The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
This is called MFA bombing. Just send prompts until the user accidentally accepts one.
Microsoft’s authentication has protection against this, requiring you to manually enter a 2-digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.
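As an added illustration (not code from any commenter, nor from Google or Microsoft), the sketch below models the two defences the thread touches on: number matching, where a tap on the phone only counts together with the 2-digit value shown on the device that is signing in, and a per-account cap on prompts so a flood of unprompted requests stops being delivered instead of waiting for an accidental tap. Class names, window sizes and the cap are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class PushChallenge:
    """One outstanding sign-in prompt delivered to the user's phone (constructed model)."""
    challenge_id: str
    number: int          # 2-digit value displayed on the device that is signing in
    created_at: float
    approved: bool = False

@dataclass
class PushAuthenticator:
    """Toy push-MFA back end with number matching and prompt-fatigue protection.
    Parameters are illustrative assumptions, not any vendor's real limits."""
    max_prompts_per_window: int = 3
    window_seconds: float = 300.0
    pending: Dict[str, PushChallenge] = field(default_factory=dict)
    prompt_times: List[float] = field(default_factory=list)

    def request_prompt(self, now: float) -> Optional[PushChallenge]:
        """Called by the login flow. Returns None when the prompt cap is hit,
        i.e. the account is being bombed and the user should be alerted instead."""
        self.prompt_times = [t for t in self.prompt_times if now - t < self.window_seconds]
        if len(self.prompt_times) >= self.max_prompts_per_window:
            return None
        self.prompt_times.append(now)
        # 10..99: the number the legitimate user reads off the signing-in device
        ch = PushChallenge(secrets.token_hex(8), secrets.randbelow(90) + 10, now)
        self.pending[ch.challenge_id] = ch
        return ch

    def approve(self, challenge_id: str, entered_number: Optional[int]) -> bool:
        """Called from the phone. A bare tap (entered_number None) or a wrong
        number fails, and the challenge is consumed either way (single use)."""
        ch = self.pending.pop(challenge_id, None)
        if ch is None or entered_number is None or entered_number != ch.number:
            return False
        ch.approved = True
        return True
```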
That quickly becomes tedious when you need to do it multiple times a day - e.g. logging in to different customer environments. Much prefer the one-click approval.
Yeah, it's all a balance though. Personally, I'm fine with sacrificing a couple seconds here and there, maybe a minute a day at most to help the rest of the population not have their life destroyed. I do admit though that if we calculated out all the time across all the people it would probably be a less rosy picture. But even the authentication we have now still takes some time, we could save seconds of each person's life if we just rid it altogether. I think I'd need some statistics on time spent vs catastrophes avoided to make a solid determination. Presumably Google has this data?
Google allowing OTP codes to be generated from the cloud is also insane to me. I've known about this feature for a little while, but it never ceases to amaze me how careless Google is with security.