So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It’s like a secondary virtual phone.
Wow thanks friend! Does the 2FA work in this silo?
Just like anywhere else. All it does is sandbox work apps from personal apps so they don’t talk to eachother (not even screenshots!)
This is awesome!
As long as the work profile is on.
Thanks! I just installed it.
Demand hardware tokens for authentication.
Do hardware tokens support Linux nowadays?
Depends on the type of token. The type that would be needed in this case doesn’t need a computer to use, it displays the codes on a small screen.
There are also key generators used for electronic signatures that need to be connected to the PC; those can work on Linux but it depends on whether whoever provisioned them wanted to do that. Lots of companies who issue such tokens only put the Windows stuff on them.
deleted by creator
I work in tech, and have had multiple employees claim they only have “dumb” phones for what I’m pretty sure is this exact reason. And I never blame them, just put the heat on IT to find a solution.
The ms authenticator works in ‘reverse’ in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can’t be social engineered into giving out a 2fa token. It also has a “no this wasn’t me” button to allow you to (I assume) notify IT if you are getting requests that are not you.
I don’t believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?
And the authenticator is configurable and they can enforce some device security like not rooted, bootloader locked, storage encryption is on through the Intune work profile. If you work on a bank, you don’t want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point come on you can probably afford Yubikeys).
As a user, not a fan, but as an IT department it makes complete sense.
You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.
If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.
And no, Microsoft cannot be trusted on not doing anything bad. The app is full of trackers and has an excessive list of permissions it “requires”.
For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.
Microsoft has a long track record of leaks. Just naming the 2 most prominent:
Can you claim that you don’t have a smartphone? Then they’d either have to provide an alternative authentication method, or provide you with a phone.
I’ve been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven’t looked much into the privacy aspect of it, though.
If it has Microsoft’s name on it, the privacy implications are horrendous. Guaranteed.
Don’t do that. Just say they will provide you with an authenticator paid for by them.
Not as well as Bitwarden.
≥ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.
Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.
a work appointed phone
With all the tracking that comes with it.
Not much of a privacy risk if it where used for a dedicated purpose and just left off in a drawer otherwise though. My employers pushed the notion of MS authenticator, but left the options to use regular TOTP available, just had to look a bit to find them. Even if they absolutely forced corp software though, a cheap wifi-only setup device is a viable option.
yes? use it solely for work purposes, at work, turn it off when you clock out…
your employer is not your friend.
If they want you to use a specific application they need to provide you with everything that is needed for you to run said application.
You can use Aegis and/or Yubico Authenticator instead, that’s what I do.
They said that the option to use other authenticators were disabled by their company
In my company at least, Aegis works for the first few logins, but it will keep nagging you have to switch to Microsoft’s authenticator and you’re locked out after a while.
My experience with it privately as well, and for Fido2 it says my system/browser is unsupported (Linux/Firefox) when it works on literally every other site.
You’re wasting your life trying to fight battles you don’t even understand.
Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Thanks for the input?
Is your company mandating Push Authentication or are you entering 6-digit codes?
If it’s the former, MS Authenticator is the only option.
If it’s the latter, you can use any TOTP app you like, e.g. Aegis.
Afaik, Microsoft’s OTP implementation is proprietary and not TOTP.
But also, my understanding is you can select which MFA schemes you can use, and allow SMS, MS MFA, and TOTP.
Source: employer used to allow sms, locked it down, and totp apps can’t parse the MS authenticator QR codes.
It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft’s web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don’t require internet connection.
Just ask whether they can provide a phone as well.
The whole point of MS Auth is that it tracks your location, so if you get a 2nd phone they still track you but you now carry around 2 phones.
deleted by creator
I put the stupid app on my phone.
Never use your own personal phone for work related stuff.
If they want you to use a phone-based app, ask them to help you install it, then bring in an early-2000s feature phone that boots straight from ROM, no Android or KaiOS under the hood.
As in, force the company to get you a company phone.
Never use your own personal phone for work related stuff.
As someone who does this, my main issue is now I am carrying around two phones. This is a daily annoyance for me.
My next round I think I am going to drop the work phone and use Androids profile options. Setup a work profile on my personal phone and just use that. Then just have work reimburse me for my personal phone/plan.
deleted by creator
Contact a lawyer that specialize in worker rights. If they make you use private property for work they should compensate you
deleted by creator
It doesn’t usually need to go to court if the lawyer can remind them of what laws they’re breaking
deleted by creator
What am I going to do, quit over using an app?
