I am getting many requests per day for authenticator app that I am not making

Question

I am getting many requests per day for authenticator app that I am not making

Jason Horath 25

Someone is accessing or attempting to access my authenticator by way of mass requests. What can i do? Just since last weekend I have gotten at least 12-20 requests per day that i did not request myself.

MH 5 Reputation points

2026-03-25T09:07:18.3866667+00:00

Writing here because this seems to be the only discussion thread where this topic is addressed by actual humans and not the useless AI slop answers. My question is, can I see somewhere the origin of these requests? Like from what website?
Frans 0 Reputation points

2026-04-04T21:23:07.85+00:00

I received dozens of approval requests through my authenticator app. The solution turned out to be super simple: I stopped using my Hotmail login address as the primary and instead set an unused alias e-mail as the primary email address. Since then, I haven’t received a single approval request. More info here: https://www.outlook-tips.net/tips/keeping-hackers-microsoft-accounts/

Answer accepted by question author

3 additional answers

Your answer

MH 5 Reputation points

2026-03-25T09:07:18.3866667+00:00

Writing here because this seems to be the only discussion thread where this topic is addressed by actual humans and not the useless AI slop answers. My question is, can I see somewhere the origin of these requests? Like from what website?
Frans 0 Reputation points

2026-04-04T21:23:07.85+00:00

I received dozens of approval requests through my authenticator app. The solution turned out to be super simple: I stopped using my Hotmail login address as the primary and instead set an unused alias e-mail as the primary email address. Since then, I haven’t received a single approval request. More info here: https://www.outlook-tips.net/tips/keeping-hackers-microsoft-accounts/

Answer 1

If these are a Microsoft Personal account receiving the MFA Fatigue attack requests, then this is something we've been seeing as a growing issue here in the forums, with reports of similar attacks nearly every day from all over the world.

Since Windows 11 typically includes Windows Hello Face (camera), Fingerprint or PIN and an associated Passkey, the only way really left to try and bypass this local, closed authentication security is via an external method such as the authenticator. So, it's no surprise that these authenticator MFA fatigue attacks have grown in number.

With the passwordless authentication option available, it's no longer actually required that a person attempting to recover their account know both username and password to generate such requests to the authenticator, so this is likely someone simply using a bot to continually aggravate an individual into giving up in disgust by allowing the request even if they should know better.

Unfortunately, if that's what these repeated requests actually are, there's only one known method to avoid them at present using a 'Security by Obscurity' option by changing the account's email alias used to login, effectively making the original email account name useless except to continue to receive and send email to others. It's by obscurity, because you only use the new alias to login and otherwise keep it secret, never using it for email so it doesn't 'leak' and begin to receive its own set of fatigue attacks.

The basic set of steps is to create a new (or if one already exists, use an alternate) email alias, set that new email alias as 'Primary', then in Sign-in preferences, uncheck the original email alias that's currently receiving the MFA Push fatigue attack notifications, so it can no longer be used for login or other account change requests.

Do NOT remove the original email address, since you'll want to keep it for email use with others, while as already mentioned above, you should never use the new alias for that purpose, so it doesn't get 'seen' in public and potentially exposed for the same sort of MFA fatigue abuse.

Here's the official Microsoft document for managing your account alias and on that same page, you'll see the Change sign-in preferences selection near the bottom where those are done.

Add or remove an email alias in Outlook.com - Microsoft Support

Obviously, you must always remember the 'new' alias to login in the future, since you can no longer use the original email address for that purpose (just like the MFA attackers), though if you don't remove it, you might be able to use your phone number in its place if you don't uncheck that. However, if the MFA attacks seem to continue even after changing the original email alias, it's worth unchecking the phone number to confirm that's not what the attackers were actually abusing.

Rob

Answer 2

Charlie Berman 10

I, too, recieve upwards of 20 approval requests per day. Even after disabling "Passwordless Authentication", I'm still able to sign into my account with just my email + approving the sign-in request through Microsoft Authenticator. Having set up 2Factor Authentication and disabling Passwordless Authentication should REQUIRE the password and THEN send an approval request - unfortunately whoever is managing this service at Microsoft has not made it work this way. This is a huge issue that potentially affects literal millions of accounts. MFA Fatigue is a very serious attack vector.

I would also like to note that the rogue, ignored or denied, authenticator requests DO NOT show up on the Recent Activity page. This is also a huge issue that Microsoft hopefully addresses.

