Hello,
I was trying to figure out the way to submit to Steve directly, but couldn't figure it out on the GRC site.
Anyhow, hope he sees this.
I recently started to get Microsoft Authenticator MFA notifications for my Outlook account on my iOS app on my iPhone. After I got two notifications, I thought I had better change my password, so I did. After a week, I got a few more in one day... then I started to research a bit. I came across a reddit article that mentioned MS no longer requires you to input a password to send the MFA notice. Reading this, I was surprised, but then started to realize that I have seen this also this last half year, if not at least in the last few months, but at the time I thought it was cache or cookie memory that caused this... nope, after testing this from a co-worker's phone I have never ever used - we went to outlook.com and input my email address. It automatically sent the MFA notification WITHOUT needing the password anymore.
I feel as if this is NOT a good move with as much spam that goes out with texts/emails and phone calls... now they can spam MFA notifications out to users as long as they have your email.
I think having to enter the password BEFORE the MFA is sent is less convenient...but stops spam MFA messages going out to a person's phone from a malicious character.
Since then I have now turned off allowing notifications from the MS Auth App on my iPhone. I go into the app and refresh when I am logging in now to stop any notifications from false login attempts.
I do feel bad for those users/people who might not understand what is happening here and one day will accidentally click the right number that pops up in the MFA notification and let the bad actor into their account without needing their password.
Anyhow, just thought this was an odd decision on Microsoft's part.
To be fair, you do have to select a number out of 3 options on the pop-up (and you also have the "deny" option), but that is a 25% chance you accidentally pick the right one that will let the malicious person in, instead of ignoring it or selecting deny.
Thank you and maybe this post if not seen by Steve will be seen by others who it might help.
