by tbrownaw 1464 days ago
> From an ideal user experience point of view, why not just pop up a dialog on your phone, wait 1 second (to prevent accidental taps), show "decline" or "approve" options, and that triggers the authentication to proceed?

Because it's insecure. Because you as a user don't know which login attempt the prompt is for. This is especially bad when combined with applications with persistent connections that occasionally decide they need to re-up their credentials. It allows for attacks where you just spam someone with login requests until they either misclick or just get fed up.


Those seem trivially correctable?

Seems to me the MFA app could, with the approve/deny prompt, display the application the request is for.

If you delay the request of the MFA until after the password has been verified, then even a single "unexpected" MFA would be an indicator of the password having been compromised.

… and if it's insecure, well … MS is using that flow.

Simply displaying the application is insufficient; the spamming issue would remain, as they would spam the most common app that asks for auth at random intervals. An actual fix would involve displaying a randomly generated sequence in the app and in the notification and training users to check, but there would still be plenty of people who would just say yes without thinking.

MS has that flow as an option and it can be disabled. In my job life I've already heard from regulators who want it off.

The actual fix is to move to webauthn where the user experience is excellent and the security is much stronger than any password flow could ever be no matter what stuff you pile on top.
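The number-matching fix described in the comment above, together with the earlier point about sending the push only after the password has been verified, as an added example that is not code from this thread or from any vendor's product: a small Python model of a push-MFA server that implements both the bare approve/deny flow and number matching, so the prompt-spam attack can be played against each. Every name here (PushMfaServer, approve_bare, approve_with_number, the PASSWORDS table, the demo scenario) is hypothetical and constructed for illustration; a real deployment stores password hashes, not plaintext, and also rate-limits pushes per account.

```python
import hmac
import secrets
import time

# Constructed demo credential store (illustration only; real systems store hashes).
PASSWORDS = {"alice": "correct horse battery staple"}


class PushMfaServer:
    """Server side of a push second factor (hypothetical model, not a vendor API)."""

    MAX_MISMATCHES = 3  # wrong numbers allowed before the attempt is discarded

    def __init__(self, attempt_ttl=60):
        self.attempt_ttl = attempt_ttl
        self.pending = {}     # attempt_id -> attempt record
        self.approved = set()

    @staticmethod
    def _password_ok(user, password):
        if user not in PASSWORDS:
            return False
        return hmac.compare_digest(PASSWORDS[user].encode(), password.encode())

    def start_login(self, user, password, app, now=None):
        """Verify the password first; a push is only sent once it is correct,
        so an unexpected prompt means the password is already compromised."""
        now = time.time() if now is None else now
        if not self._password_ok(user, password):
            return None
        attempt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # two-digit challenge shown on the login screen
        self.pending[attempt_id] = {"user": user, "app": app, "number": number,
                                    "created": now, "mismatches": 0}
        # The notification carries app + attempt_id; the login screen shows `number`.
        return {"attempt_id": attempt_id, "app": app, "number": number}

    def _live(self, attempt_id, user, now):
        rec = self.pending.get(attempt_id)
        if rec is None or rec["user"] != user:
            return None
        if now - rec["created"] > self.attempt_ttl:
            del self.pending[attempt_id]  # stale prompts must not be approvable later
            return None
        return rec

    def approve_bare(self, attempt_id, user, now=None):
        """Weak flow: approve/deny with nothing to compare. Any tap completes
        whichever attempt the prompt belongs to, an attacker's included."""
        now = time.time() if now is None else now
        if self._live(attempt_id, user, now) is None:
            return False
        del self.pending[attempt_id]
        self.approved.add(attempt_id)
        return True

    def approve_with_number(self, attempt_id, user, entered, now=None):
        """Number matching: the phone must return the number shown on the login
        screen. A prompt the user did not trigger shows them no number, so a
        reflexive tap cannot complete it; repeated wrong guesses kill the attempt."""
        now = time.time() if now is None else now
        rec = self._live(attempt_id, user, now)
        if rec is None:
            return False
        if not hmac.compare_digest(f"{rec['number']:02d}", f"{int(entered):02d}"):
            rec["mismatches"] += 1
            if rec["mismatches"] >= self.MAX_MISMATCHES:
                del self.pending[attempt_id]
            return False
        del self.pending[attempt_id]
        self.approved.add(attempt_id)
        return True


def demo():
    """Play the prompt-spam attack against both flows (constructed scenario)."""
    srv = PushMfaServer()
    t = 1_000_000.0
    # Wrong password: no push at all, so there is nothing to spam the user with.
    assert srv.start_login("alice", "wrong", "mail", now=t) is None
    # Attacker who knows the password fires a push; the victim taps approve.
    attacker = srv.start_login("alice", PASSWORDS["alice"], "mail", now=t)
    bare = srv.approve_bare(attacker["attempt_id"], "alice", now=t + 5)
    # Same attack with number matching: the victim never saw a number, so they
    # type something arbitrary; only the attacker's own screen shows the right one.
    attacker2 = srv.start_login("alice", PASSWORDS["alice"], "mail", now=t)
    guess = (attacker2["number"] + 1) % 100
    matched = srv.approve_with_number(attacker2["attempt_id"], "alice", guess, now=t + 5)
    # Legitimate login: the user reads the number from their own screen.
    legit = srv.start_login("alice", PASSWORDS["alice"], "mail", now=t)
    ok = srv.approve_with_number(legit["attempt_id"], "alice", legit["number"], now=t + 5)
    return {"bare_attack_approved": bare, "number_attack_approved": matched,
            "legit_approved": ok}


if __name__ == "__main__":
    print(demo())
```

The bare flow approves the attacker's attempt the moment the victim taps, which is exactly the misclick-or-fatigue outcome described above; number matching fails closed because the approval is bound to a value only the party at the login screen can see, and the mismatch counter stops an attacker from simply walking through all hundred values.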