Until Micrsoft can do something to resolve this, I can offer you a working solution that I've found:
Ditch Microsoft Authenticator. Use something like Google Authenticator (get that set up before proceeding). And then...

After logging into your account do the following:

Reset your password with a secure, previously-unused, and unique password.
Remove the Microsoft Authenticator from. your account
Select "Add Another Way To Sign In"
Select "Use An App"
Select "Set Up A Different Authenticator App"
Add your Google (If that's what you chose) authenticator

Another option, that may help if you insist on using the Microsoft Authenticator, is to DISABLE notifications on your device for Microsoft Authenticator, and ONLY enable notifications when you intend to sign in.

Microsoft: Please fix this HUGE security issue.

Rob Koch 25,875 Reputation points Volunteer Moderator

2026-02-04T20:38:28.56+00:00

Charlie Berman,

See my post marked as the answer by the OP above, it provides a relatively simple way to work around this issue without having to drop the Microsoft Authenticator, which is actually itself far more secure than any 3rd-party authenticator using TOTP codes, since it's easy to trick you into giving up those codes via phishing. Just ask the many gamers who've had that happen.

The reason Microsoft can't require the password before the push notifications are sent is because there are passwordless accounts using primarily authenticator, so of course this requirement is impossible. Though re-enabling your password seems to be a solution, if Microsoft were to do as you prefer, anyone not knowing their password would end up losing access to their account entirely, simply because they don't have that one single piece of information, so the solution obviously doesn't work.

And the account activity log only logs successful logins, which these obviously aren't, but the issue itself was actually created by a combination of these items that apparently no one at Microsoft saw coming, which at this point seems just as obviously a failure to identify a logical trap.

Personally, I'd recommend that most with this problem switch to Windows Hello Face, Fingerprint or PIN on their devices if at all possible and drop the Microsoft or any other authenticator entirely, using passkeys in their place for 3rd-party websites, which nearly all of the handful of sites I've got TOTP codes for in authenticator already support as well.

Microsoft has made it clear they're moving to passkeys and Windows Hello for years now, so authenticator was a workaround that businesses may still need, but the Azure management of this issue is inherently tighter, while for Microsoft Personal account users, the authenticator is virtually always too difficult for many individuals to properly support anyway.

As Windows 11, which requires at least Windows Hello PIN and passkey support inherently become the most common devices, this issue will disappear with it, so your solution is short-sighted and only adds extra work for users that's not required.

Rob

Answer 3

I was having the same issue but I watched a great video on how to prevent this. Basically follow these steps:

Go to your Microsoft Account. https://account.microsoft.com
Click on "Manage how I sign in".
From the list, remove the "Send sign-in notification" option.
Click on "Add another way to sign in to your account".
Select "set up a different Authenticator app".
Scan the QR code with Google Authenticator (or a similar app, but not Microsoft Authenticator)
Type the code for verification and click Next.

And here's the video: https://www.youtube.com/watch?v=DWQs28FgdCY

Answer 4

Marcin Policht 87,815 MVP Volunteer Moderator

What you are experiencing is almost certainly MFA push-bombing (also called MFA fatigue). An attacker already has your correct username and password and is repeatedly triggering login attempts, hoping you’ll eventually approve a request by mistake. This does not usually mean your phone or authenticator app is compromised, but it does mean your credentials are.

The most important step is to immediately change the password on the account associated with those authenticator requests. Use a long, unique password that you have never used anywhere else. If that same password was reused on other sites, change it there as well. Until this is resolved, do not approve any authenticator requests you did not personally initiate, even once. If the app or service offers an option like “this wasn’t me,” use it every time.

Next, review the account’s sign-in or security logs. Look for unfamiliar devices, locations, IP addresses, or successful logins you don’t recognize. If the service allows it, force a sign-out of all active sessions. This ensures anyone who may have gotten in is kicked out.

If the platform allows it, move away from simple push-approval MFA. Push-only MFA is vulnerable to this exact attack. More secure options include time-based one-time codes, number matching for push requests, or ideally a hardware security key. Revoke your current MFA enrollment and re-enroll it after changing your password so that any existing authentication sessions are invalidated.

