When on desktop, Google prompts you to re-verify MFA for escalated privs. It prompts for your passkey/security key, and also sends a prompt to your phone.
But the phone prompt apparently has no way to "get the word" that the prompt was answered on the desktop. So the stale prompt just sits there indefinitely, with only "no this isn't me" or "yes this is me" as the options.
I say "stale" because you can pick your phone an hour later and that prompt is still there, full screen - so you can't be sure when it arrived, and there's no indicator of what service is prompting you, geo location or ISP of the prompt, etc. (so it's unwise to his "yes this is me"). But you also don't want to hit "no this isn't me", in case it was your legit login from an hour ago.
#mfa
Royce Williams /
npub1l4…kte68
2024-03-21 17:05:04
Author Public Key
npub1l4uw5jf7geh9gq658wjsga0g4nrez4l28w45yw6n77q238yjgglqykte68Published at
2024-03-21 17:05:04Event JSON
{
"id": "218c2e050b3cc8b9c03e0ebc91c44646e81e3adf61f77f9361d5a57226029cf8",
"pubkey": "fd78ea493e466e5403543ba50475e8acc79157ea3bab423b53f780a89c92423e",
"created_at": 1711040704,
"kind": 1,
"tags": [
[
"t",
"mfa"
],
[
"proxy",
"https://infosec.exchange/users/tychotithonus/statuses/112134763630342124",
"activitypub"
]
],
"content": "When on desktop, Google prompts you to re-verify MFA for escalated privs. It prompts for your passkey/security key, and also sends a prompt to your phone.\n\nBut the phone prompt apparently has no way to \"get the word\" that the prompt was answered on the desktop. So the stale prompt just sits there indefinitely, with only \"no this isn't me\" or \"yes this is me\" as the options. \n\nI say \"stale\" because you can pick your phone an hour later and that prompt is still there, full screen - so you can't be sure when it arrived, and there's no indicator of what service is prompting you, geo location or ISP of the prompt, etc. (so it's unwise to his \"yes this is me\"). But you also don't want to hit \"no this isn't me\", in case it was your legit login from an hour ago.\n\n#mfa",
"sig": "c7efabce8f5ef75d1e55c4f17bf8bffe700ca65ec273649d935d5e3dbac94c53f040ebf8609b0874b72abb243974d25fe86342aa4f0b3f8e76b88503f7ca813d"
}