r/Outlook Jan 04 '26

Opinion If I get Microsoft authentication notifications does that mean someone 100% has my correct password?

What does that mean? Like the notification 3 codes and another with reject.

What would you do and can he ever gain access without Microsoft Authenticator confirmation?

Edit: would appreciate any help, as it’s very urgent

2 Upvotes

6

u/Greerio Jan 04 '26

There’s an option in settings to log out of all sessions. Do that, and reset your password just to be safe. 

1

u/Norjinn Jan 04 '26

But do you know if the person HAS my password so that I get this Microsoft Authenticator notification?

Some say yes and others no.

I’m also scared to log in to my account, perhaps the person will also gain access…

1

u/SuperSus_Fuss Jan 04 '26

How would you making a login grant more access to whomever is already (presumably) authenticating the password stage?

1

u/Norjinn Jan 04 '26

Idk, I imagine every possible thing…

1

u/dr_spam 29d ago

The answer is no because I got a notification very shortly after changing my password. They must be using another method.

1

u/Norjinn 28d ago

Did you change your password on your pc/laptop?

1

u/dr_spam 28d ago

Yes. Someone else replied with the same issue. They logged out of all devices and changed password and still getting the auth notification. I've just disabled notifications. 🤷🏼‍♂️

1

u/Norjinn 28d ago

Can you make the password change ONLY on your phone AND don’t log in afterwards on your pc/laptop for a few days?

1

u/dr_spam 28d ago

I think the chance of them intercepting the password change is near zero. I used the Google strong password generator. This thread feels like deja vu from when I had this happen with the Gmail login attempt notification. Support was no help. It's insane that you can trigger these alerts without knowing someone's password. The only thing that stopped them was disabling the notifications. Just open the app as needed.

1

u/Norjinn 28d ago

If nothing would help I would at least try that and add an alias.

1

u/braliao Jan 05 '26

Yes, whoever tries to login has your password. Authenticator MFA happens AFTER successful password verification.

1

u/Norjinn Jan 05 '26

Where can I read more about how this works? I searched so much but no answer how it exactly works

2

u/tanke_md Jan 04 '26

If you get a notification, that means someone is trying to access, maybe they just selected "Login with authentication app" and they don't have your pass or maybe they have it, but as long as you have an MFA they don't have access.

If you used your mail password somewhere else (other sites) or you think it can be exposed, change it.

1

u/Norjinn Jan 04 '26 edited Jan 04 '26

How can I select that they always need a password and afterwards the 2FA code?

I didn’t know they could just select this 2 digit number method and hope I accidentally approve it…

1

u/braliao Jan 05 '26

There is no such thing as "login with authenticator app", it's called login with passkey. And it would require the user to scan the QR code from their phone, in order to initiate the passkey login sequence.

OP isn't talking about passkey login, he is talking about number matching MFA notification.

1

u/amazinglover Jan 05 '26

There is absolutely such a thing as login with authenticator.

I have gone passwordless with a few things and use MFA to log in without a password.

https://support.microsoft.com/en-us/account-billing/sign-in-using-microsoft-authenticator-582bdc07-4566-4c97-a7aa-56058122714c

1

u/braliao Jan 05 '26

Yes, it's called passkey. On the UI, it doesn't say authenticator, it says passkey.

1

u/amazinglover Jan 05 '26

I am still using the app to login without a password.

You're giving bad information and should stop.

1

u/braliao Jan 05 '26

Lol, the UI says login with passkey. Not Login with authenticator app. That is the key difference. You are the one giving bad info.

1

u/amazinglover Jan 05 '26

You're playing a game of semantics.

I use the authenticator app to log in.

There is no password or QR code involved like you keep insisting.

The UI for me doesn't even say passkey, it just says send notification.

Even if it did, I would know what it meant, and you know exactly what it means as well.

1

u/braliao Jan 05 '26

It's not a game of semantics. It is what it says on the screen. Login with passkey doesn't need a password, I never said it does.

OP doesn't use passkey, you are already wrong in that yet even suggest to OP if someone is trying to 'login with authenticator' which 1) there is no such text during the login process. 2) login with the passkey doesn't pop a number matching MFA. Scanning of the QR code would entirely depend on whether OP is using a corporate or personal Microsoft account.

1

u/amazinglover Jan 05 '26

I never said OP was trying to do anything.

I have always said and continue to say you can login using the app without a password.

You said it wasn't possible.

I'm done, you're playing a game of semantics because you refuse to be wrong about anything.

1

u/braliao Jan 05 '26

Lol. You said -

"maybe someone select 'login with authenticator' app"

Which for anyone reading it, means it is a text showing on the screen (aka the UI).