You should also secure the email account tied to this login, since email is often the real target. Change that password, ensure it has strong MFA enabled, and review its login history as well. Many account takeovers succeed because email security was weaker than the primary account.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Ęrįk Ôbęrçt 5 Reputation points

2026-02-01T19:09:23.1133333+00:00

This post is helpful, but the requests do not specify what platform is being hacked. I receive multiple push requests per day that I deny, but if I knew where they were accessing the request, I could go change the password.
Marcin Policht 87,815 Reputation points MVP Volunteer Moderator

2026-02-01T19:27:17.3566667+00:00

With Microsoft Authenticator, repeated generic push requests typically come from one of three places: a Microsoft Entra ID tenant you’re attached to, a Microsoft account using passwordless sign-in, or a stale or legacy app registration that doesn’t surface its name in the push prompt. The attacker is repeatedly attempting to sign in with your username and password, which triggers the push.

The key limitation is that Microsoft Authenticator cannot show you which tenant or application initiated a generic push. That information exists only in Microsoft Entra ID sign-in logs. From the phone alone, there is no way to identify the source of the request.

The fastest way to stop the pushes without guessing is to temporarily remove Microsoft Authenticator as a sign-in method on your Microsoft account. This immediately prevents any push-based challenges. Before removing it, ensure that this will not lock you out of the target service protected by MFA. After removing it, change your Microsoft account password, review recent sign-in activity, and then re-add Microsoft Authenticator. Make sure number matching is enabled when you re-enroll. Re-enrollment invalidates any prior MFA or passwordless sessions that the attacker may be abusing.

If the pushes continue after re-enrolling your Microsoft account, the source is almost certainly a work or school account backed by Microsoft Entra ID. For each work or school account you still have access to, go to the Security info page and remove then re-add Microsoft Authenticator. Old tenants you no longer actively use are a very common source of persistent push spam. When the authenticator is removed from the offending tenant, the requests stop immediately.

You can also tap into the account inside Microsoft Authenticator and view recent sign-in activity if that link is available. It may show failed attempts and approximate locations, but it typically will not identify the app or tenant that generated the request, which is expected behavior.

If this is a corporate-managed account, your IT or security team should be able to identify the source by reviewing Microsoft Entra ID sign-in logs for repeated MFA challenges. They can also enforce number matching, restrict push frequency, or block abusive sign-in patterns.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Richard Molnar 0 Reputation points

2026-02-01T20:05:50.5+00:00

I have a very similar issue. Daily push notification requests trying to authenticate via Authenticator app : i only see what email (my main email), and country of origin.

Country of origin is always in Germany , i am based in Czechia. I use password manager everywhere, but as a precaution, i have changed my MS password and used "log out everywhere".

I have following enabled in my MS acc : password, code by email, code by SMS, and push-notification. Something is really broken here : it says i have last used the push notification method on x.x.2023. Other login methods also show last used 2021/2023. I use my MS account regularly, so this doesn't make sense.

Another very strange thing : when i check my login activity at account.live.com/Activity, i see no mention of failed attempts from Germany.

Summary : somebody is trying to access "something" via my MS account via authenticator app. There is nothing i can do to get this to stop. I don't see any of these incidents in my MS account. MS account somehow thinks i don't even access my MS account.
Rob Koch 25,875 Reputation points Volunteer Moderator

2026-02-01T21:25:45.0666667+00:00

Richard Molnar,

The Date added is usually when that particular item such as SMS was set up, but the Last used date is typically the last time you made a significant change, such as getting a new phone which requires backing up and restoring the Microsoft Authenticator or possibly changing the phone number or at least performing a verification of the new device.

In my case, the Send sign-in notification Last used date coincides with getting my current phone, while the Date added was likely when I first set up the authenticator back in 2018.

The SMS Date added was back in 2011, but the Last Used date was in 2023, so probably some sort of manual verification I did at that time which was important enough to record, since I really haven't used that method at all since adding the authenticator and getting the Microsoft Surface Go tablet in 2019 that came with Windows Hello Face (camera) and PIN, meaning that using the much less secure SMS Text method was deprioritized and dropped from regular use by the Microsoft account servers.

Rob
Jason Horath 25 Reputation points

2026-02-01T22:19:48.0233333+00:00

I've done all of this as well as changed the email that is primary for the account. All is well for now. Login history shows nothing. So I am hoping it is a rogue application or device requesting access from a related account.
Richard Molnar 0 Reputation points

2026-02-02T15:46:10.2233333+00:00

Thank you Rob for reply, your answer regarding the "Date added"/"Last used" makes sense, but this means the wording on the MS page is extremely confusing. With stuff regarding security, wording should be 100% clear, which this fails.

