So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  •  xavier666   ( @xavier666@lemm.ee )
    32 · 5 months ago

    Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It’s like a secondary virtual phone.

      • Depends on the type of token. The type that would be needed in this case doesn’t need a computer to use, it displays the codes on a small screen.

        There are also key generators used for electronic signatures that need to be connected to the PC; those can work on Linux but it depends on whether whoever provisioned them wanted to do that. Lots of companies who issue such tokens only put the Windows stuff on them.

  • You cannot be forced to give your employer access to your property, so just say that you cannot install it on your phone. Make sure you say that it isn’t possible. You don’t have to make it sound voluntary. You can just say “I cannot install this on my phone”. Even if the reason is because you refuse to install it, it doesn’t matter, that’s your call to make with your own property.

    Your employer will either need to find another solution that you can use, or they will need to issue you a company phone so that you can use the mobile software they require you to use.

    • I work in tech, and have had multiple employees claim they only have “dumb” phones for what I’m pretty sure is this exact reason. And I never blame them, just put the heat on IT to find a solution.

  •  Nighed   ( @Nighed@sffa.community )
    20 · 5 months ago

    The ms authenticator works in ‘reverse’ in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can’t be social engineered into giving out a 2fa token. It also has a “no this wasn’t me” button to allow you to (I assume) notify IT if you are getting requests that are not you.

    I don’t believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?

    • And the authenticator is configurable and they can enforce some device security like not rooted, bootloader locked, storage encryption is on through the Intune work profile. If you work on a bank, you don’t want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point come on you can probably afford Yubikeys).

      As a user, not a fan, but as an IT department it makes complete sense.

      • You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.

    • If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.

      And no, Microsoft cannot be trusted not to do anything bad. The app is full of trackers and has an excessive list of permissions it “requires”.

      For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.

      Microsoft has a long track record of leaks. Just naming the 2 most prominent:

      1. Microsoft Edge leaks every single URL to Microsoft servers (source)
      2. There are lots of reports that Microsoft had their general key stolen and did not even notify anyone for months. It is unclear who had access to that key. This is putting anyone at risk who uses any Microsoft product. (See for example here)

  •  neidu2   ( @neidu2@feddit.nl )
    19 · 5 months ago (edited)

    Can you claim that you don’t have a smartphone? Then they’d either have to provide an alternative authentication method, or provide you with a phone.

    I’ve been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven’t looked much into the privacy aspect of it, though.

  • > and force Microsoft Authenticator on the (private) phones of both employees and volunteers.

    Refuse to use the service until they provide you with a work appointed phone. Volunteers admittedly have a more difficult time with that, but as someone else said you can indeed do text/call options.

    • Afaik, Microsoft’s OTP implementation is proprietary and not TOTP.

      But also, my understanding is you can select which MFA schemes you can use, and allow SMS, MS MFA, and TOTP.

      Source: employer used to allow sms, locked it down, and totp apps can’t parse the MS authenticator QR codes.

    • It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft’s web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don’t require internet connection.
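
To make the “if it is just TOTP, any app works” point from the two replies above concrete, here is an added example (my code, not anything posted in the thread or shipped by Microsoft). A standard enrollment QR code encodes an `otpauth://totp/...` URI; the code any RFC 6238 app displays is a pure function of the shared secret and the current time, so which app you scan it with does not matter. The sample URI, the “Example Org” issuer and the account name are constructed for the example; the secret is the RFC 6238 test key `12345678901234567890` in base32, and the expected codes are the RFC's own test vectors. A QR payload that is not an `otpauth://` URI is rejected by the parser, which is exactly why a generic TOTP app “can't parse” a vendor-specific enrollment.

```python
"""RFC 6238 TOTP from an otpauth:// enrollment URI (added example, not from the thread)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment URI: issuer and account are made up, the secret
# is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example%20Org:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Org"
              "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Return the TOTP parameters of an otpauth://totp/ URI, or raise ValueError.

    Anything that is not a standard otpauth URI (e.g. a vendor-specific QR
    payload) is rejected here, which is why a generic app cannot enroll it.
    """
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}  # parse_qs already percent-decodes
    if "secret" not in q:
        raise ValueError("otpauth URI without secret")
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def totp(secret_b32, timestamp, digits=6, period=30, algorithm="SHA1"):
    """HOTP(K, floor(T / period)) truncated to `digits` decimal digits (RFC 4226 / 6238)."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)          # tolerate unpadded base32
    key = base64.b32decode(padded)
    counter = int(timestamp) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(params, submitted, timestamp, window=1):
    """Server-side check: accept the current step and `window` steps either side
    (clock skew), comparing in constant time."""
    for step in range(-window, window + 1):
        candidate = totp(params["secret"], timestamp + step * params["period"],
                         params["digits"], params["period"], params["algorithm"])
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def code_from_uri(uri, timestamp=None):
    """What any RFC-compliant app shows for this enrollment at `timestamp`."""
    params = parse_otpauth(uri)
    if timestamp is None:
        timestamp = time.time()
    return totp(params["secret"], timestamp, params["digits"], params["period"], params["algorithm"])


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], code_from_uri(SAMPLE_URI))
```

Point the parser at the URI decoded from your own enrollment QR code: if it parses, Aegis or FreeOTP+ will produce the same six digits as any other app; if it raises, the enrollment is not plain TOTP and the tenant is using something the RFC does not cover.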

  • In my case they didn’t disable the option to use any authenticator for 2FA.

    So I just use another one.

    I don’t see why forcing MS Authenticator will be better than any other authenticator.

    The person who forces it is for sure not a security expert.

    It will be easier for hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

    • > It will be easier for hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

      Security through obscurity is not security.

      Additionally, any method that generates a code locally that needs to match the server will not be secure if you can extract the key used locally. Yes, you can argue that more users makes a juicier target, but I’d argue that Microsoft has the resources to spend on reducing the chance of an exploit and the resources to fix it fairly quickly. Much more so than any brand new team.

      The default authentication option for the company I work for is that a code is displayed on the screen of the device I’m logging into AND a push notification is sent to the Authenticator app; the app then prompts me to enter the code from the authenticating device. To break that you’d need the username, password, a clone of the phone/device used to authenticate (or the original), and the user’s PIN for that device (MS Authenticator requires this to complete the authentication).

      Yes, MS Authentication services do sometimes go down, and yes, it can impact my ability to work.

      I am by no means a MS fanatic, but I’d trust them for mission critical authentication over something like Authy.
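
The “reverse” flow described in Nighed's post (you type the number from the login screen into the phone, and there is a “this wasn't me” button) and the threat model in the comment above are worth seeing as a protocol rather than a description. The following is an added simulation of number-matching push MFA, my own code and not Microsoft's implementation or anything posted in the thread. It assumes a per-device key that a registered app uses to sign its answers (standing in for whatever device-bound credential a real authenticator holds), an app unlock PIN, a two-digit number shown only on the login screen, and a push that carries the challenge id but not the number. The user and device names are constructed.

```python
"""Simulation of number-matching push MFA (added example, not from the thread)."""
import hashlib
import hmac
import secrets


class Device:
    """The authenticator app: a device-bound key plus an unlock PIN (both assumed)."""

    def __init__(self, device_id, key, pin):
        self.device_id = device_id
        self._key = key
        self._pin = pin

    def respond(self, challenge_id, pin, number=None, approve=True):
        """Approve with the number read off the login screen, or deny ("not me").
        Without the correct PIN the app does nothing."""
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        decision = "approve" if approve else "deny"
        payload = f"{self.device_id}|{challenge_id}|{decision}|{number}".encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "challenge_id": challenge_id,
                "decision": decision, "number": number, "tag": tag}


class AuthServer:
    """Identity provider side: challenges, device registry, 'not me' reports."""

    def __init__(self):
        self.devices = {}     # user -> (device_id, device key)
        self.challenges = {}  # challenge_id -> {user, number, status}
        self.reports = []     # users who pressed "this wasn't me" (for IT to look at)

    def register(self, user, device):
        self.devices[user] = (device.device_id, device._key)

    def start_login(self, user, password_ok):
        """Password step passed: mint a challenge and a number for the login
        screen. Only the challenge id is pushed to the phone, never the number."""
        if not password_ok or user not in self.devices:
            return None
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self.challenges[cid] = {"user": user, "number": number, "status": "pending"}
        return cid, number

    def verify(self, resp):
        if resp is None:
            return "no-response"
        ch = self.challenges.get(resp["challenge_id"])
        if ch is None or ch["status"] != "pending":
            return "rejected"  # unknown, replayed or already-decided challenge
        device_id, key = self.devices[ch["user"]]
        if resp["device_id"] != device_id:
            return "rejected"  # not the registered device
        payload = f"{resp['device_id']}|{resp['challenge_id']}|{resp['decision']}|{resp['number']}".encode()
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), resp["tag"]):
            return "rejected"  # forged, or a clone that lacks the device key
        if resp["decision"] == "deny":
            ch["status"] = "denied"
            self.reports.append(ch["user"])
            return "denied"
        if resp["number"] != ch["number"]:
            ch["status"] = "failed"  # the user never saw the attacker's screen
            return "failed"
        ch["status"] = "approved"
        return "approved"


def setup():
    device = Device("phone-1", secrets.token_bytes(32), "1234")  # constructed
    server = AuthServer()
    server.register("alice", device)
    return server, device


def legitimate_login(server, device):
    cid, number = server.start_login("alice", password_ok=True)
    # The user reads the number from their own screen and types it into the app.
    return server.verify(device.respond(cid, pin="1234", number=number))


def attacker_with_password(server, device, user_types=None):
    """Attacker knows the password, so the number appears on the attacker's screen.
    The user gets an unexpected push and either hits 'not me' or types a guess."""
    cid, attacker_number = server.start_login("alice", password_ok=True)
    if user_types is None:
        return server.verify(device.respond(cid, pin="1234", approve=False))
    return server.verify(device.respond(cid, pin="1234", number=user_types(attacker_number)))


def cloned_phone_without_key(server):
    """Attacker copied the app data and knows the PIN, but not the device-bound key."""
    clone = Device("phone-1", secrets.token_bytes(32), "1234")
    cid, number = server.start_login("alice", password_ok=True)
    return server.verify(clone.respond(cid, pin="1234", number=number))
```

The two things the simulation makes visible: a plain “approve” button would let a phished password through the moment a tired user taps it, whereas here the user has to type a number that only the attacker's screen shows; and the deny path produces a record an IT team can act on, which is what the “this wasn't me” button is for.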

  • Grab the Shelter app from F-Droid, add the Play Store in Shelter, move over to the work side Play Store and install the authenticator.

    Pause your work apps except for when you need to use the authenticator.

    Prosper???