What to Do With an Unexpected Two-factor Code
- added 26 Jun 2024
- ❌ Getting an unexpected authorization code on your phone or via email can be concerning. Let's see when it's a sign of a problem and what to do about it.
❌ Dealing with unexpected codes
Refusing unexpected two-factor authentication (TFA) requests is the right thing to do. An unexpected request may indicate that your password has been compromised, but not necessarily. If you're not sure, changing your password is always a safe thing to do.
Updates, related links, and more discussion: askleo.com/170446
🔔 Subscribe to the Ask Leo! CZcams channel for more tech videos & answers: go.askleo.com/ytsub
✅ Watch next ▶ Why ANY Two-Factor Is Better than No Two-Factor ▶ • Why ANY Two-Factor Is ...
Chapters
0:00 Unexpected Two-factor Code
1:10 True two-factor authentication
3:40 Not two-factor authentication
4:50 Might be two-factor authentication
7:00 Our passwordless future
❤️ My best articles: go.askleo.com/best
❤️ My Most Important Article: go.askleo.com/number1
More Ask Leo!
☑️ askleo.com to get your questions answered
☑️ newsletter.askleo.com to subscribe to the Confident Computing newsletter.
☑️ askleo.com/patron to help support Ask Leo!
☑️ askleo.com/all-the-different-... for even more!
#askleo #2factor #authorization - Science & Technology
✅ Watch next ▶ Why ANY Two-Factor Is Better than No Two-Factor ▶ czcams.com/video/2DNJqjGLHR8/video.html
As I wrote below, 2FA is terrible for me as I work on multiple Ancestry accounts and can't just log in with the user name and password like before. I absolutely hate it. I don't have a cell phone, but they are invading people's privacy by requiring the number.
I would add that one should always be cautious not to change their password on any device that they suspect may be compromised. Always go to a known safe device to change a password.
I had Microsoft Authenticator ask me to confirm the same thing last week. I hit deny also. Glad you did a video on this topic.
I'd be more apt to suspect that the TFA was a phishing scam and not click anything. And then change my password.
Great video, kudos! Hope to see one on "two-factor password fatigue" or "authorization/confirmation fatigue", as well. Most people do not know what to do if/when they receive a sequence of confirmation/authorization requests and end up clicking "authorize" just to get rid of the annoying message.
Just thinking: could it be a phishing message looking like a prompt for the 2FA approval, that by clicking on the reject they would download some malware or something?
All very well to say "change your password", but if you have been compromised your password may well have BEEN changed and you won't be able to do it. Then you go down the Micro$oft rabbit hole.
Then there’s this “reject” - or similar button - does it actually do what it implies?
Just because I’m paranoid doesn’t mean they are not out to get me.
It shouldn't have been changed if they can't log in because the 2FA failed. You'll know soon enough anyway when you try.
A couple of months ago I had to change my Amazon password after it became clear someone likely knew my password. It's now a crazy long ridunkulous string.
In my University 2 factor setup, I carry a physical fob, where I need to press a button to get a code (no notifications). My phone is too old to be compatible with the app :)
I always change my username instead of password whenever possible. I use random ones. If nobody has your username then they cannot even try to hack you.
Keep in mind that may disconnect your prior data associated with that username; you could then lose your data and be unable to retrieve it. Also some sites and apps don’t allow multiple accts per (real) name; they might take this as a violation of the TOS, and terminate all your accounts with them. Bye, bye, Facebook profile. 😢
Or your username is your email address based on the system. Then what?
@williamsquires3070 I do not create new accounts. I just change the username/login of my existing one. Not every place allows it. I have never had a problem with one that does.
@InterCity134 If they require the username to be an email address then there is nothing I can do. But some sites let you use whatever username you want.
I do this for my banking sites.
You should not use TOTP codes that are sent to a phone number, as SIM swap attacks are too easy and common. Rather, do TOTP via an offline local app.
Unless it's the only option. It's still better than no 2FA at all.
You get to choose among the options offered. Too many sites don't offer an option with an authenticator app.
Thanks, Leo. I have been reluctant to use a "password vault," since one hack would pay off big for the hackers. I will search for your lecture on vaults. "Long and Strong!" 😊
Thanks!
