by spuz
1373 days ago
OWASP actually includes this suggestion in their guidance for implementing MFA: https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_A...

> When a user enters their password, but fails to authenticate using a second factor...:
> ...
> Notify the user of the failed login attempt, and encourage them to change their password if they don't recognize it.
> The notification should include the time, browser and geographic location of the login attempt.
> This should be displayed next time they login, and optionally emailed to them as well
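
A sketch of the behaviour the quoted guidance describes, added here as an example and not part of the comment or of OWASP's text. The class and field names are hypothetical, and `browser` and `location` are assumed to be strings already derived upstream (for instance from the User-Agent header and a GeoIP lookup).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class FailedMfaNotice:
    when: datetime
    browser: str
    location: str

    def render(self) -> str:
        return (
            f"Failed sign-in at {self.when:%Y-%m-%d %H:%M} UTC from {self.browser} "
            f"near {self.location}: the password was correct but the second factor "
            "failed. If this was not you, change your password."
        )


@dataclass
class MfaNotifier:
    send_email: bool = False                     # e-mail is optional in the guidance
    pending: dict = field(default_factory=dict)  # user -> notices for next login
    outbox: list = field(default_factory=list)   # stand-in for a real mail queue

    def record_attempt(self, user, password_ok, second_factor_ok,
                       browser, location, when=None):
        """Return True if the login succeeds; queue a notice when the
        password was right but the second factor failed."""
        if not password_ok:
            return False  # wrong password: not the case the guidance covers
        if second_factor_ok:
            return True
        # Correct password plus failed second factor suggests the password
        # is known to someone else, so the account owner is told.
        notice = FailedMfaNotice(when or datetime.now(timezone.utc), browser, location)
        self.pending.setdefault(user, []).append(notice)
        if self.send_email:
            self.outbox.append((user, notice.render()))
        return False

    def notices_for_login(self, user):
        """Hand over queued notices once, at the next successful login."""
        return [n.render() for n in self.pending.pop(user, [])]
```
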
I don't mind getting an e-mail as another form of 2fa, but that has its own issues.