Let’s say your account is logged into from 1000 miles away, wouldn’t you want that account or device, whether it was you or an attacker, to prove itself?
In most cases, if you’ve logged in on a specific browser/device/account, unless you’ve cleared cookies, it doesn’t constantly ask for MFA. but in my example above, a new IP, new device, or app, it should absolutely go “whoa, wtf is this” and make you verify.
Let’s say your account is logged into from 1000 miles away, wouldn’t you want that account or device, whether it was you or an attacker, to prove itself?
In most cases, if you’ve logged in on a specific browser/device/account, unless you’ve cleared cookies, it doesn’t constantly ask for MFA. but in my example above, a new IP, new device, or app, it should absolutely go “whoa, wtf is this” and make you verify.