Comment by _carbyau_
18 hours ago
> I should never be in a situation where there is an unexpected login I need to verify.
Isn't that kind of the point? If someone else is trying to log in somewhere with your credentials, your two factor will ping up?
Why would I want that? If it is not me, I am not going to allow the login. Making it a notification makes it more likely I could fat finger an approval.
I guess you can make the argument that you are then made aware of login attempts, but that feels more like something the host service should control.
> Why would I want that?
Because to get that far they entered your password? Which you might like to change?
You did mention: "You are a two factor app."
If they've got past your first factor, you might want to know.
I recently got an unsolicited OTP email from Microsoft, which led me to fear that someone had entered my password, but no: I eventually was able to confirm that the arrival of an OTP does not, in fact, require that someone enter anything beyond my email address. This is rather insane (I should not be having a blood pressure event due to Microsoft) but on the other hand I do understand the passwordless concept which is just a password-reset flow sans password-change. Perhaps a nice middle ground would be if the OTP email explicitly stated that my password was not entered.
Our Okta is set up so that it usually does the two-factor before asking for the password.
I would, but I don't need to know immediately. Plus you have the other vector of my phone sitting on a table and showing the notification to a person who can see it when they are trying to login as me.
I saw a new marketing strategy recently: Someone tried to sign into something with my email. I didn't have an account, so they took the excuse to send me an email asking me to create an account.
This has been going on since at least 2006.
Startups will "growth hack" by buying e-mail lists and feeding them into their password recovery tools.
A certain percentage of people will then follow the links and end up creating a new account on a service they had no interest in that now has their confirmed contact information, a new user, and a plausible reason to bombard them with marketing email.
I recently started getting emails from a company warning me that "I only had x days left to verify your account."
The account was supposedly registered for an organization whose name was somewhat similar to mine, so I thought somebody fat-fingered their coworker's email (the initial email was an invitation to create an account and join the org), but it might have very well been the tactic you described.
Huh, is that why my Google Authenticator app pops up randomly? I always figured it was a bug in the app or in Android.