While we're on the subject - how do those authenticator apps work on phones?

When I log in to LastPass from my computer I have the option of using their authenticator app that is on my phone, but as near as I can tell it only means I have access to my phone.

I only log into social media on my phone, everything else is done on my desktop computer, and I always use 2FA. I don't see the purpose of an authenticator when 2FA works so well.

Agree what Masraum posted above. Sounds like your cousin had their email hacked into. Likely from a weak password or clicking on a scam link, etc.
You can get some pointers here on checking headers:
https://www.spamtacular.com/2024/05/28/your-quick-guide-to-comcast-email-headers/
https://www.xfinity.com/support/articles/view-email-headers

Those will show where the email was sent from and the routing. You can get some help from local IT shop maybe, and then run a tracer route to show how it was really sent. Depending on the country and IP provider, you could report it as spam/phishing email and they might help shut it down. But if your cousins email and password was compromised, they need to get hold of their provider and work out setting up new password, with authentication, and maybe new mail account.

Haven't talked with the hacked cousin, but my other cousin called her. Our daughter has some pretty impressive computer skills, and we have no worries letting her into our 'puter. Cindy just got off skype with our daughter, who assures us all is okay on our end. Big relief to me, for sure.

If you want to get 'paranoid' or just merely see what your computer is doing with outgoing data:
Wireshark network monitoring is free.

Results not guaranteed. Their website uses google javascript. The biggest monopoly surveillance platform in this country.

Others: (unknown to me website) https://www.techrepublic.com/article/network-monitoring-software/

^ So, it's kind of like car theft? If the prize is valuable enough, and the pros want it badly enough, they're going to succeed?

Muggers will attack for a Rolex, but probably not for a Timex.

Stuff on my computer is a Timex.

If the pool forums aren't broken by now .... yer probably safe Paul!

Patrick .... 2FA is good enough for me ... just a chrome browser and my phone ... both in my hand... in my comfort zone.... no mas.

LOL! Lots of skilled guys on a pool forum...but not too many computer skills. ;)

Authenticator apps work by generating a number based on the time. The number sequence is unique to your application. Their advantage over email or phone authentication is that it only works on the phone you originally installed it on. If someone sim swaps your phone, they still can't get in, because you still have the phone the app was installed on.

But, if someone gets the seed number for an authenticator app, they can get in. See the recent Beyond Trust hack of the Treasury.

We use Beyond Trust at work, but I haven't been to work since Dec 19, so I don't know if we have any fallout from it or not. We use it for vendor access, not our own people.

I haven't had an RSA security fob (PW changes every minute) for 16 years now ... where did the time go ;)?

Plain ol' 2FA on my phone is "gud enuf" for this young coot .... now.

I’ve been trying to set up a new work email account and it’s been an exercise in frustration, using the Authenticator app. I get a six digit code, good for 30 seconds, but have no idea what to do with it.

The usual deal for that sort of 2FA is as follows.

1. Configure a system to require 2FA using a particular authenticator

(If your bank supports google authenticator, then you can use that. If you have a brokerage account with someone else that does NOT support google authenticator, then you can't use it for your brokerage account) Most of the time you can enable 2FA, and then they have a couple of options on how, the most common is a text message to your cell or an email to your email address and some (not a ton) have one authenticator app or another, but those aren't IME widely supported.

2. download your 2FA and set it up
3. Login to the system where you enabled 2FA via authenticator via usual username and password.
4. Following #3 above, the website should then ask for your authenticator number. Enter the number.

After messing with it for about 30 minutes today, I somehow got it fixed and was able to set up the new email account.

What I’d like to do now is, add it to the Mail app on my iPhone. As it is right now, I have outlook for one work email and the iPhone Mail app for three other email addresses.

With the Mail app, all of your emails go into one inbox. Easy peasy