My issue with rogue Authenticator notifications still persists.
Rob Koch 25,875 Reputation points Volunteer Moderator

2026-02-02T18:27:51.8433333+00:00

Richard,

Did you see my other post which the Jason has accepted as the Answer to his thread, where I explained why these MFA fatigue attacks are likely occurring and also the only way I know of to mitigate them using an added email alias as a workaround?

It's security by obscurity as I mentioned, but it at least typically stops the current attacks and should continue to avoid them in the future as long as you are careful to keep the 'new' alias secret and never use it for email or other purposes which might expose it.

I also wonder whether these current MFA attacks might be related to the recently discovered 149M Logins data leak that appears to have been a combination of multiple sets of data collected via infostealer malware, which though now offline, had been visible long enough for many criminal organizations to gain access.

Data Leak Exposes 149M Logins, Including Gmail, Facebook

My thought here is related to the fact that Gmail, Facebook and Yahoo accounts topped the list, though notably, Microsoft or related products like Outlook aren't even listed in the top 10 in that article.

However, the fact that many had chosen to create and 'sync' their Gmail and possibly other accounts such as Yahoo email with the Microsoft account they originally created, which is a horrible idea in a security sense, likely means that the breach of the Gmail or similar email account led to the eventual loss of both accounts if the passwords hadn't been changed before attacks occurred.

The key technical reasons behind the massive infostealer campaign(s) the last few years were apparently fixed, though they're still likely in operation against gaming sites or apps, since they're popular targets. But I suspect that as I'd noticed in these forums at the time, the often-mentioned fact that a Gmail account was involved in an account theft and synced to a Microsoft Personal account meant that this scenario was very common.

If you were aware of any past incident of an infostealer malware on one of your devices or had any questionable interactions relating to either gaming (especially cheat or mod sites or similar) or your Microsoft or similar key sites in recent months, then those might have been involved in your particular attacks.

Rob
Richard Molnar 0 Reputation points

2026-02-18T19:05:47.23+00:00
Rob, thanks for the reply.

This microsoft Q&A site is broken. I got an email notifying me of your reply, but when i loaded the question, i could not see any of your messages. Now, 2 weeks later, i finally see your messages

The attacks are still comming, but more frequently, up to 5 per day.

"With the passwordless authentication option available" : i have NOT enabled passwordless auth.

AFAIK i have not been pwned. I use password manager for each site. I have already rotated my MS credentials. My email might be part of many leaks, but I never re-use passwords between sites.

I am going to be blunt : "Unfortunately, if that's what these repeated requests actually are, there's only one known method to avoid them at present using a 'Security by Obscurity' option by changing the account's email alias used to login" If this is literally the only option apart from removing Authenticator completely, then Microsoft is completely messing up basic security practices. I don't think i have set up anything incorrectly. I have 2FA enabled. I follow all the best practices. And yet I am literally 1 miss-click away from compromising my whole account ? And the solution is to scout obscure forums and follow sketchy guides ??? I am IT professional and I know few things about IT security. Now imagine I am my grandma. Is MS ok with letting their users get compromised with no easy prevention ? Is this a punishment for following proper (2FA Auth app) practices ??? This is completely unacceptable behavior from a company like Microsoft.
Rob Koch 25,875 Reputation points Volunteer Moderator

2026-02-18T21:40:02.9066667+00:00
Richard,

This Q&A site is under constant attack worldwide, so yes, it occasionally has hiccups or even update bugs that can cause symptoms as you've described, though I'd only seen these over the most recent weekend with long lags and various threads appearing to be improperly linked.

Have you tried adding the email alias and unchecking the original alias as I described in my post the OP marked as the answer above?

Doesn't matter how you have the passwordless option set, since it's simply the fact that this exists which requires Microsoft to provide the various recovery methods using only the Username, hence the 'logical trap' that was created which allows this issue to exist.

Again, doesn't matter, since all the need is your Username to launch these MFA attacks using Microsoft provided authentication options, again, it's a 'logical trap' and not a bug, it's simply an unintended side effect of the various authentication methods that eventually collided in a situation lie this, which apparently no one saw coming. I take most such issues as occurring because there aren't any 'oldies' around in development anymore, who'd have had enough experience to see this trap coming and head it off, but that's just my own guess as someone who did everything from development, technician, administration, to contract support including security services over a 40-year career.