There's a bank where I live that asks for your customer ID number (which is always 10 digits, DOB + 4 randomly generated digits)
And it then asks for 3 random characters from the password and 3 random digits from the online/telephone banking PIN (and the password is not even case sensitive, but I suppose the random characters part would make it harder for someone to find out the whole password, but it also makes it difficult to use that site with a password manager)
And after that, if the system doesn't recognise the device, it will then text you a code (it's not as simple as having a box to tick to remember the device, you have to use that device frequently for it to trust it, and it may even use the IP address as part of the security checks it does to decide if it needs to make sure it's really you)
I have had my Microsoft account hacked. I don't remember if 2FA was on at the time but it sure is now. Afterwards, out of curiosity I went to see how many times people tried to access my account and there were attempts from 10-15 countries! I had no idea I had so many worldwide fans.🤣
I refuse to use mobile phones.
It is problematic, because I have lost access to several services because of it. For example, I can no longer access my internet provider account, or use pay pal.
Hi Leo, thanks for the tips. I have a question. Is connecting your phone to your car's head unit private, like CarPlay etc.? How should you delete your data when you sell your vehicle, and what happens if your vehicle is stolen with your data? Mine hasn't been stolen but what if?🇨🇦 Thanks
Microsoft is one of the chief idiots in these problems. They send you this useless "We received your request for a single-use code to use with your Microsoft account." message with no indication about WHY this code was sent.
So we don't know:
what service? (Is this account recovery or password recovery or account and password from a new device?)
What info was entered already (was the password checked?)
If the senders of these codes could at least provide some context to the code request then we the users could do a better job at addressing some of the issues.
But as Microsoft got slapped in the face about their poor security practices by a recent audit, I’m not sure we’ll see much movement on their part.
Fwiw I do NOT want to change my password just because, as it's a password I have to type in on a game controller on a console. I don't have the will to live to keep creating and entering long passwords there on a weekly or daily basis. If I knew my password was used to get the code generated THEN I'd change my password.
Easy: Someone probably guessed your password, so change it and move on. In that case, good thing you had that two-factor authentication set up, because otherwise you'd be screwed. As long as you didn't authorize their attempt! In that case you are screwed.
Nope. No password needed. I'm thinking you didn't watch the video?
I am depressed. Soon, we'll all be looking suspiciously at each other, robbing ourselves of the joy of life. Pardon the whine.
@kersi-sandiego6036 Yes, it does seem there is such a deterioration of so many things coming at us. For me, the trick is to balance hope and trust with vigilance and healthy skepticism. All the best. 😃 (Don D, La Mesa, CA)
The AI stuff is dreadful. It's increased emissions by 30% from Microsoft and they're still going ahead with it like it's going to transform society for the better. And again we've been using AI for years, AI is fine but it's this very specific generative language models that they've decided is now the future of everything.
And something else you reminded me of, if I enter my username and password and then get 2 factor, I put that in, and then I'm told my password was incorrect. I want to throw my computer out into the grass. Having it be the correct sequence of things is important. Or if I do a captcha and then I'm told the password is incorrect. EDIT: But Leo I have so many darn logins that I have to reuse passwords sometimes. I try to use family names and then some personal numbers followed by symbols (like the shift+number row symbols) but there's only so many I can remember and LastPass is pretty awful at not updating with the new password. I think CZcams has 4 entries with the same username and different password in LastPass. I might quit the program because of that. I tried to log into my local movie theater and I had 3 entries in LastPass and then my theater said I have to wait 15 minutes because I used too many wrong passwords.
1) You never NEED to use the same password in multiple places. 2) NEVER use personal information of any kind in a password. Look into passphrases. Use your own offline management; I can't fathom why anyone would EVER trust a cloud service.
@angelbear_og we're not all geniuses like you
Microsoft offers passwordless accounts. Some services are now starting to offer passkeys.
If Microsoft let you use an OTP authenticator of your choice, and gave some indication about what operation was being attempted that generated the request, then there is light at the end of the tunnel.
Pointless waffle. If it's not you signing into an account and you get this, change your password. Gave up watching 5 mins into this 10 min rant