This isn't the "new thing to worry about" being emphasized, but:
> You chose to use a “sign in with <service>” login when you had to create an account, and it sent you through a realistic-looking login flow: a real-seeming Google/iCloud page, perhaps with your email already filled in. When you logged in to this site they used your entered password and subsequent “tap yes on your device” 2FA flow to log in to your account on their end (saving the session cookies), and made it look like a successful login on your end.
The security-hygiene rule to prevent this (which, alas, requires consistency and paranoia) is that passwords may only be entered into Google/iCloud/etc. when you directly visit the provider's site.
Once you know your browser is authenticated to the SSO provider, you reload the target page (e.g. the NDA signing platform) and expect that you will never need to enter a password again.
Terr_•28m ago
> You chose to use a “sign in with <service>” login when you had to create an account, and it sent you through a realistic-looking login flow: a real-seeming Google/iCloud page, perhaps with your email already filled in. When you logged in to this site they used your entered password and subsequent “tap yes on your device” 2FA flow to log in to your account on their end (saving the session cookies), and made it look like a successful login on your end.
The security-hygiene rule to prevent this (which, alas, requires consistency and paranoia) is that passwords may only be entered into Google/iCloud/etc. when you directly visit the provider's site.
Once you know your browser is authenticated to the SSO provider, you reload the target page (e.g. the NDA signing platform) and expect that you will never need to enter a password again.