Hacker News
by snupa 4048 days ago
* Once you create an application, you can set how you want your users to provide their identity. You can ask just for the email, email+digits, or just their phone number. However, when you deny a notification from your phone, the user is required to provide the second identifier (email requires the additional last 3 digits, phone number also requires the email, and email+digits requires the full number in addition).

* The system only allows a single login per user, so if you have initiated the request first, somebody else would have to wait for you to finish the request until they can initiate it. There are additional limitations happening in the background that prevent spammy logins from reaching the user's phone.

* We're still trying to improve our UX, so we might take that into consideration for future releases.
2 comments

* So if I deny the login attempt on my phone, an attacker who knows my phone number can still log in to my account? Email + phone number is not two factors, it's zero (neither is a secret).

* So what if the attacker started a login request a few milliseconds before I did? How can I differentiate between the attacker's login attempt and mine?

> The system only allows a single login per user, so if you have initiated the request first, somebody else would have to wait for you to finish the request until they can initiate it

Sounds like an easy DoS vector if the person knows your phone number as well.
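The two objections above (a race between the attacker's and the legitimate user's requests, and the lockout that follows from allowing only one pending login per user) are easy to reproduce in a toy model. The code below is an added example written for this thread, not the product's own code: it models the single-slot scheme the OP describes, shows the lockout a phone-number-only identifier enables, and then shows one assumed alternative (a per-attempt code the user must match, so concurrent attempts neither block each other nor look alike). The phone number, requester labels and the 60 s expiry are constructed for the demo.

```python
"""Toy model of the login flow described in the thread (added example, not
the product's code). The phone number, the requester labels and the 60 s
attempt timeout are assumptions made for the demonstration."""

import secrets

PHONE = "+1 555 0100"          # constructed sample identifier; it is not a secret


class SingleSlotLoginService:
    """The scheme the OP describes: one pending login per user. The first
    requester holds the slot until they finish or the attempt times out."""

    def __init__(self, timeout_s: float = 60.0):
        self.timeout_s = timeout_s
        self.pending = {}          # phone -> (requester, started_at)

    def initiate(self, phone: str, requester: str, now: float) -> str:
        held = self.pending.get(phone)
        if held is not None and now - held[1] < self.timeout_s:
            return "busy"          # somebody else got there first
        self.pending[phone] = (requester, now)
        return "push_sent"

    def finish(self, phone: str) -> None:
        self.pending.pop(phone, None)


def victim_locked_out(rounds: int = 3, timeout_s: float = 60.0) -> list:
    """An attacker who knows the phone number re-initiates the instant each
    attempt expires; the legitimate user arrives 1 ms later every time.
    Returns what the victim saw on each round: 'busy' throughout."""
    svc = SingleSlotLoginService(timeout_s)
    seen = []
    for i in range(rounds):
        t = i * timeout_s                      # previous attempt has just expired
        svc.initiate(PHONE, "attacker", t)
        seen.append(svc.initiate(PHONE, "victim", t + 0.001))
    return seen


class NumberMatchingLoginService:
    """Assumed alternative (not from the thread): every attempt gets its own id
    and a short code shown only on the requester's screen; approving on the
    phone means typing that code. Concurrent attempts no longer block each
    other, and the user can tell their own push from an attacker's."""

    def __init__(self):
        self.pending = {}          # attempt_id -> {"phone", "code", "requester"}

    def initiate(self, phone: str, requester: str):
        live = {a["code"] for a in self.pending.values() if a["phone"] == phone}
        code = f"{secrets.randbelow(100):02d}"
        while code in live:        # never show two pushes with the same number
            code = f"{secrets.randbelow(100):02d}"
        attempt_id = secrets.token_hex(8)
        self.pending[attempt_id] = {"phone": phone, "code": code, "requester": requester}
        return attempt_id, code    # the code goes to the requester's browser only

    def approve(self, attempt_id: str, typed_code: str) -> str:
        a = self.pending.pop(attempt_id, None)   # one shot, approved or not
        if a is None:
            return "unknown_attempt"
        if not secrets.compare_digest(a["code"], typed_code):
            return "code_mismatch"
        return f"session_for:{a['requester']}"


def concurrent_attempts() -> tuple:
    """Attacker and victim start at the same moment. The victim approves the
    push whose number matches their own screen; the attacker's push could only
    be approved by typing a code the victim never sees."""
    svc = NumberMatchingLoginService()
    atk_id, _atk_code = svc.initiate(PHONE, "attacker")
    vic_id, vic_code = svc.initiate(PHONE, "victim")       # not blocked
    own = svc.approve(vic_id, vic_code)
    wrong_push = svc.approve(atk_id, vic_code)
    return own, wrong_push


if __name__ == "__main__":
    print("single slot, victim sees:", victim_locked_out())
    print("number matching:", concurrent_attempts())
```

Running it prints `busy` for every round of the single-slot model, which is the DoS the last reply describes: the attacker needs nothing but the public phone number and a timer. The number-matching variant removes the per-user slot and gives the user a way to distinguish attempts, but it does not address the earlier point that email and phone number are both public; a second factor the attacker does not hold is still needed.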