
How can a Microsoft "unsuccessful sign-in" trigger a 2FA request?

Çağlar Arlı


I was certain I'd find a question asking this, but a search didn't return any results.

I have 2FA enabled on my Microsoft account, which requires me to approve all sign-ins using the Microsoft Authenticator app. My understanding is that after you supply the correct userID + password, you're asked to approve the sign-in with the Authenticator app.

Yet twice in a week, I received such a request without trying to log in anywhere. What's more, the attempt came from outside my location (on both occasions from the Netherlands, as I discovered in the Microsoft sign-in logs). Microsoft claims the sign-in was unsuccessful (presumably because I denied access in the Authenticator app), but I suspect that, since I received the 2FA request, my sign-in details (the password, basically) were compromised. So I changed it (though Microsoft says "Don’t worry. This sign-in attempt was unsuccessful, so there is no need to change your password", which in my opinion is really bad advice).

A week later, the same thing happened again, again from the Netherlands. My super-long, super-complex password was apparently compromised again, or so it seems.

My questions:

  • Am I right to assume the password was compromised on both occasions? Is there any other way a 2FA request could be triggered?
  • About a couple of months ago, I started using Thunderbird as an email client, on which I used a Microsoft-generated app password (criminally not complex) to access my Outlook inbox. The way Microsoft log-ins work, would I receive a 2FA prompt if someone tried to log in using an app password that's already in use?
  • A bit hypothetical (feel free to ignore it) but realistically speaking (and excluding malware, which I feel I can exclude with a reasonable degree of certainty), how likely is it to brute-force, twice in a week, a password that is 20 characters long, with upper, lower, numbers, and symbols? I mean, if it's possible, are passwords meaningful anymore?
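The third question can be answered with arithmetic rather than intuition. The Python below is an added worked example, not part of the original post or any Microsoft documentation: it computes the keyspace and entropy of the poster's 20-character password over the 94 printable ASCII characters, contrasts it with an app password (assumed here, as the poster's "criminally not complex" remark suggests, to be 16 lowercase letters; treat that length and alphabet as an assumption), and estimates the chance a random-guessing attacker would succeed within one week at several guess rates. The guess rates are constructed scenarios, not measurements of Microsoft's service.

```python
import math

# Alphabet sizes (assumptions for this example, not taken from the post).
PRINTABLE_ASCII = 94   # upper + lower + digits + symbols
LOWERCASE = 26         # assumed alphabet of a Microsoft app password

# Sustained guess rates: constructed scenarios, not measured figures.
GUESS_RATES = {
    "online, lockout-throttled (10 guesses/min)": 10 / 60,
    "online, unthrottled endpoint (1,000 guesses/s)": 1_000.0,
    "offline, fast hash on GPU rig (1e11 guesses/s)": 1e11,
}

SECONDS_PER_WEEK = 7 * 24 * 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` over the alphabet."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy (bits) of a uniformly random password of this length."""
    return length * math.log2(charset_size)


def years_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Years needed to try the whole keyspace at a sustained guess rate."""
    return keyspace(length, charset_size) / guesses_per_second / SECONDS_PER_YEAR


def success_probability(length: int, charset_size: int,
                        guesses_per_second: float, seconds: float) -> float:
    """Chance that random guessing at this rate hits a uniformly random
    password within `seconds`; capped at 1.0 once the keyspace is covered."""
    guesses = guesses_per_second * seconds
    return min(1.0, guesses / keyspace(length, charset_size))


def report(label: str, length: int, charset_size: int) -> None:
    """Print a per-scenario summary for one password shape."""
    print(f"{label}: {entropy_bits(length, charset_size):.1f} bits of entropy")
    for scenario, rate in GUESS_RATES.items():
        p_week = success_probability(length, charset_size, rate, SECONDS_PER_WEEK)
        print(f"  {scenario}: {years_to_exhaust(length, charset_size, rate):.2e} years "
              f"to exhaust, P(success in one week) = {p_week:.2e}")


if __name__ == "__main__":
    report("20 chars, printable ASCII", 20, PRINTABLE_ASCII)
    report("16 chars, lowercase only (assumed app password)", 16, LOWERCASE)
```

The numbers make the poster's own inference the plausible one: at any online rate, and even at offline GPU rates, the probability of guessing a random 20-character password in a week is vanishingly small, so a genuine MFA prompt from an unknown location points to the password being obtained some other way (reuse in a breach, phishing, or an infected device) rather than brute force. It also shows why the app-password question matters from a defender's side: an app password is far weaker than the primary password and, being designed for clients that cannot do MFA, is not protected by the Authenticator prompt at all, so rotating or revoking it is a separate step from changing the account password.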