

However, it seems that is the first thing you get after correctly entering your email address, tried on a separate computer that I have never used my email on with a VPN to another country, and I instantly got the 2FA prompt without entering my password.

Imo it’s a very shit way to do it. I can see some pensioner or similar accidentally just clicking a number and then it’s 1 in 3 they get in (assuming they have 2FA to begin with, but still.).

Anyway, figured I’d post it just in case someone else got spooked the same way. I’d also like to know if someone thinks it is a good idea having it work this way and why?

  • Yeah2206@infosec.pub
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    I believe this is how Microsoft implements verification so that users do not have to remember their passwords. You can probably disable it in Security > Advanced security options > Send sign-in notifications.

    Personally, I find this very convenient, especially when logging into a new device/app/service for the first time. However, I imagine that if someone else is trying to get into my account online, it would be the first thing I disable, switching back to entering my password by default.

    • Endor@lemmy.worldOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Yeah thanks, I found that I could disable it by disabling the entire authenticator app (Still 2fa with other email/sms.), but there seems to be no way to have it so you need to enter a password for the prompt to appear though. And regarding convenience see the end of my other comment about steam. It’s doable without sacrificing significant security.