by deathanatos 1464 days ago
Those seem trivially correctable?

Seems to me the MFA app could, with the approve/deny prompt, display the application the request is for.

If you delay the request of the MFA until after the password has been verified, then even a single "unexpected" MFA would be an indicator of the password having been compromised.

… and if it's insecure, well … MS is using that flow.

1 comments

Simply displaying the application is insufficient; the spamming issue would remain as they would spam the most common app that asks for auth at random intervals. An actual fix would involve displaying a randomly generated sequence in the app and in the notification and training users to check, but there would still be plenty of people who would just say yes without thinking.

MS has that flow as an option and it can be disabled. In my job life I've already heard from regulators who want it off.

The actual fix is to move to WebAuthn where the user experience is excellent and the security is much stronger than any password flow could ever be no matter what stuff you pile on top.
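As an added illustration of the flow argued over in this thread (not code from either commenter, and not Microsoft's implementation): a small Python model of a push-MFA server that only sends a prompt after the password has been verified, shows the requesting application in the prompt, and requires the user to type a number displayed on the sign-in screen into the app. The class name, the two-digit code, the 60 s prompt lifetime, the cap of three outstanding prompts per user, and the event names are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical model of the push-MFA flow discussed above. Assumed design, not
# anyone's product code.

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class PushMfa:
    CHALLENGE_TTL = 60   # seconds a pending prompt stays valid (assumed)
    MAX_PENDING = 3      # cap on outstanding prompts per user, limits push spam (assumed)

    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.pending = {}    # challenge_id -> challenge record
        self.events = []     # security signals worth alerting on

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, app):
        """Step 1: verify the password. Only a correct password produces a push,
        so a prompt the user did not initiate means the password is in someone
        else's hands. Returns (challenge_id, number) or None."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, digest = rec
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            self.events.append(("password_failed", username))
            return None
        outstanding = [c for c in self.pending.values()
                       if c["user"] == username and not self._expired(c)]
        if len(outstanding) >= self.MAX_PENDING:
            self.events.append(("push_rate_limited", username))
            return None
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = {
            "user": username,
            "app": app,
            "number": secrets.randbelow(100),  # shown on the sign-in page only
            "created": time.time(),
        }
        return cid, self.pending[cid]["number"]

    def push_payload(self, cid):
        """What the phone app displays: the requesting application plus a
        field for the number. The number itself is never sent to the phone."""
        c = self.pending[cid]
        return {"app": c["app"], "user": c["user"],
                "prompt": "Enter the number shown on the sign-in screen"}

    def approve(self, cid, entered_number):
        """Step 2: the user types the number into the app. A tap-through on a
        prompt the user did not start fails here, because the attacker's
        sign-in page showed a different number."""
        c = self.pending.pop(cid, None)
        if c is None or self._expired(c):
            return False
        if entered_number != c["number"]:
            self.events.append(("number_mismatch", c["user"]))
            return False
        return True

    def deny(self, cid):
        """The password was already verified, so a denied prompt is itself a
        compromise indicator rather than noise."""
        c = self.pending.pop(cid, None)
        if c is not None:
            self.events.append(("password_compromised", c["user"]))

    def _expired(self, c):
        return time.time() - c["created"] > self.CHALLENGE_TTL


if __name__ == "__main__":
    m = PushMfa()
    m.register("alice", "correct horse")
    cid, number = m.login("alice", "correct horse", "mail")
    print("phone shows:", m.push_payload(cid), "| sign-in page shows:", number)
    print("approved with right number:", m.approve(cid, number))
```

The rate cap is what answers the reply's "they would spam the most common app" point: number matching alone stops a blind tap-through, but without a ceiling on outstanding prompts an attacker holding the password can still generate them indefinitely.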