Password changes and removing a passkey do not stop attackers from trying to sign in. They only prevent those attempts from succeeding.
What is happening:
- Someone still knows or is guessing the username for the account and continues to submit sign-in attempts.
- Each time the primary sign-in step succeeds (or gets far enough), Microsoft sends a second-factor request to Authenticator.
- As long as the attacker keeps trying, Authenticator will keep showing “approve/deny” prompts, even if the attempts ultimately fail.
What to do to stop or reduce these prompts and secure the account:
- Never approve any unexpected request
  - Treat every unrequested prompt as a possible attack. Deny it and do not share any codes.
- Review recent sign-in activity
  - Go to the My Sign-ins or Recent activity page for the account.
  - Look for successful or suspicious sign-ins (unfamiliar locations, devices, or apps).
  - If any activity is not recognized, immediately change the password again and then update security info.
- Turn on and harden multifactor authentication
  - Ensure multifactor (two-step verification) is enabled on the account.
  - Use strong methods such as Microsoft Authenticator, Windows Hello, or a FIDO2/security key.
  - This ensures that even if the password is guessed, the attacker cannot complete sign-in.
- Go passwordless if possible
  - For work/school accounts, consider going passwordless (for example, using Authenticator, Windows Hello, or a security key instead of a password).
  - Passwordless sign-in significantly reduces the value of password-guessing attacks and helps stop repeated code prompts.
- Check for compromise indicators
  - If any successful sign-in from an unfamiliar location or device is found, treat the account as compromised:
    - Change the password.
    - Review and update all security info (phone, email, methods).
    - Sign out of all sessions and re-register MFA if needed.
- Ignore unrequested verification codes
  - If verification codes are received by SMS or email that were not requested, do not use them.
  - These often indicate someone is trying to access the account or mistyped an address. Without the code, they cannot complete sign-in.
The prompts themselves mean attackers are attempting to sign in, not that they are succeeding. By keeping multifactor authentication enabled, monitoring sign-in activity, and optionally going passwordless, the account remains protected and the impact of these attempts is minimized.
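One way to act on the "review recent sign-in activity" and "check for compromise indicators" steps in the answer above. This Python script is an added example; it is not part of the original answer and not a Microsoft tool. It runs over a constructed set of sign-in records (the field names `time`, `user`, `result`, `location` and `device` are assumptions, loosely modelled on what a sign-in activity page shows) and separates the two situations the answer distinguishes: a burst of denied second-factor prompts with no successful sign-in (attack in progress but not succeeding), and a successful sign-in from an unfamiliar location or device (treat as compromised).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real logs). Alice is receiving a burst
# of push prompts she denies; Bob has a successful sign-in from an unknown place
# and device; Carol's activity is all from her known location and device.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "user": "alice", "result": "mfa_denied", "location": "Lagos, NG", "device": "unknown"},
    {"time": "2024-05-01T08:02:00", "user": "alice", "result": "mfa_denied", "location": "Lagos, NG", "device": "unknown"},
    {"time": "2024-05-01T08:05:00", "user": "alice", "result": "mfa_denied", "location": "Lagos, NG", "device": "unknown"},
    {"time": "2024-05-01T08:09:00", "user": "alice", "result": "mfa_denied", "location": "Lagos, NG", "device": "unknown"},
    {"time": "2024-05-01T09:15:00", "user": "bob",   "result": "success",    "location": "Unknown city, RU", "device": "unknown"},
    {"time": "2024-05-01T09:30:00", "user": "carol", "result": "success",    "location": "Berlin, DE", "device": "carol-phone"},
    {"time": "2024-05-01T09:40:00", "user": "carol", "result": "mfa_denied", "location": "Berlin, DE", "device": "unknown"},
]

# Constructed "known good" profiles per user: what the owner recognises as theirs.
KNOWN = {
    "bob":   {"locations": {"Seattle, US"}, "devices": {"bob-laptop"}},
    "carol": {"locations": {"Berlin, DE"},  "devices": {"carol-phone"}},
}


def parse_events(events):
    """Copy the records with the ISO timestamp turned into a datetime."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]


def mfa_prompt_storms(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: count} for users who received at least `threshold`
    denied or unanswered second-factor prompts inside any sliding window.
    This is the "prompts keep coming but attempts fail" pattern."""
    by_user = defaultdict(list)
    for e in parse_events(events):
        if e["result"] in ("mfa_denied", "mfa_timeout"):
            by_user[e["user"]].append(e["time"])
    storms = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            storms[user] = best
    return storms


def unfamiliar_successes(events, known):
    """Successful sign-ins whose location or device is not in the user's
    known set. Each hit is (user, time, reasons)."""
    hits = []
    for e in parse_events(events):
        if e["result"] != "success":
            continue
        profile = known.get(e["user"], {"locations": set(), "devices": set()})
        reasons = []
        if e["location"] not in profile["locations"]:
            reasons.append("location")
        if e["device"] not in profile["devices"]:
            reasons.append("device")
        if reasons:
            hits.append((e["user"], e["time"].isoformat(), reasons))
    return hits


def triage(events, known):
    """Map each user to the response recommended in the answer above."""
    storms = mfa_prompt_storms(events)
    compromised = {user for user, _, _ in unfamiliar_successes(events, known)}
    verdict = {}
    for user in {e["user"] for e in events}:
        if user in compromised:
            verdict[user] = ("treat as compromised: change password, review security info, "
                             "sign out all sessions, re-register MFA")
        elif user in storms:
            verdict[user] = ("under attack but holding: deny prompts, review sign-in activity, "
                             "consider passwordless")
        else:
            verdict[user] = "no action"
    return verdict


if __name__ == "__main__":
    for user, action in sorted(triage(SAMPLE_EVENTS, KNOWN).items()):
        print(f"{user}: {action}")
```

The sliding window in `mfa_prompt_storms` is the only non-obvious part: it counts the densest run of denied prompts per user rather than a total, so a handful of prompts spread over weeks is not flagged while a burst of three or more inside ten minutes is. A successful sign-in from an unfamiliar location or device outranks a prompt storm in `triage`, because the answer treats that as the point at which the account should be considered compromised.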