
What to Do With an Unexpected Two-factor Code

If you didn’t expect it, it could signal a problem.

Getting an unexpected authorization code on your phone or via email can be concerning. Let's see when it's a sign of a problem and what to do about it.
A photorealistic image of a modern smartphone displaying a notification for an unexpected two-factor authentication request.
(Image: DALL-E 3)
Question: Earlier today I suddenly received a TFA request from Microsoft on my mobile phone. It was one where one has to select one of three numbers. It purported that someone from South Africa wanted to log in to my Microsoft account. The fourth option on the request was ‘Weigeren’ (Refuse) in red. I clicked that one. I have not noticed anything untoward since. But now I am not so sure I did the right thing. Should I have ignored the request because it is time-limited anyway, instead of clicking the red button?

“Refuse” was the right thing to do. Letting the request time out would also have blocked that sign-in, but actively refusing tells the service the attempt was not yours, and it keeps you in the habit of never approving a prompt you didn’t start, no matter how many times it comes back.

We get different sorts of authorization notifications on our devices. If you get an unexpected notification (i.e. if you aren’t trying to sign in to a service or account), it may indicate your password has been compromised — or it may just be a sign of the system protecting you.

Let’s cut through the confusion if we can.


TL;DR:

Dealing with unexpected codes

Refusing unexpected two-factor authentication (TFA) requests is the right thing to do. This may indicate that your password has been compromised, but not necessarily. If you’re not sure, changing your password is always a safe thing to do.

True two-factor authentication

Two-factor authentication typically works like this when you sign in to a site or service.

  1. You enter your username.
  2. You enter your password.
  3. The system sends you a code (or link) via text or email.1
  4. You enter the code you were sent.
  5. You’re in!

Important: Note that you had to enter your password first, and it had to be correct. So if you unexpectedly get a true two-factor code via SMS or email, someone who is not you got past step 2: they know your password. Change it immediately, and if the service shows recent sign-in activity or account recovery settings, review those while you’re there.

However: most systems work that way, but not all. For example, I’ve run across at least one service where the sequence is as follows.

  1. You enter your username.
  2. The system sends you a code (or link) via text or email.
  3. You enter the code you were sent.
  4. You enter your password.
  5. You’re in!

In this sequence, the two-factor code was sent before the password was checked. Getting an unexpected code here tells you only that someone entered your username (often just your email address); it says nothing about whether they know your password.

Therefore, to know whether you have a security issue or not, you must know how that particular service behaves: do they send the two-factor code before or after you enter your password? (When in doubt, assume the worst and change your password.)

Not two-factor authentication

Some systems follow the following sequence.

  1. You enter your username.
  2. The system sends you a code (or link) via text or email.
  3. You enter the code you were sent.
  4. You’re in!

Note that there’s no password involved. Only single-factor authentication was used: your ability to provide the code that was sent to you.

This is not two-factor authentication. Since no password was involved, no password was compromised. You can safely ignore the unexpected code you received. What you must never do is hand it over: in this sequence the code is the entire credential, so anyone who talks you into reading it to them signs in as you.

Might be two-factor authentication

The original question sounds like you’re using some kind of already-signed-in app on your phone. That sequence looks like this.

  1. You enter your username.
  2. You enter your password.
  3. The system communicates with the companion app on your phone. (For example, any signed-in Google app for a Google sign-in, or the Microsoft Authenticator app for a Microsoft sign-in, or similar.)
  4. The app either:
    • Asks you to confirm yes or no to some form of “Is this you trying to sign in somewhere else?”
    • Asks you to select some piece of information — usually one of three numbers — shown on the screen of the site you’re trying to sign in to.
  5. You confirm or tap the correct code.
  6. You’re in!

Here’s the deal: step 2 — enter your password — may be optional.

  • If step 2 is present, then this is true two-factor: you need both your password and your phone to access the account.
  • If step 2 is not present, then this is essentially single-factor: you need only your phone.

If you get an unexpected request from the app and that service normally requires a password to get to that point, someone else knows your password.

On the other hand, if step 2 is not present, then no password was involved and you can safely ignore the unexpected notification.

Confusing as heck, right?
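To make the three sign-in sequences above concrete, here is an added example: a toy service I wrote for this article that can run any of the three flows, with a stand-in for your phone that records every code sent to it. It is not code from Ask Leo! or from any real service; the flow names, the account name “reader”, and the 300-second code lifetime are my own assumptions. The point it demonstrates is the article’s inference: a stranger with the wrong password triggers a code in the code-first and code-only flows but never in the password-first flow, so only in that last flow does an unexpected code prove your password is known.

```python
"""Toy model of the three sign-in sequences discussed in the article (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a texted/emailed code


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so a stolen user database does not hand out plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Phone:
    """Stands in for your SMS inbox or email; every code sent to you lands here."""

    def __init__(self):
        self.received = []

    def deliver(self, code):
        self.received.append(code)


class Account:
    def __init__(self, username, password, phone):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.phone = phone
        self.pending = None  # (code, expiry) for an in-flight sign-in, else None


class Service:
    """One toy service; `flow` selects which of the article's sequences it uses."""

    FLOWS = ("password_then_code", "code_then_password", "code_only")

    def __init__(self, accounts, flow):
        if flow not in self.FLOWS:
            raise ValueError(f"unknown flow {flow!r}")
        self.accounts = {a.username: a for a in accounts}
        self.flow = flow

    def _password_ok(self, acct, password):
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def _send_code(self, acct):
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = (code, time.time() + CODE_TTL_SECONDS)
        acct.phone.deliver(code)

    def _code_ok(self, acct, code):
        if acct.pending is None:
            return False
        expected, expiry = acct.pending
        acct.pending = None  # a code is single-use, whether or not it matches
        return time.time() < expiry and hmac.compare_digest(expected, code)

    def sign_in(self, username, password, read_code):
        """read_code() is how the caller obtains the code; it returns None if they can't."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if self.flow == "password_then_code":
            if not self._password_ok(acct, password):
                return False  # no code is ever sent for a wrong password
            self._send_code(acct)
            return self._code_ok(acct, read_code() or "")
        if self.flow == "code_then_password":
            self._send_code(acct)  # sent knowing only the username
            if not self._code_ok(acct, read_code() or ""):
                return False
            return self._password_ok(acct, password)
        # code_only: possession of the code is the whole credential
        self._send_code(acct)
        return self._code_ok(acct, read_code() or "")


def stranger_attempts(flow, knows_password):
    """Someone who is not you tries to sign in. Returns (you_got_a_code, they_got_in)."""
    phone = Phone()
    svc = Service([Account("reader", "correct horse battery staple", phone)], flow)
    guess = "correct horse battery staple" if knows_password else "Password123"
    got_in = svc.sign_in("reader", guess, lambda: None)  # they cannot read your phone
    return (len(phone.received) > 0, got_in)


def owner_signs_in(flow):
    """You, holding both the password and the phone, get in under every flow."""
    phone = Phone()
    svc = Service([Account("reader", "correct horse battery staple", phone)], flow)
    return svc.sign_in("reader", "correct horse battery staple",
                       lambda: phone.received[-1] if phone.received else None)


if __name__ == "__main__":
    for flow in Service.FLOWS:
        print(f"{flow:20} stranger with wrong password -> {stranger_attempts(flow, False)}")
```

Run it and the first column shows the whole article in one line each: under `password_then_code` a wrong password produces no code at all, so a code you didn’t ask for means the password was right; under the other two flows the code arrives regardless. Note also that in every flow the stranger stays locked out as long as they cannot read your phone, which is exactly why they may try to talk you into reading the code to them.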

Our passwordless future

I suspect things will get more confusing before they get better.

For example, I changed my Microsoft account to be completely passwordless but with two-factor authentication enabled. The first time I sign into a new device, it should require two forms of authentication. After that, though, when I sign in again, I need only confirm on my mobile device that it’s me.

Depending on how other systems implement passwordless options, the scenarios may be similar or completely different. Time will tell.

It’s always safe to change your password

If it’s unclear which scenario above applies to your situation, the best option is to change your password. Aside from being signed out on other devices, there’s absolutely no harm in changing your password just in case.

And, of course, make sure it’s long, strong, and used for only one account.

Do this

Don’t ignore unexpected codes. Minimally, it means someone is trying to sign in to your account. Whether or not they know your password may be unclear unless you understand what that specific service requires as part of the sign-in sequence.

When in doubt, change your password.



Footnotes & References

1: I’m explicitly ignoring app-based and hardware-key-based 2FA authentication methods, as they don’t suffer the issues outlined in this article.

6 comments on “What to Do With an Unexpected Two-factor Code”

  1. Maybe our bank has even truer “True two-factor authentication”

    They require
    user name ~ password ~ the code we were sent ~ password again

    Very interesting to see how different entities use “two-factor”, many as you write, not really two-factor at all.

    I will surely be even more aware of what is and what is not true two-factor after reading this article.

  2. I have also seen the instance where the UserID is entered, the password is entered, a 2FA code is sent, the 2FA code is entered (by me) and the response was “either the password or the 2FA code was incorrect” (for me, I entered an extra character in the password). At least this method gives a heads-up that someone is trying to gain access. The perp will never know if the password was correct or not.

  3. I have a couple of sites where I use 2FA that send from the same text number and do not indicate where they are coming from. I usually know because I get them during logon, but yesterday I got one out of the blue. I don’t know which site sent it. I did change the pwd on the 2 sites I know don’t id themselves. I wonder why some tell you where they came from and some do not.

