Now, they did exactly one thing right:
They don't ask permission to send the code when you log in. They just send it.
Asking things like "Where would you like us to send the code?" or "Is it alright if we send you the code?" gives an attacker a chance to back out before the notification alerts the account owner to the potential breach.
Your auth systems should make attackers noisy. We like noisy attackers.
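The two flows contrasted above, as an added example that is not part of the original post: a small model of a password-then-code login where the "ask first" variant lets whoever holds the password abort before the owner is notified, while the "send immediately" variant produces a notification on every correct password. All names, the toy plaintext password check and the in-memory notification list are assumptions for illustration.

```python
"""Added example (hypothetical names): two password-then-code login flows
modelled as tiny state machines. The owner-visible side effect is a
notification entry; the point is which flow guarantees that entry."""
from dataclasses import dataclass, field
import hmac


@dataclass
class Account:
    username: str
    password: str          # plaintext only in this toy model; never do this in production
    contact: str           # where the login code is delivered
    notifications: list = field(default_factory=list)   # what the owner actually sees


def _password_ok(acct: Account, password: str) -> bool:
    # constant-time comparison; stands in for a real password-hash verify
    return hmac.compare_digest(acct.password, password)


def login_ask_first(acct: Account, password: str, proceed_to_code) -> str:
    """Weak flow: after a correct password, the UI asks 'Send the code to X?'.
    Nothing reaches the owner unless the caller answers yes, so a caller with
    a stolen password can back out silently."""
    if not _password_ok(acct, password):
        return "denied"
    if not proceed_to_code():
        return "abandoned"          # no notification: owner never learns of this
    acct.notifications.append(f"login code sent to {acct.contact}")
    return "awaiting_code"


def login_send_immediately(acct: Account, password: str) -> str:
    """Hardened flow: a correct password always triggers code delivery,
    so every attempt with a valid password leaves a trace at the owner."""
    if not _password_ok(acct, password):
        return "denied"
    acct.notifications.append(f"login code sent to {acct.contact}")
    return "awaiting_code"


def owner_alerts_after_abandoned_attempt() -> tuple:
    """Run the same 'password known, then back out' scenario through both flows
    and return how many notifications the owner got from each (constructed data)."""
    weak = Account("alice", "hunter2", "+1-555-0100 (constructed)")
    strong = Account("alice", "hunter2", "+1-555-0100 (constructed)")
    login_ask_first(weak, "hunter2", proceed_to_code=lambda: False)
    login_send_immediately(strong, "hunter2")   # cannot be backed out of
    return len(weak.notifications), len(strong.notifications)
```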