Comment by hunter2_

17 hours ago

I recently got an unsolicited OTP email from Microsoft, which led me to fear that someone had entered my password, but no: I was eventually able to confirm that the arrival of an OTP does not, in fact, require that someone enter anything beyond my email address. This is rather insane (I should not be having a blood pressure event due to Microsoft), but on the other hand I do understand the passwordless concept, which is just a password-reset flow sans password change. Perhaps a nice middle ground would be if the OTP email explicitly stated that my password was not entered.

This also happened to me about a week ago and I had the same reaction/discovery process you did. OT but I wonder if there was a recent ramp up in these attacks. It was done against an email I do not regularly use that was attached to my account as an alternate and haveibeenpwned confirmed was in a data breach back in 2020.

Some providers (looking at you, Intuit) don't seem to understand TWO factor authentication and will allow someone to bypass your password if they can intercept the SMS or email, and treat it as a normal login.