App based 2FA is better. Either the app generates a time based code that you enter into the site or the site sends a push notification to the app asking you to verify the login attempt.
Passkeys are good too as they replace the password completely and leave the 2FA part to the device.
It’s better than nothing and some people would really struggle to do other types of 2FA.
I find this very odd because Azure DevOps is hardly ever down in our experience.
Microsofts documentation is also increasingly just outright _wrong_:
There used to be a spot on joke about Microsoft documentation taking the piss out of the fact that it was always 100% accurate but at the same time pretty useless. That joke hasn’t been relevant for a while.
It’s so frustrating trying to find out how to do something in one of the admin centres for M365 and you find a Microsoft document with exactly what you need in it only to find out that the UI has changed and the steps don’t work now. Did they move it? Did they remove it? Who knows?
The AI Fix podcast had a piece about how someone let an AI agent do the coding for them but had a disaster because he gave it access to the production database.
Very funny.
https://theaifix.show/61-replit-panics-deletes-1m-project-ai-gets-gold-at-math-olympiad/
You don’t for the one time codes because there is a standard that is supported by many authenticator apps.