Why quit?
Ask them for help installing the app.
Then bring in an early-2000s flip phone with your SIM already in it, so you can prove that you are using it.
An employer cannot demand that you buy your own work tools unless it is written into the employment contract (auto mechanics, etc.). Provide them with a phone that they themselves cannot install the app on. Any early-2000s feature phone will not have an operating system with app functionality. An older but still smartphone-like BlackBerry running BBOS10 will also work in this regard, especially if you have uninstalled the Amazon App Store.
Even an Android phone whose newest possible version of Android pre-dates the oldest version that this app will install on can also work. For example, any Android phone which cannot be upgraded past Android 7 would be perfect with respect to MS Authenticator, as the current version will only install on Android 8 or newer. If you bring in a phone that has no ability to have Android 8 or later installed, your place of work will either have to exempt you or provide you with a work phone for that app.
You have solutions to keep work apps off of your personal devices, and few employers will have the legal ability to force you to buy a modern phone just for an app of their choosing. Moreover, it is your right to not have to suffer unreasonable employer demands just to have a job. That’s why worker protections exist in places where conservatives haven’t eviscerated those protections.
Act like you are a smartphone-phobe, and let them figure things out.
deleted by creator
You do what you think you need to do, buuuuuut…
I’m in a senior level engineering position.
You are already exceedingly difficult to trivially replace. It’s entry-level devs which are a dime a dozen. Senior level engineering positions are frequently open for many months because candidates in general are difficult to find, much less good candidates.
Colour me biased, but I strongly think you are significantly underselling your own power and influence. Any company worth working for isn’t going to turf a senior engineer over a $40 stipend unless their middle manglement positions are staffed with morons.
Well, it’s your calculus to make, not mine.
deleted by creator
Removed by mod
What do you have against ms authenticator?
Removed by mod
Why so negative? Maybe block posts about this.
In my case they didn’t disable the option to use any authenticator for 2FA.
So I just use another one.
I don’t see why forcing MS Authenticator will be better than any other authenticator.
The person who forces it is for sure not a security expert.
It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.
It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.
Security through obscurity is not security.
Additionally, any method that generates a code locally that needs to match the server will not be secure if you can extract the key used locally. Yes you can argue that more users makes a juicier target, but I’d argue that Microsoft has the resources spend reducing the chance of an exploit and the resources to fix it fairly quickly. Much more so than any brand new team.
The default authentication option for the company I work for is that a code is displayed in the screen of the device I’m logging into AND a push notification is sent to the Authenticator app, the app then prompts me to enter the code from authenticating device. To break that you’d need the username, password, a clone of the phone/device used to authenticate (or the original), and the user’s PIN for that device (MS Authenticator requires this to complete the authentication.)
Yes MS Authentication services do sometimes go down, and yea it can impact my ability to work
I am by no means a MS fanatic, but I’d trust them for mission critical authentication over something like Authy.
deleted by creator
How would MS Authenticator make it any better than TOTP?
To break TOTP, the attacker would need to:
a) be able to observe the initial exchange of the TOTP secrets. To do that, the attacker needs access to the victim’s computer (on user level) at that specific time they set up TOTP. TOTP is a TOFU concept and thus not designed to protect against that. However, if the attacker controls the victim’s computer at that time, the victim is screwed anyways even before setting up 2FA.
b) have access to the TOTP app’s secret storage and to the victim’s login credentials (e.g. by phishing). If the attacker can gain that level of access, they would also have access to the Microsoft Authenticator’s secret storage, so there is no benefit of the Microsoft app.
On the other hand, Microsoft Authenticator is a very huge app (>100MB is huge for an authenticator app, Aegis is just 6MB, FreeOTP+ 11MB), i.e. it brings a large attack surface, especially by connecting to the internet.
I don’t think Microsoft Authenticator brings security benefits over a clean and simple TOTP implementation.
deleted by creator
If it is just the location, then it could be spoofed.
If it is something that requires physical presence, then you need both devices to communicate with each other. If it is not done via QR code (like some online banking do), then both devices need to be connected, e.g. via WiFi or Bluetooth. In this case, if an attacker controls one of the devices (that’s the class of attacks 2FA should prevent you from), the attacker probably controls both devices. So what’s the point then?
You can just use FreeOTP
My company has the same policy
