by aargh_aargh 13 days ago
I've seen this delay in action when logging in to an old dormant Google account. After I provided the correct password (and some other details I remember vaguely - probably no phone number set and some problem with using the TOTP I set up long ago), it sent an email to the linked primary email and waited for a day to give it a chance to abort before logging me in.

The delay is quite a bother but it's surely better than account takeover. What I mind about the process is probably the lack of transparency - what combination of factors (MFA pieces, location, inactive time, ...) launches which process? I get that transparency might help attackers here but they're the ones to have the persistence to figure out the rules anyway. Smells like security through obscurity to me.


I quite like that idea also. And I would not have thought it would be that difficult to implement in most systems these days.

Having 1 or 2 backup email accounts and/or an SMS sent to a registered mobile phone number seems to me to be relatively simple to implement.

Along with a built-in delay, the inconvenience of having to wait is way better than losing access to critical accounts.
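The delayed sign-in gate both comments describe (hold a risky sign-in, notify the backup contact, let them abort before access is granted), as an added Python sketch that is neither the commenters' code nor Google's implementation; the 24-hour hold, the `notify` callback, and the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed hold period before a risky sign-in is honoured (the post mentions a day).
RECOVERY_DELAY_SECONDS = 24 * 60 * 60

class DelayedSignInGate:
    """Holds a risky sign-in until the delay passes unless the backup contact aborts it."""

    def __init__(self, notify, clock=time.time):
        self.notify = notify  # callback notify(account, abort_token): e-mail or SMS sender
        self.clock = clock    # injectable so the hold period can be simulated
        self.pending = {}     # account -> {"at": float, "hash": str, "aborted": bool}

    def request(self, account):
        """Called after the password (and whatever MFA is available) checked out."""
        token = secrets.token_urlsafe(32)
        # Only a hash of the abort token is stored; the raw token goes out in the message.
        self.pending[account] = {
            "at": self.clock(),
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "aborted": False,
        }
        self.notify(account, token)
        return "pending"

    def abort(self, account, token):
        """Backup contact cancels the sign-in; the token is compared in constant time."""
        p = self.pending.get(account)
        if p is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, p["hash"]):
            return False
        p["aborted"] = True
        return True

    def status(self, account):
        """'none', 'pending', 'aborted', or 'granted' once the hold period has elapsed."""
        p = self.pending.get(account)
        if p is None:
            return "none"
        if p["aborted"]:
            return "aborted"
        if self.clock() - p["at"] < RECOVERY_DELAY_SECONDS:
            return "pending"
        return "granted"
```

The session is only issued when `status()` returns `"granted"`; an abort before then stays recorded so a later poll cannot turn it into a grant.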