Disabling Microsoft Authenticator’s 1FA Sign-in Flow
I’ve recently noticed an increasing number of malicious sign-in attempts on my Outlook email account. The interesting bit is that I received a prompt on my Microsoft Authenticator, which I denied. Traditionally, that would probably mean that the malicious actor has gotten my credentials correctly…
... but when I tested this myself, I was able to replicate a login without using a password on different devices, both trusted and untrusted, on different IP addresses.
You might think that I’ve had “passwordless” turned on, but I haven’t. My Authenticator has also been set up in “verification” mode rather than as a “sign-in” mechanism.
Apparently, on my Authenticator, it’s set up as “Passwordless sign-in enabled” by default, which is inconsistent with what I see on the platform. I tried to disable that, but the flow just brought me through loops without a means to do so (I didn’t have the “Disable phone sign-in” option).
Why would I want to add an Authenticator, only to step back to 1FA?
As I temporarily unlinked my Authenticator, I checked on the sign-in 2SV flow — great, revealing more about me than I would like.
In any case, I had to unlink the authenticator and add it back without selecting “enable phone sign-in”, following the steps laid out in this thread: https://learn.microsoft.com/en-us/answers/questions/216956/turn-off-passwordless-sign-in-on-microsoft-authent
Keeping it plain and simple.