Sending OTP before authentication / password verification
One of my old, rarely used computers still had an old password for my pyszne.pl / takeaway.com account stored in my browser's password manager. I tried to log into my account from that computer and saw a page saying that a one-time password had been sent to an email address associated with the account I was trying to use. I needed to provide this OTP before continuing.
I waited about 5 minutes until the OTP popped up in my mailbox, and after providing it I was a bit shocked to see a message that the password I had provided was incorrect. Checking this in the browser's password manager confirmed the fact.
What am I missing here? What is the reason (or possible advantage) for sending OTP only after validating user name (email address) as existing and before verifying the password?
In all the systems I have used so far, except this one, it was exactly the opposite: first try to authenticate the user / check the provided password, and only if it is correct, send the OTP to their email address.
This is certainly not normal. What it can do is protect the account from brute-force login attempts. An attacker will never know if a password is correct or not since they need the OTP from the email to be able to tell.
However, this approach has its own problems. For instance, every brute-force attempt will result in you getting an email. This can flood your account and make it difficult to log in legitimately if someone is testing your account. So the site is depending on your email service to protect your account instead of using account protections itself, and you hope that it has some protection against email floods.
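The two orderings discussed above, modelled side by side as an added example (this is not code from pyszne.pl / takeaway.com or from either poster). The account, password and mail sink are constructed, and the per-account cap on OTP emails is an assumed mitigation for the flooding problem the answer describes, not something the site is known to implement. The point it makes concrete: in the OTP-first order the server can still check the password immediately, it just withholds the result until the OTP arrives, so step 1 looks identical for right and wrong guesses while every attempt costs one email.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample credential; not from the original post.
SAMPLE_EMAIL = "user@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    pending_otp: Optional[str] = None
    pending_pw_ok: bool = False   # password result held back in otp_first mode
    otp_sends: int = 0            # OTP emails sent to this account so far

    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


@dataclass
class LoginServer:
    mode: str                     # "otp_first" (the question) or "password_first" (conventional)
    max_otp_sends: int = 3        # assumed mitigation: cap OTP emails per account
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # stand-in for the mail system

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))

    def _send_otp(self, acct: Account) -> bool:
        """Mail a fresh 6-digit OTP unless this account has hit its send cap."""
        if acct.otp_sends >= self.max_otp_sends:
            return False
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        acct.otp_sends += 1
        self.outbox.append((acct.email, acct.pending_otp))
        return True

    def login_step1(self, email: str, password: str) -> str:
        acct = self.accounts.get(email)
        if acct is None:
            return "unknown_account"
        pw_ok = acct.password_ok(password)
        if self.mode == "otp_first":
            # Verify now, reveal later: the response is the same for a right or
            # wrong password, but an email goes out for every attempt.
            acct.pending_pw_ok = pw_ok
            return "otp_required" if self._send_otp(acct) else "otp_rate_limited"
        # password_first: the password result is disclosed immediately and the
        # OTP is only mailed once the password is known to be correct.
        if not pw_ok:
            return "bad_password"
        return "otp_required" if self._send_otp(acct) else "otp_rate_limited"

    def login_step2(self, email: str, otp: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or acct.pending_otp is None:
            return "no_pending_login"
        if not hmac.compare_digest(acct.pending_otp, otp):
            return "bad_otp"
        acct.pending_otp = None
        if self.mode == "otp_first" and not acct.pending_pw_ok:
            return "bad_password"   # what the asker saw, only after waiting for the mail
        return "logged_in"


def compare_flows(guesses):
    """Run the same password guesses against both orderings; return
    (step-1 responses, number of emails sent) per mode."""
    summary = {}
    for mode in ("otp_first", "password_first"):
        srv = LoginServer(mode, max_otp_sends=len(guesses) + 1)
        srv.register(SAMPLE_EMAIL, SAMPLE_PASSWORD)
        responses = [srv.login_step1(SAMPLE_EMAIL, g) for g in guesses]
        summary[mode] = (responses, len(srv.outbox))
    return summary


if __name__ == "__main__":
    for mode, (resp, mails) in compare_flows(["wrong1", "wrong2", SAMPLE_PASSWORD]).items():
        print(f"{mode:15s} responses={resp} emails_sent={mails}")
```

Running it shows the trade-off directly: `otp_first` answers `otp_required` three times and sends three emails, so the responses carry no information about which guess was right; `password_first` answers `bad_password`, `bad_password`, `otp_required` and sends a single email. The `max_otp_sends` cap is the server-side protection the answer says the site appears to be delegating to your mail provider.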