I recently got an unsolicited OTP email from Microsoft, which led me to fear that someone had entered my password, but no: I eventually was able to confirm that the arrival of an OTP does not, in fact, require that someone enter anything beyond my email address. This is rather insane (I should not be having a blood pressure event due to Microsoft) but on the other hand I do understand the passwordless concept which is just a password-reset flow sans password-change. Perhaps a nice middle ground would be if the OTP email explicitly stated that my password was not entered.
replyI would, but I don't need to know immediately. Plus you have the other vector of my phone sitting on a table and showing the notification to a person who can see it when they are trying to login as me.
replyI find it to be a poor default that sensitive data is shown on the lock screen. I change that setting as a first order of business whenever I'm setting up a new phone.
reply