by bilekas 1368 days ago
We implemented something that avoids the original article's 2FA notification.

After your password is approved before 2FA you get an email. So even if someone is somehow using the right 2FA you are aware.

Our thinking was the most likely outcome was someone would hit 2FA, not have the code and so close the request without even entering a bad code.

Apart from that though, it is always nice to get recognition for the stuff you put out there. I know I should do it more myself too.

2 comments

If you are going to send login notifications anyways this makes sense. Since the user will either want to know about the login or the failed 2FA. However if the user doesn't enable login notifications I think it makes sense to give a short timeout to wait and see if the authentication is successful. If the auth is successful you can skip the alert.
But email can be delayed for hours or days.
That's pretty rare in our scenario, also it still would apply to the original post?
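
The two policies discussed in this thread (mail as soon as the password is accepted, or hold the alert for a short timeout and skip it if 2FA succeeds) can be sketched as follows. This is an added example, not code from any commenter; the class, method names, and the 120-second grace period are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 120  # assumed value; the thread only says "a short timeout"


@dataclass
class LoginAlerter:
    grace: float = GRACE_SECONDS
    pending: dict = field(default_factory=dict)  # attempt_id -> (user, deadline)
    sent: list = field(default_factory=list)     # stand-in for the outgoing mail queue

    def password_accepted(self, attempt_id, user, notify_on_login, now):
        """Called after the password check passes, before the 2FA prompt."""
        if notify_on_login:
            # User opted in to login notifications: mail straight away.
            self.sent.append((user, "password accepted"))
        else:
            # Otherwise hold the alert and see whether 2FA completes.
            self.pending[attempt_id] = (user, now + self.grace)

    def second_factor_ok(self, attempt_id):
        """2FA succeeded: drop the held alert, if any."""
        self.pending.pop(attempt_id, None)

    def sweep(self, now):
        """Run periodically: alert on attempts whose 2FA never completed."""
        expired = [a for a, (_, deadline) in self.pending.items() if deadline <= now]
        for attempt_id in expired:
            user, _ = self.pending.pop(attempt_id)
            self.sent.append((user, "password accepted, 2FA not completed"))
        return len(expired)


def run_demo():
    """Constructed sample sequence; times are seconds on an injected clock."""
    alerter = LoginAlerter()
    alerter.password_accepted("a1", "alice", notify_on_login=True, now=0)
    alerter.password_accepted("b1", "bob", notify_on_login=False, now=0)
    alerter.password_accepted("c1", "carol", notify_on_login=False, now=10)
    alerter.second_factor_ok("b1")   # bob enters his code at t=30
    alerter.sweep(now=60)            # nothing has expired yet
    alerter.sweep(now=200)           # carol's prompt was abandoned
    return alerter.sent
```

The held alert covers the case raised at the top of the thread, where someone with the password reaches the 2FA prompt and closes it without ever submitting a code.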