So, I’ve often wondered why MFA would not require the auth key to be entered at the same time as the password. While the auth key certainly prohibits access, it does nothing to prevent dictionary or brute-force attacks.
In any case where auths can be tested, you know you’ve got a valid set of credentials when you get prompted for an auth key. The first thing I’d be doing as that black hat is taking those credentials to their email provider’s website.
If an auth key were required with the username and password, the right set of credentials would never be disclosed.
To account for not all accounts using MFA, the MFA field would simply be optional. If you have MFA enabled, you’d better fill it in (which, of course, would be indicated as such on the Eve Login screens). The same would apply to “do not ask from this computer”.