Transcript
A wafrn woot (post) by @tinker@infosec.exchange saying “Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator. Here is the app telling me to open itself to validate itself with itself. #infosec #iHateComputers” It has a screenshot showing the microsoft authenticator app.
The commenter above you had lost their phone and was supposed to log in using this same phone.
They only got access to the account again due to chance, i.e. someone else found their phone.
(There likely is some sort of backup mechanism, but apparently it’s sufficiently well hidden.)
Yeah, I read the story, so I’m aware of the plot.
My comment was aimed at removing MFA completely because OP had a problem once. That is a bad idea and I expressed that by making a joke about using a very bad password because I couldn’t remember my actual password which is also a bad idea.
Google (as any other provider) used the phone option for MFA first because that’s what OP had been using multiple times before they lost their phone. OP wasn’t “supposed to log in using the same phone”, Google just offered the default way that had been used before. OP didn’t see the other login options and went on the internet to tell everybody how stupid Google is and proceeded to smugly proclaim they removed MFA entirely due to Google’s stupidity which inadvertantly revealed OP’s less smart decision I made fun of.
The “Try another way” option is literally right below the input field and one of two links displayed at this point (try it out, go to google.com in a private window and enter your password. The other link is “Resend it”.). It’s not hidden at all and OP had more choices than a stranger finding their phone but they never realized it. But again, that’s not my point. My point is that removing MFA because you had trouble logging in without your phone one time is a bad idea which is why I made a joke about that.