by olliej 725 days ago
Push/prompt gating security (or most things) is bad - a lesson we keep learning[1] for myriad UI issues.

One thing I would say, though, is that while it's technically bad that this person hit "approve" after being bombarded with notifications, limiting repeated authentication and exponential delay on sign-in attempts is one of the most basic security protections that any authentication mechanism or service should implement, and failing to do this is a pretty basic and fundamental failure on the part of that service.

[1] It was frustrating to me when I worked on browsers where people kept trying to add extremely privileged functionality to the browser and then claiming there were no security problems because you could prompt the user. But it happens everywhere; I think Raymond Chen had a post many years ago regarding how the Windows installer used to prompt people to replace files but would keep asking until people thought they were answering wrong, which then led to non-booting machines.
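
The protection the comment describes (limiting repeated push prompts, with exponential delay between them), as an added example that is not part of the original comment or any particular service's code. The class name, parameters and default values are assumptions; state is keyed on the target account so the limit holds no matter where the sign-in attempts come from.

```python
from dataclasses import dataclass, field


@dataclass
class _State:
    failures: int = 0          # consecutive prompts that were not approved
    next_allowed: float = 0.0  # earliest time another prompt may be sent


@dataclass
class PushPromptThrottle:
    base_delay: float = 30.0   # seconds of delay after the first unapproved prompt
    max_delay: float = 3600.0  # cap on the exponential backoff
    lockout_after: int = 6     # unapproved prompts before push approval is disabled
    _accounts: dict = field(default_factory=dict)

    def may_prompt(self, account, now):
        """Return (allowed, seconds_to_wait); a locked account gets (False, None)."""
        st = self._accounts.setdefault(account, _State())
        if st.failures >= self.lockout_after:
            return False, None  # fall back to another factor or a manual reset
        if now < st.next_allowed:
            return False, st.next_allowed - now
        return True, 0.0

    def record_result(self, account, approved, now):
        """Call once for every prompt that was actually sent to the device."""
        st = self._accounts.setdefault(account, _State())
        if approved:
            self._accounts[account] = _State()  # successful sign-in resets backoff
            return
        st.failures += 1
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay


def simulate(attempt_times, throttle=None, account="alice"):
    """Replay constructed sign-in attempts (none approved); return prompts sent."""
    if throttle is None:
        throttle = PushPromptThrottle()
    sent = 0
    for t in attempt_times:
        allowed, _ = throttle.may_prompt(account, t)
        if allowed:
            sent += 1
            throttle.record_result(account, approved=False, now=t)
    return sent
```
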