It is almost impossible to set up personal Microsoft accounts that does not allow passwordless login. So what is more likely to have happened is that your account is set up like this and you are just getting MFA requests that are not a second factor, but simply an attempt to get access to your account.
replyI was getting multiple of these a day and found that if you set up the Microsoft Authenticator app from a phone, it will force it to passwordless if you have any type of lock on your phone (facial, fingerprint, pin). The only way around it is to disable all of those while setting up the account in the authenticator app. I don't use my Microsoft account much, so just use a separate e-mail now for verification instead of the authenticator app.
The fact that this is how it works is of course insane, but I'm guessing someone inside of Microsoft is hitting their KPIs for passwordless logins or something...
Thank you! I have a very strong password so I was worried about how this could happen, but your scenario makes sense. Especially since it only seems to be my Microsoft account having this problem.
replyIn some organizations I've worked at, the multi-factor prompt would occur regardless of the password validity (wastes more of the attacker's time). Is that the case with Microsoft? I'm not sure.
reply