On a semi-related note, Microsoft security is genuinely terrible.
For the past week, my Microsoft authenticator has been pinging about sign-ins from random places. Except the login history page is completely empty. Not even my own sign-ins show up.
Now, you would be forgiven for thinking it's because my password leaked, but no. The default sign in flow with the app enabled is email + authenticator. No password required. In their eternal wisdom this option is not changeable in the app.
Microsoft really should realize that the only reason the account still exists is because they bought Minecraft and stop complicating my life.
> The default sign in flow with the app enabled is email + authenticator. No password required
Isn't this only if the browser has some cookie from a previous session or the IP didn't change?
Edit: just tried (new IP + private window in Firefox), you are right, I can enter email and select app notification.
I've been getting this too, authenticator prompts saying "logged in" and asking for confirmation, but no history whatsoever when I went to security to check.
It freaked me out the first time, I went through all the security settings I could find, but it was as if it never happened.
I just ignored it the second time, but it's a bit unsettling, because the default authenticator flow also has the chance of accidentally hitting the right number.
I also had this starting a few months back. I changed the email address (really, just an alias to the same mailbox as before) and the notifications stopped.
It is the same company that wants to stop SMS 2FA to force you to use their shitty authenticator app.
Microsoft also has this cool thing where if someone fails to get into your account too many times, your account can get locked and you are asked to reset your password. For a working password.
Even after changing my password, I couldn't log in to my email on my phone, so I just gave up. I only use that email for a handful of things anyway.