Comment by reddalo

Comment by reddalo 4 days ago

5 replies

View on Hacker News

I agree with you, but it's the same reason why Microsoft asks you to type a numeric code generated by their Outlook app in order to login. It's to prevent people from dismissing the alert by clicking "OK" without even reading (especially if they're in the middle of something else, e.g. during a scam phone call).

brendoelfrendo 4 days ago

Right, the numeric code is proof of intent. In theory, tapping "ok" or "yes, this is me" should be proof of intent. In reality, it's common for those who have compromised someone's password to flood people with these notifications and auth prompts to get them to eventually say "ok," even if by accident.

Reply View 3 replies
  • mrandish 4 days ago

    > it's common for those who have compromised someone's password to flood people with these notifications and auth prompts

    And by excessive reauthing, legit platforms and apps are helping scammers by conditioning users to click "OK" or enter a passcode reflexively just to get on with their lives. Frequent reauth makes everyone less secure.

    Reply View 1 reply
    • brendoelfrendo 2 days ago

      I don't disagree, and I appreciate your keeping the conversation on-topic, but that's very much an incomplete picture. I think our modern app ecosystem as a whole conditions users to click "OK" reflexively. A hypothetical app wants permissions for your camera, location, and file storage. If you click OK, you can use the app. If you don't, some functions may not work. I think the average user gets caught in the desire to use an app for its intended purpose and the need to tinker with settings - which they may or may not understand - if they want to use that app securely. So, they just say OK to everything.

      Of course, that's not the only situation with these push notifications. MFA fatigue attacks are a real thing, hammering the user with as many notifications as they can in a short time. Maybe the user assumes it's a bug, maybe they try to deny the push notification but eventually hit the wrong button, maybe they just want it to stop; it's not so much about exploiting user conditioning as it is assuming that if you force people into an unfamiliar situations, that some of them will eventually slip up.

      Reply View 0 replies
  • deepsun 4 days ago

    Duo Mobile at least make it two clicks (on Android at least). So a distracted user would likely to swipe off the notification, instead of tapping through and clicking "Yes, it is me" on the next screen.

    Reply View 0 replies
mlinhares 4 days ago

TIL, this now makes a lot of sense, won't be as mad about it anymore.

Reply View 0 replies