by joezydeco 1022 days ago
I'm a little confused. Does the code get generated on any attempt to log in, or only those that have the password and MFA is activated? Or when someone attempts password recovery?

Because I'm a bit concerned if Microsoft passwords are leaking.

1 comments

When attempting to log in to your Microsoft account, instead of typing your password you can do an optional "one time password" generation thing from Microsoft. So instead of typing your password + 2FA - they email you a 6-digit "one time password" that you can use instead.

You can't disable this.

So all Microsoft accounts could have a daily 1 in 1 million chance of being overtaken.

Odds are low - but if you then spam this across thousands of attempts per day - they would statistically "get lucky" from time to time...

One would think Microsoft wouldn't be stupid enough to provide endless amounts of one time codes for a single account. I would guess they provide 5-10 codes before escalating the login.

That makes much more sense, thanks. I'm guilty of using this from time to time as well.