I've been getting login attempt notifications from the Microsoft Authenticator app, and it's making me pretty paranoid. I always thought you need to enter a password before you're prompted for multi-factor authentication (MFA). But now it seems like if you log into Microsoft with just your email, it can prompt you through the app without asking for a password first. I do have to confirm it with a number shown in the app, but how is this not a step backwards for security? I'm not looking for tech support; I want to discuss whether this passwordless login method really improves cybersecurity or if this just raises new concerns.
4 Answers
I think a lot of users are confused by this. You might still be using MFA if there’s a PIN or face recognition involved, but it definitely feels weaker than the old method of using both a password and an app. Everyone needs to keep on top of their MFA settings to see what’s really going on with their accounts.
The thing is, the app itself still needs a PIN or biometric unlock to function. So while it seems like you’re skipping the password, you still have the app locked down. It’s just been flipped around in the process.
But isn’t it easier for scammers to trick people? They could call pretending to be tech support and use this system against users.
It seems like they might be pushing for a more user-friendly experience even if it's less secure than traditional MFA. Yes, passwordless setups can work, but they also leave room for things like MFA fatigue attacks, which is a pretty big concern.
Exactly! The idea of skipping the password makes things more convenient, but what if someone accidentally approves a malicious login request?
It’s really more about convenience rather than a huge security upgrade. Yes, needing to approve a number in the app is better than just getting random notifications without action, but MFA is still vulnerable to various attacks. Honestly, using passkeys would be a real step up in security; that’s what everyone should aim for.
I get what you mean. But when you think about how it used to be – username and password first, then MFA – now it feels like it’s just too easy for someone to break in if they only have access to the app.

Yeah, it seems like a headache! I started getting random notifications too. I’d prefer a solid password first and then a prompt.
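Two points come up repeatedly in the thread: number matching (the user has to type the number shown on the sign-in screen, so a blind "Approve" tap does nothing) and MFA fatigue, where an attacker floods a user with prompts hoping one gets approved. The following Python is an added example written for this discussion, not code from the thread or from Microsoft; it models a number-matching push challenge in a few lines and then runs a simple push-bombing detector over constructed sign-in log lines. The log format, the user names, the two-digit number, and the window and threshold values are all assumptions chosen for illustration.

```python
"""Added example (not from the thread): a minimal model of number-matching
push MFA plus a detector for push-bombing (MFA fatigue) in sign-in logs.
All log lines, user names, and thresholds are constructed for illustration."""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    user: str
    number: int          # number displayed on the sign-in screen
    approved: bool = False
    consumed: bool = False


def create_challenge(user: str) -> PushChallenge:
    # Number matching: the sign-in page shows a two-digit number and the app
    # asks the user to type it, so an unsolicited prompt cannot be approved
    # by tapping "Approve" alone. (Two digits is an assumption for the model.)
    return PushChallenge(user=user, number=secrets.randbelow(100))


def approve(challenge: PushChallenge, typed: Optional[int], app_unlocked: bool) -> bool:
    """Return True only when the app was unlocked (PIN/biometric), the user
    typed the number shown on the sign-in screen, and the challenge is fresh.
    A challenge is consumed on first use, so a wrong guess cannot be retried."""
    if challenge.consumed:
        return False
    challenge.consumed = True
    if not app_unlocked or typed is None or typed != challenge.number:
        return False
    challenge.approved = True
    return True


# Constructed sign-in log lines: "<epoch seconds> <user> <event>".
# alice receives five prompts in about a minute and finally approves one;
# bob receives a single prompt and approves it.
SAMPLE_LOG = """\
1700000000 alice push_sent
1700000010 alice push_denied
1700000020 alice push_sent
1700000030 alice push_denied
1700000040 alice push_sent
1700000050 alice push_sent
1700000060 alice push_sent
1700000070 alice push_approved
1700000100 bob push_sent
1700000110 bob push_approved
"""


def detect_push_bombing(log_text: str, window_s: int = 300, threshold: int = 4) -> Dict[str, int]:
    """Flag users who received at least `threshold` push prompts within any
    `window_s`-second sliding window. Returns {user: max prompts in a window}
    for flagged users only; the defaults are assumed values, not a standard."""
    sent = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, event = line.split()
        if event == "push_sent":
            sent[user].append(int(ts))
    flagged: Dict[str, int] = {}
    for user, times in sent.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_s.
            while t - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    c = create_challenge("alice")
    print("blind approve accepted:", approve(c, None, True))        # False
    c = create_challenge("alice")
    print("matched approve accepted:", approve(c, c.number, True))  # True
    print("flagged for push bombing:", detect_push_bombing(SAMPLE_LOG))
```

The detector is the part a defender would actually deploy: a burst of `push_sent` events for one account, especially with denials in between, is the signature of the fatigue attack described above, and it is worth alerting on whether or not a prompt was eventually approved.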