As Microsoft Support has apparently told at least a few who've reached them, the authenticator is operating as expected, and I believe you could theoretically turn off notifications and go to the authenticator manually when you knew you'd need to accept one of these, though I haven't tried this particular workaround myself. I called the added alias workaround 'security by obscurity' due to my own security background and I'd in fact only recently started to offer this option once the numbers of these Personal account MFA attacks began to increase dramatically, since I don't love the idea for reasons I've inferred in several of my posts on the issue. However, I've also begun to flesh out my 2nd paragraph in my answer post above as follows. Microsoft has been recommending Windows Hello Face, Fingerprint or PIN for device authentication for a few years now, which also inherently includes a passkey that's used to perform the Microsoft account authentication. Since new Windows 11 devices must come with this support, which is inherently 2FA even if only the (TPM protected) PIN option is available, this is actually a more suitable method for most consumer users. Though this doesn't directly resolve any 3rd-party TOTP code generators also stored in the authenticator, I suspect you could at least disable the notifications and possibly remove the authenticator option from your Microsoft account entirely, continuing to use the TOTP codes it creates until you've replaced all of those with passkeys. Though you're here specifically relating to the MFA attacks, these forums have begun to see far more loss of account access issues due to typical consumers having enabled the 2FA account selection, installed the authenticator and then either their phone is stolen, damaged or otherwise lost. Many of these people haven't kept their additional verification methods current if they ever entered them. and so, they end up locked out of their account permanently with no viable method to recover. This has clearly shown me that the typical consumer like the grandma you mentioned aren't suitable users of the Microsoft Authenticator, since they have no grasp of the many logical traps that these apps create which require keeping not only verification options, but others like recovery codes and alternate emails fully up to date. What this also made me realize was that the authenticator itself was really created as a workaround until the Windows Hello and passkey systems were in place, which at least for Windows 11 and a few older systems like my own Microsoft Go tablet (2017-8) with Windows 10, is now true for most existing users. For a grandma or other less capable user, I'd get them a new device if required, and though about half of my own TOTP codes don't have a passkey replacement yet, most can at worst return to an option like SMS Text or similar code generation which are typically easier for a consumer to use.
Richard Molnar 0 Reputation points

2026-02-19T11:07:44.9066667+00:00

Hi Rob, thank you again for your reply.

1.) "Have you tried adding the email alias and unchecking the original alias as I described in my post the OP marked as the answer above?" : no. I will do it when microsoft publishes official documentation recommending this approach. I understand you might feel like i am refusing the only cure, but I refuse to support a situation, where to get a properly secured account with a trillion dollar software company, you have to follow sketchy forum guides.

2.) "requires Microsoft to provide the various recovery methods using only the Username, hence the 'logical trap' that was created which allows this issue to exist." - i understand what you are trying to say. But Microsoft UI is simply broken and needs fixing. I just checked my settings : I have 2FA enabled. As far as I know, 2FA means two factor. I tried logging in to my acc on fresh account, fresh IP address and i was able to login using only my email and authenticator - thats one factor login. Thats simply broken a bypassing basic security stuff.

3.) "... because there aren't any 'oldies' around in development anymore, who'd have had enough experience to see this trap coming and head it off..." : I think we see the issue very similarly.

4.) "This has clearly shown me that the typical consumer like the grandma you mentioned aren't suitable users of the Microsoft Authenticator, since they have no grasp of the many logical traps that these apps create which require keeping not only verification options, but others like recovery codes and alternate emails fully up to date" - i fully understand this common issue, since i have been managing some orgs before and this was indeed what was commonly happening.

5.) "most can at worst return to an option like SMS Text or similar code generation" - in current age, SMS can get easily spoofed and has been used as an attack vector in many real world attacks. I dont doubt you know about this, but I am just writing this down in case anybody else finds this conversation to understand the implication of this solution.

6.) just a side note : unfortunately, most (even premium 10 000 USD) Windows devices dont have true biometric login (at least an IR camera or fingerprint). PIN can be simple 4 digit number. If a 4 digit PIN stands as the only barrier between getting my account compromised... "What this also made me realize was that the authenticator itself was really created as a workaround" : in that case they should retire Authenticator ASAP. AFAIK, Authenticator isnt mentioned anywhere as "workaround temp solution", but a proper security factor, so Microsoft needs either to change their communication or rethink their security model.

