This is the second time I have gotten an authenticator prompt in the past 3 months unprompted.

After the first time, I reset my password on a mobile phone (the mobile phone is patched as far as I know), and logged in only via passkey on my local laptop (I did not enter the password anywhere else as far as I know).

The only data I have from Microsoft's activity page is Session activity: Request denied in app.

I have a lot of failed logins on my activity page, but all the other failed logins are Session activity: Incorrect password entered.

What is triggering this, and what methods should I take to limit exploitation? It seems that currently I'm one misclick away from losing access to my Microsoft account.

I have verified that I do not have passwordless login turned on, and do have two-step verification turned on.

I have just checked, and when using a private browsing session or a different computer (I had an out-of-state friend attempt logging in), Microsoft does not prompt for the password but instead only directly prompts for an Authenticator prompt. Is there a way to disable this?

1 Answer

> I have just checked, and when using a private browsing session, Microsoft does not prompt for the password but instead only directly prompts for an Authenticator prompt

Depending on your browser (and version), opening a page in Private mode still gives the page access to the cookies and local data from that page, created and saved during normal (non-private) mode. I.e. private mode is not a sandbox, it just makes sure all newly created cookies and data are lost when you close the tab.

So I'd first log out of that page manually in normal mode, and then open the same page in private mode (or better yet, in another browser profile).

Other than that, I'm not sure what we can do for you. "It seems that currently I'm one misclick away from losing access to my Microsoft account." <-- sums it up pretty well for me.

Btw, I would also talk to Microsoft support and tell them about the issue. Someone is obviously brute-forcing your account.

  • Thanks Mike, I'll reach out to support. For now I've added a login-only alias and removed the ability to log in via other means, but if they're doing token stealing that won't buy much. That said, if it happens again, I know I have resident token-stealing malware somewhere, which I'm not looking forward to haha. Commented Dec 2, 2024 at 2:07
  • Ok, talked with support, they cannot do anything, they think that the change to my alias may help. Talked with my local hacker club, and they think it's some type of token theft malware. That said, I just did a legitimate login and authenticator at least requires input of the mobile device password prior to approval of the login, so it's unlikely to accidentally happen. Still, this is awesome. :) Commented Dec 2, 2024 at 3:30
  • I poked an out-of-state friend and when he attempted to log in it went directly to a prompt. On the positive, it's probably not malware. On the negative, how do I shut it off the intended way? Commented Dec 3, 2024 at 3:16
