Hacker News

I suppose, but if I already entered the code from my authenticator app is having me click on an email going to make it more secure? If they have my authenticator app then they've already totally owned me anyway.

Sending an email as a notification would serve the same purpose.



> is having me click on an email going to make it more secure?

We implemented this at Mercury recently to stop phishing attacks, and I believe Coinbase implemented it for the same reason [1].

TOTP authenticators are super ineffective at combating phishing. If a user is willing to give their email and password to a phishing site, there's very little standing in the way of them also providing their TOTP code.

WebAuthn solves this by working with the browser to tie authentication to a particular domain, but not everyone has a WebAuthn authenticator yet.

Meanwhile, email verification links are a really simple and effective way to shut down these phishing attacks. The phisher can't click the links, because they don't have access to the user's email. The user can't click the links on behalf of the phisher, because clicking the link only verifies the device that clicks the link.

1. https://www.reddit.com/r/Bitcoin/comments/2rp9o4/beware_coin...
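The device-bound verification flow this comment describes, as an added example in Python. This is not Mercury's or Coinbase's code; the class and function names, the device identifiers (standing in for a per-browser cookie) and the phishing walkthrough are all constructed for illustration. The point it makes concrete is the last sentence of the comment: following the link trusts only the browser that follows it, so a phisher who relayed the victim's password and TOTP from their own browser is left with an unverified device, and a link opened on a different device than the one that attempted the login is a signal worth alerting on.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class PendingLogin:
    user: str
    origin_device: str   # browser that passed password + TOTP and triggered the email


class DeviceVerifier:
    """Tracks trusted (user, device) pairs and outstanding verification links.

    Hypothetical service used for illustration; a real deployment would persist
    this state and expire pending links.
    """

    def __init__(self) -> None:
        self.pending: Dict[str, PendingLogin] = {}        # keyed by SHA-256 of the token
        self.trusted: Set[Tuple[str, str]] = set()        # (user, device_id)

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a digest so a leaked datastore does not hand out usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def begin_login(self, user: str, device_id: str) -> Optional[str]:
        """Call after password and TOTP both succeed.

        Returns the token to embed in the email link, or None when the device is
        already trusted and no email is needed.
        """
        if (user, device_id) in self.trusted:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = PendingLogin(user, device_id)
        return token   # in practice sent only to the user's already-verified email address

    def follow_link(self, token: str, clicking_device: str) -> Optional[Tuple[str, bool]]:
        """Call when a browser opens the link. Only that browser becomes trusted.

        Returns (user, origin_matches), or None for an unknown or already-used
        token. origin_matches is False when the link was opened on a different
        device than the one that attempted the login, which is what a relayed
        phishing login looks like and is a reasonable trigger for an alert.
        """
        entry = self.pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return None
        self.trusted.add((entry.user, clicking_device))
        return entry.user, entry.origin_device == clicking_device

    def is_trusted(self, user: str, device_id: str) -> bool:
        return (user, device_id) in self.trusted


def phishing_scenario() -> Dict[str, bool]:
    """Constructed walkthrough: the victim types password + TOTP into a phishing
    page, the phisher relays them from their own browser, and the victim then
    opens the verification email on their own laptop."""
    verifier = DeviceVerifier()
    token = verifier.begin_login("alice", device_id="phisher-browser")
    assert token is not None                      # new device, so an email goes out
    result = verifier.follow_link(token, clicking_device="alice-laptop")
    return {
        "phisher_trusted": verifier.is_trusted("alice", "phisher-browser"),
        "alice_trusted": verifier.is_trusted("alice", "alice-laptop"),
        "origin_matches": result is not None and result[1],
        # the phisher cannot reuse the link even if they somehow learn the token
        "token_replayable": verifier.follow_link(token, "phisher-browser") is not None,
    }


if __name__ == "__main__":
    print(phishing_scenario())
```

The email itself never reaches the phisher, so in the modelled attack the only browser that can open the link is the victim's own; the `origin_matches` flag captures the mismatch between the device that started the login and the device that confirmed it, which is the detection hook a defender would want to log.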


Well put


> If a user is willing to give their email and password to a phishing site...

> The phisher can't click the links, because they don't have access to the user's email.

Something here doesn't add up.


A phisher can have access to a victim's email address without having access to their emails.


Oh, I hadn't read that as merely having the e-mail address and password to the site, but having the password to the e-mail account. I get it now. Though, it still irks me that we are now up to 3-factor authentication--password, TOTP, and e-mail--under the premise that the user is too dumb to secure 2 factors, and yet somehow is smart enough to secure the third one.


> If they have my authenticator app then they've already totally owned me anyway.

Seems like that is the problem they're trying to improve by using 3FA instead of 2FA.



