Hi, I just received a text from BT saying I changed my BT ID password but I didn’t do it and nobody else (that I know of) has access to my account. I tried to log in and it failed, so the text was genuine. I didn’t tap the link in the text just to be safe.
I’ve just changed the password myself and was sent a 2FA code by text message. I haven’t received any other codes before this so how was someone able to change my password without the 2FA code and without me receiving one? Doesn’t that defeat the purpose of 2FA?
I think that if the password etc. is changed using a "trusted" device it does not send out a 2FA code.
Apparently BT also have a new authentication platform which is risk-based and uses several factors to decide when to make a 2FA prompt. For security reasons BT will not reveal the risk-based factors that are used, but if the platform detects the required level of risk then a 2FA prompt will be made.
It may be that in your case it was thought not to be necessary.