Account Security - MFA

So, I’ve often wondered why MFA would not require the auth key to be inputted at the same time as the password. While the auth key certainly prohibits access, it also does nothing to prevent dictionary or brute force attacks.

In any case where auths can be tested, you know you got a valid set of credentials when you get prompted for an auth key. First thing I’d be doing as that blackhat is taking those credentials to their email provider’s website.

If an auth key were required with the username and password, the right set of credentials would never be disclosed.

To account for not all accounts using MFA, the MFA field is simply optional. If you have MFA enabled, you’d better be filling it in (which of course would be indicated as such on Eve Login screens). Would also apply for “do not ask from this computer”.

That would certainly be a sensible combination.

It needs to be input afterwards because the server needs to know who to authenticate?

Do you not supply a username when you log in?

Yes, but how does the server know who to send the auth code to if you have not provided the credentials first?

The auth code comes from your auth app of choice. Assuming you tell it to send you a code either by email or txt, you still need to have access to those other mediums to retrieve the temp code.

A username will provide all the identity information needed for the server to continue.

Arguably if someone is checking that box every time they mean to dictionary attack your account, they’ve just given you the best warning possible that you need to become hypervigilant.