Just got a 2FA prompt on my phone, asking me to select one of three numbers to log in.
Seeing how every other 2FA thing like this doesn’t send those prompts unless you have entered the correct password I got quite concerned.
However, it seems that is the first thing you get after correctly entering your email address, tried on a separate computer that I have never used my email on with a VPN to another country, and I instantly got the 2FA prompt without entering my password.
Imo it’s a very shit way to do it. I can see some pensioner or similar accidentally just clicking a number and then it’s 1 in 3 they get in (assuming they have 2FA to begin with, but still.).
Anyway, figured I’d post it just in case someone else got spooked the same way. I’d also like to know if someone thinks it is a good idea having it work this way and why?
Microsoft and Okta (that I know of) have implemented this number matching to deal with Push MFA fatigue, but also when certain risk factors make your login look riskier (i.e. impossible travel from an IP located so far away from your last login IP, you couldn’t have physically travelled to the new location in the time since the last login).
More info: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/advanced-microsoft-authenticator-security-features-are-now/ba-p/2365673
edited to share a better link