[adastra22]

It's not security theater. He explained above how this is used to defeat a specific phishing attack that they've actually seen in the wild. There are other, different threat vectors (e.g. compromise of the mail server) that it doesn't prevent. But that doesn't make it theater. as it does provide other value.

[dexterdog]

What does it stop? You already did a 2FA at this point. If an attacker has my 2FA he most likely already has my email so the 'value' being provided is at the cost of more complexity for the user. If this adds value then why not also do an SMS as well to be really, really sure that the user is legit? That would add even more value.

And again, I wasn't saying that you can't do all of this nonsense, but users who see it as nonsense should be able to turn it off.

[Jolter]

Again, see the post by MaxGabriel at https://news.ycombinator.com/item?id=42629109 where he explains how this measure actually defeated that particular pihishing/MITM attack.

The attack wasn't that the attacker has my second factor, the attack was that the attacker tricked me into verifying a single login/transaction using my two factors, on their behalf.

They probably judged that the inconvenience of the verification email affects few enough users that it is worth it. Most users don't switch IP addresses very often. And those that do, probably don't all clear their cookies after every session.

Adding SMS in addition to email would be obviously useless, as you point out.

[edaemon]

Why would the attacker having your Mercury TOTP mean they most likely have access to your email?

[dexterdog]

Because my TOTPs are all stored in the same device and in my imaginary scenario they have that.