[0cf8612b2e1e]

Why would I want that? If it is not me, I am not going to allow the login. Making it a notification makes it more likely I could fat finger an approval.

I guess you can make the argument that you are then made aware of login attempts, but that feels more like something the host service should control.

[_carbyau_]

> Why would I want that?

Because to get that far they entered your password? Which you might like to change?

You did mention: "You are a two factor app."

If they've got past your first factor, you might want to know.

[hunter2_]

I recently got an unsolicited OTP email from Microsoft, which led me to fear that someone had entered my password, but no: I eventually was able to confirm that the arrival of an OTP does not, in fact, require that someone enter anything beyond my email address. This is rather insane (I should not be having a blood pressure event due to Microsoft) but on the other hand I do understand the passwordless concept which is just a password-reset flow sans password-change. Perhaps a nice middle ground would be if the OTP email explicitly stated that my password was not entered.

[xocnad]

This also happened to me about a week ago and I had the same reaction/discovery process you did. OT but I wonder if there was a recent ramp up in these attacks. It was done against an email I do not regularly use that was attached to my account as an alternate and haveibeenpwned confirmed was in a data breach back in 2020.

[hunter2_]

I had been thinking someone with a similar address made a typo. But now I'm thinking Microsoft already considers this a known incident depending on whether a bazillion attempts were made in a detectable manner. I hope a successful launch at least demands a botnet and random delays/backoff.

[projektfu]

Some providers (looking at you, Intuit) don't seem to understand TWO factor authentication and will allow someone to bypass your password if they can intercept the SMS or email, and treat it as a normal login.

[hunter2_]

I can imagine an evolution like:

1. Introduce passwords

2. Introduce email-based reset flow

3. Introduce 2FA (optional)

4. Someone says "take the password reset flow, trigger it automatically when a user tries to log in and has only given their email, hide the password field during login, and after the email is validated drop the user back to their previous journey instead of having them set a new password"

5. You see #4 as #3 failing, but when #3 was never applied it's not quite that. Aside: making #3 mandatory would be smart.

[projektfu]

It's Intuit's normal login flow. Enter username and it then says enter password or click here and we'll text/e-mail you a code. Ironically, if you use a password it will often text you a 2FA code.

[Tagbert]

Our Okta is setup so that it usually does the two-factor before asking for password.

[dexterdog]

I would, but I don't need to know immediately. Plus you have the other vector of my phone sitting on a table and showing the notification to a person who can see it when they are trying to login as me.

[hunter2_]

I find it to be a poor default that sensitive data is shown on the lock screen. I change that setting as a first order of business whenever I'm setting up a new phone.

[dexterdog]

SMS should not be considered sensitive data since it can be read by entities between you and the source.

[hunter2_]

If someone texts me something that's not interesting to those MITMs but is sensitive to mom catching a glance while my phone is on the table, that's a problem this toggle creates/destroys. Threat models vary.