Let’s say your account is logged into from 1000 miles away, wouldn’t you want that account or device, whether it was you or an attacker, to prove itself?
In most cases, if you’ve logged in on a specific browser/device/account, unless you’ve cleared cookies, it doesn’t constantly ask for MFA. But in my example above, a new IP, new device, or app, it should absolutely go “whoa, wtf is this” and make you verify.
Oh you know your password? Fuck you. We’re sending an email to your second account and to verify that one we will text you.
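The step-up behaviour described in this thread, sketched as an added example that is not code from any poster or product: a remembered-device cookie skips MFA, while a new device, IP, app, or a login about 1000 miles from the last one forces verification. The key, field names, and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import math

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
MAX_KM = 1609.34                      # 1000 miles, the distance used in the post

def sign_device(user, device_id):
    """Cookie value issued after a successful MFA on this device."""
    mac = hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(), hashlib.sha256)
    return f"{device_id}.{mac.hexdigest()}"

def device_is_remembered(user, cookie):
    """True only if the cookie carries a MAC this server issued for this user."""
    if not cookie or "." not in cookie:
        return False
    device_id, _, mac = cookie.rpartition(".")
    expected = sign_device(user, device_id).rpartition(".")[2]
    # Constant-time comparison; bytes so a non-ASCII cookie cannot raise.
    return hmac.compare_digest(mac.encode(), expected.encode())

def km_between(a, b):
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def step_up_reasons(user, profile, login):
    """Reasons this login must pass MFA; an empty list means no prompt."""
    reasons = []
    if not device_is_remembered(user, login.get("device_cookie")):
        reasons.append("new_device")
    if login["ip"] not in profile["known_ips"]:
        reasons.append("new_ip")
    if login["app"] not in profile["known_apps"]:
        reasons.append("new_app")
    if km_between(profile["last_geo"], login["geo"]) >= MAX_KM:
        reasons.append("far_from_last_login")
    return reasons

if __name__ == "__main__":
    # Constructed sample: last login in New York, new attempt from Miami.
    profile = {"known_ips": {"203.0.113.7"}, "known_apps": {"web"},
               "last_geo": (40.71, -74.01)}
    attempt = {"ip": "198.51.100.9", "app": "web", "geo": (25.76, -80.19)}
    print(step_up_reasons("alice", profile, attempt))
```

Because the cookie is bound to the user with an HMAC, copying another account's cookie or guessing a device ID still lands in the `new_device` branch.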