Thank you again for your answer Rob. I am answering this in hope somebody from MS can see this, since I find this behaviour inexplicable for such large and important company. Current system WILL lead to many people getting compromised and NEEDS fixing.
Rob Koch 25,875 Reputation points Volunteer Moderator

2026-02-19T21:48:27.8033333+00:00
Hi Richard, I'll try to clarify terms of my understanding as a (specifically security) forum's contributor since 2006, with interpretation and discussion of the things Microsoft isn't saying out loud often the focus of my chosen questions and answers.

The only 'official' version of this particular workaround that I've seen is a few past threads in these forums where people with similar notification issues received these same instructions from Microsoft Support. I doubt you'll ever seen anything more official, at least until similar to the deprecation of the authenticator's use for storing passwords, they finally deprecate its use entirely as Windows Hello and passkeys become ubiquitous. The forums are manned by Microsoft employees along with contractors and volunteers like me, but they typically concentrate on Azure and the other business products in which they specialize.

2FA is badly misunderstood, while either authenticator with a code/push response, or Windows Hello with PIN are fully compliant with the Microsoft requirements. That's because it's something you have, a phone with authenticator app installed, combined with something you know, the code or push reply sequence.

The difference with Azure business accounts is that there are often either alternate Global Admins for orgs large enough to have these or at least the option to contact Microsoft Support directly for recovery, since these always paid tenants and products provide a clearer path to identity than is possible with Personal consumer accounts.

Yes, I understand SMS is not preferred and would choose other options if available, but the reality is that at least some major name businesses or financial institutions still default to SMS as a fallback when something like an authenticator code isn't available. While checking a couple of my own TOTP supported accounts, I ran into one major insurance org that provided the ability to use either the TOTP code or select to use SMS instead on the same page, so this inherently offers the out whether the user prefers it be available or not. The typical concern from the org's standpoint is more often easy account recovery vs security, which is why I suggested it as an option.

I'm glad you split these portions off, since I should have in my previous response. Windows Hello PIN and the support behind it via the TPM are another badly misunderstood portion of Windows security, so I'll provide the information that you're missing. First, the PIN is not just 4-digits, it's a code only usable on the local device, with the option to both lengthen and increase the complexity of the PIN itself, which in my own case I immediately switched to 5-digit, increasing the number of potential codes to 100,000. The reason this isn't potentially a risk even at 4-digit, is that virtually no one is aware that the TPM has anti-hammering protection by default, which allows only 32 failed attempts before locking out future tries, though by leaving the device physically on for 10 minutes, it will provide an added try. Mitigating attacks based on knowing the length of a Windows Hello PIN - The Old New Thing

"in that case they should retire Authenticator ASAP. AFAIK, Authenticator isnt mentioned anywhere as "workaround temp solution", but a proper security factor, so Microsoft needs either to change their communication or rethink their security model." : I'll treat this portion separately, since as I often do, I jumped to a conclusion that leaves people's heads spinning. Authenticator is a proper security factor in the correct hands, but as with many such technologies in the past, it has declined with age. It's also largely susceptible to phishing, though less easily than TOTP, which has been proven by many successful attacks against gaming users in recent years. My realization that authenticator was a workaround comes from the understanding that Microsoft and the FIDO Alliance had been working towards the passkey standards for over a decade, so interim authentication tools like authenticator were really always half-steps and thus temporary. That doesn't make them useless but less useful in certain hands than others as we've both agreed. And yet again, the support for certain protections in using the authenticator have been improved most with Azure, since there are IT support people there to configure and manage these more complex options and explain them to users, so it may remain viable there for longer than with Personal accounts. The reality though is that Microsoft typically doesn't telegraph such issues outside the organization itself, if they even discuss them openly there, since security by obscurity does tend to work to some extent, at least until a newer and better option can replace it. That's why I answer questions like yours, since your 'Microsoft isn't being secure or transparent' attitude is actually relatively naive, while nearly 50 years of observing the company as a customer, combined with roughly 10 years during which I had access to internal security development people (Windows Live OneCare, Microsoft Security Essentials) including NDA limited posting in the then existing forums, have given me a relatively unique ability to recognize and understand what they're 'not' actually saying in public.

Share via

I am getting many requests per day for authenticator app that I am not making

3 additional answers

Your answer