Hacker News
by theluketaylor 1464 days ago
Simply displaying the application is insufficient; the spamming issue would remain as they would spam the most common app that asks for auth at random intervals. An actual fix would involve displaying a randomly generated sequence in the app and in the notification and training users to check, but there would still be plenty of people who would just say yes without thinking.

MS has that flow as an option and it can be disabled. In my job life I've already heard from regulators who want it off.

The actual fix is to move to WebAuthn where the user experience is excellent and the security is much stronger than any password flow could ever be no matter what stuff you pile on top.
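The random-sequence check described in the comment above, as an added example that is not part of the original post or any vendor's code: a server-side push challenge where the code appears only on the sign-in screen and the user must type it into the authenticator, so an unsolicited prompt cannot be approved with a single tap. Typing the code rather than comparing it visually is a variant chosen here; the class name, the TTL, and the one-attempt policy are assumptions.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60    # seconds a challenge stays valid (assumed value)
MAX_ATTEMPTS = 1      # one wrong code kills the challenge (assumed policy)


class PushChallenge:
    """One push approval request bound to a random code shown on the login page."""

    def __init__(self, user, app_name, now=None):
        self.user = user
        self.app_name = app_name
        # CSPRNG, two digits: a blind guess has at most a 1-in-100 chance.
        self.code = f"{secrets.randbelow(100):02d}"
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.state = "pending"   # pending -> approved | denied | expired

    def notification_text(self):
        # The push names the requesting app but never carries the code,
        # so the code can only come from the screen where sign-in started.
        return f"Sign-in to {self.app_name}: enter the number shown on your screen"

    def respond(self, entered_code, now=None):
        """Handle the authenticator app's reply; return the resulting state."""
        now = time.time() if now is None else now
        if self.state != "pending":
            return self.state                  # single use: no replays
        if now - self.created > CHALLENGE_TTL:
            self.state = "expired"
            return self.state
        self.attempts += 1
        # Constant-time comparison of the typed code against the issued one.
        if hmac.compare_digest(entered_code.encode(), self.code.encode()):
            self.state = "approved"
        elif self.attempts >= MAX_ATTEMPTS:
            self.state = "denied"              # a guess, or a prompt the user did not start
        return self.state
```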