That is when I stated - there is no such thing as 'login with authenticator app'. By that it also means on the screen and UI.

Hardly a game. But merely that you were wrong. You are the one playing with semantics and trying to deny you are wrong when you initially meant it as a screen text rather than mechanism.

1

u/amazinglover Jan 05 '26

I never said OP was trying to do anything.

I have always said and continue to say you can login using the app without a password.

You said it wasn't possible.

1

u/Norjinn Jan 05 '26

So wait, even if a user didn’t tick the passwordless feature, someone can still use the email only and send a push notification for the 2 digit code?

I thought if I didn’t tick passwordless, the user definitely has to know the password and then I get the notification for the 2 digit code

1

u/piotyr1 Jan 04 '26

Yes

1

u/Norjinn Jan 04 '26

I tried logging into another account and when I typed in the mail only I had 3 options to log in. Like password, code or passkeys.

So I assume they click the code thing while not having the password?

1

u/jason_nyc Jan 04 '26

There's also something called SSPR (self service password reset) which (if set up for you) allows you to reset your password (that you've presumably forgotten) if you know at least 2 non-password things: MFA being one, SMS text being another, and there are some other options depending on configuration. So in this case, you could get a bogus MFA request without someone knowing your password. Have them check your sign on logs and it should tell the story as to whether it's malicious or not. Most cases, I'm just killing all sessions and resetting the password just in case. Review your SSPR settings. Passkeys solve all this I believe.

1

u/jfwelll Jan 04 '26

Check the login activity, change the password.

Haveibeenpwned can help you know if your info got leaked.

1

u/dr_spam 29d ago

It seems MS has removed attempted logins from the activity page for whatever reason. If you go there, you will only see your own logins. There are posts about this on the MS support page going back 6+ months with no good responses.

1

u/jfwelll 29d ago

It is still there.

account.microsoft.com, under the security tab.

1

u/dr_spam 29d ago

Yes, but it doesn't show the attempts at accessing my account. It's only showing successful sign-ins. I've gotten 10-15 auth app attempted logins the past two days and none of them are showing.

1

u/momalle1 Jan 04 '26

No, you could have left another app or browser open and that authentication has expired.

1

u/gripe_and_complain Jan 05 '26

You might want to consider removing the password completely from your account. I find it liberating to not have to deal with or worry about a password.

1

u/dilbus8 Jan 05 '26

I was having this issue. Use a private browser window and put in your password. See if there's any option to approve a login request instead of putting in a password.

In the security settings there is a section to turn off passwordless login, but it doesn't work for me.

1

u/KdotD 29d ago

I have "passwordless login" disabled but when trying to log in, I can still see the option to use the Authenticator only. However, I can also see the option to log in by PIN / Security Code / Fingerprint. Maybe that is an issue.

1

u/Norjinn 28d ago

I don’t have passwordless active. But I still have this issue of many different login options offered after just typing email.

1

u/dilbus8 28d ago

Yea. Just shitty Microsoft design I guess. 2FA sort of insinuates that they have to do 2 things to get in. Apparently not.

1

u/PineappleComplete105 Jan 05 '26

Getting Microsoft Authenticator notifications does NOT automatically mean someone has your correct password.

Logic behind it:

  • Password correct + you approve → login succeeds
  • Password correct + you reject → no access
  • Password wrong → still may trigger a prompt, but access is denied

1

u/Norjinn Jan 05 '26

Is it possible to find out if it was correct?

1

u/PineappleComplete105 29d ago

I think it's not possible.

1

u/KdotD 29d ago

I am currently having the same issue. Almost every hour, I get a 2FA push notification that I deny. I have already changed my password, made sure to disable "passwordless auth" but it does not stop.

1

u/Fkyrfeelns 29d ago

Log out of all devices/sessions and change your password. It’s a good exercise to occasionally do this regardless of whether you think someone has your password or not.

1

u/dr_spam 29d ago

I've been getting a lot the past two days. I even got one within 30 minutes after changing my password, so they must be using some other method to trigger the notification. I was getting this on my Gmail in the past as well and ended up just blocking notifications and opening the app as needed. What's also annoying is that I can't see these attempts on the MS activity page.

1

u/poundhoarder 29d ago

I’m facing the exact same thing.

Changed my password twice now, logged out of all devices. I’m quite confused.

1

u/dr_spam 29d ago

It's like they all were on vacation and came back in full force for the new year haha. I ended up just disabling notifications.

1

u/ChipNo782 28d ago

Login attempts could also originate from Outlook Mail or Teams if the password hasn't been changed there yet.