
Comment by brendoelfrendo

3 days ago

Right, the numeric code is proof of intent. In theory, tapping "ok" or "yes, this is me" should be proof of intent. In reality, it's common for those who have compromised someone's password to flood people with these notifications and auth prompts to get them to eventually say "ok," even if by accident.

> it's common for those who have compromised someone's password to flood people with these notifications and auth prompts

And by excessive reauthing, legit platforms and apps are helping scammers by conditioning users to click "OK" or enter a passcode reflexively just to get on with their lives. Frequent reauth makes everyone less secure.

  • I don't disagree, and I appreciate your keeping the conversation on-topic, but that's very much an incomplete picture. I think our modern app ecosystem as a whole conditions users to click "OK" reflexively. A hypothetical app wants permissions for your camera, location, and file storage. If you click OK, you can use the app. If you don't, some functions may not work. I think the average user gets caught in the desire to use an app for its intended purpose and the need to tinker with settings - which they may or may not understand - if they want to use that app securely. So, they just say OK to everything.

    Of course, that's not the only situation with these push notifications. MFA fatigue attacks are a real thing, hammering the user with as many notifications as they can in a short time. Maybe the user assumes it's a bug, maybe they try to deny the push notification but eventually hit the wrong button, maybe they just want it to stop; it's not so much about exploiting user conditioning as it is assuming that if you force people into unfamiliar situations, some of them will eventually slip up.

Duo Mobile at least makes it two clicks (on Android at least). So a distracted user would be likely to swipe off the notification instead of tapping through and clicking "Yes, it is me" on the next screen.
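As an added defender-side illustration of the MFA fatigue pattern discussed in this thread (example code, not written by any commenter and not Duo's own code): a small detector run over constructed push-log lines that flags a burst of prompts to one user and an approval that follows earlier denials. The log format, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events; hypothetical log format, not from any real product.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice push_sent
2024-05-01T09:00:09Z alice push_denied
2024-05-01T09:00:15Z alice push_sent
2024-05-01T09:00:21Z alice push_denied
2024-05-01T09:00:27Z alice push_sent
2024-05-01T09:00:33Z alice push_sent
2024-05-01T09:00:40Z alice push_sent
2024-05-01T09:00:52Z alice push_approved
2024-05-01T09:05:00Z bob push_sent
2024-05-01T09:05:07Z bob push_approved
"""

def parse_log(text):
    """Parse '<iso8601> <user> <action>' lines into (timestamp, user, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action))
    return sorted(events)

def detect_push_fatigue(events, max_pushes=3, window=timedelta(minutes=2)):
    """Return {user: [reasons]} for users whose push history looks like a fatigue attack.
    Signal 1: more than `max_pushes` prompts sent to one user inside `window`.
    Signal 2: an approval within `window` of an earlier denial (user said no, then 'eventually said OK').
    """
    by_user = defaultdict(list)
    for ts, user, action in events:
        by_user[user].append((ts, action))
    alerts = defaultdict(list)
    for user, evs in by_user.items():
        sends = [ts for ts, action in evs if action == "push_sent"]
        for i, start in enumerate(sends):
            burst = sum(1 for t in sends[i:] if t - start <= window)
            if burst > max_pushes:
                alerts[user].append(f"{burst} pushes within {window}")
                break  # one burst alert per user is enough
        last_denial = None
        for ts, action in evs:
            if action == "push_denied":
                last_denial = ts
            elif action == "push_approved" and last_denial is not None and ts - last_denial <= window:
                alerts[user].append("approval shortly after a denial")
    return dict(alerts)
```

Calling `detect_push_fatigue(parse_log(SAMPLE_LOG))` flags alice on both signals and leaves bob, who approved a single prompt, unflagged.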