by semi-extrinsic
484 days ago
1. In my scenario it is your corp admin reusing a password across apps. See sibling comment on the SSO tax response. 2. Yes, I know how the MS 2FA flow works. But why doesn't it have you enter the number on the device first, and type the password second? Seems like it would give users a better way of knowing the login request is legit?
|
If I send the password, they need to hash then compare. Only then do they need to generate some form of random number, write it to some store, send a notification to the user's device, query the store from the user's device, likely again hash and compare, and send a notification to the endpoint signing in. To do that for millions / billions of users seems like it would be expensive compared to a hash + DB lookup.