So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It’s like a secondary virtual phone.
Wow thanks friend! Does the 2FA work in this silo?
Just like anywhere else. All it does is sandbox work apps from personal apps so they don’t talk to eachother (not even screenshots!)
This is awesome!
As long as the work profile is on.
Thanks! I just installed it.
Demand hardware tokens for authentication.
Do hardware tokens support Linux nowadays?
Depends on the type of token. The type that would be needed in this case doesn’t need a computer to use, it displays the codes on a small screen.
There are also key generators used for electronic signatures that need to be connected to the PC; those can work on Linux but it depends on whether whoever provisioned them wanted to do that. Lots of companies who issue such tokens only put the Windows stuff on them.
You cannot be forced to give your employer access to your property, so just say that you cannot install it on your phone. Make sure you say that it isn’t possible. You don’t have to make it sound voluntary. You can just say “I cannot install this on my phone”. Even if the reason is because you refuse to install it, it doesn’t matter, that’s your call to make with your own property.
Your employer will either need to find another solution that you can use, or they will need to issue you a company phone so that you can use the mobile software they require you to use.
I work in tech, and have had multiple employees claim they only have “dumb” phones for what I’m pretty sure is this exact reason. And I never blame them, just put the heat on IT to find a solution.
The ms authenticator works in ‘reverse’ in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can’t be social engineered into giving out a 2fa token. It also has a “no this wasn’t me” button to allow you to (I assume) notify IT if you are getting requests that are not you.
I don’t believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?
And the authenticator is configurable and they can enforce some device security like not rooted, bootloader locked, storage encryption is on through the Intune work profile. If you work on a bank, you don’t want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point come on you can probably afford Yubikeys).
As a user, not a fan, but as an IT department it makes complete sense.
You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.
If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.
And no, Microsoft cannot be trusted on not doing anything bad. The app is full of trackers and has an excessive list of permissions it “requires”.
For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.
Microsoft has a long track record of leaks. Just naming the 2 most prominent:
Can you claim that you don’t have a smartphone? Then they’d either have to provide an alternative authentication method, or provide you with a phone.
I’ve been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven’t looked much into the privacy aspect of it, though.
If it has Microsoft’s name on it, the privacy implications are horrendous. Guaranteed.
Don’t do that. Just say they will provide you with an authenticator paid for by them.
Not as well as Bitwarden.
≥ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.
Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.
a work appointed phone
With all the tracking that comes with it.
Not much of a privacy risk if it where used for a dedicated purpose and just left off in a drawer otherwise though. My employers pushed the notion of MS authenticator, but left the options to use regular TOTP available, just had to look a bit to find them. Even if they absolutely forced corp software though, a cheap wifi-only setup device is a viable option.
yes? use it solely for work purposes, at work, turn it off when you clock out…
your employer is not your friend.
If they want you to use a specific application they need to provide you with everything that is needed for you to run said application.
You can use Aegis and/or Yubico Authenticator instead, that’s what I do.
They said that the option to use other authenticators were disabled by their company
In my company at least, Aegis works for the first few logins, but it will keep nagging you have to switch to Microsoft’s authenticator and you’re locked out after a while.
My experience with it privately as well, and for Fido2 it says my system/browser is unsupported (Linux/Firefox) when it works on literally every other site.
You’re wasting your life trying to fight battles you don’t even understand.
Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Thanks for the input?
Is your company mandating Push Authentication or are you entering 6-digit codes?
If it’s the former, MS Authenticator is the only option.
If it’s the latter, you can use any TOTP app you like, e.g. Aegis.
Afaik, Microsoft’s OTP implementation is proprietary and not TOTP.
But also, my understanding is you can select which MFA schemes you can use, and allow SMS, MS MFA, and TOTP.
Source: employer used to allow sms, locked it down, and totp apps can’t parse the MS authenticator QR codes.
It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft’s web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don’t require internet connection.
Just ask whether they can provide a phone as well.
The whole point of MS Auth is that it tracks your location, so if you get a 2nd phone they still track you but you now carry around 2 phones.
Everyone at my job who refused this and caused a huge stink are the ones that are seemingly not around about a year and half later. Not saying you aren’t right or anything but I put the stupid app on my phone.
I put the stupid app on my phone.
Never use your own personal phone for work related stuff.
If they want you to use a phone-based app, ask them to help you install it, then bring in an early-2000s feature phone that boots straight from ROM, no Android or KaiOS under the hood.
As in, force the company to get you a company phone.
Never use your own personal phone for work related stuff.
As someone who does this, my main issue is now I am carrying around two phones. This is a daily annoyance for me.
My next round I think I am going to drop the work phone and use Androids profile options. Setup a work profile on my personal phone and just use that. Then just have work reimburse me for my personal phone/plan.
I have no union and no leverage, they said no. What am I going to do, quit over using an app? My job pays my bills and I don’t have another one lined up, this isn’t the hill I’d die on.
What am I going to do, quit over using an app?
Why quit?
Ask them for help installing the app.
Then bring in an early-2000s flip phone with your SIM already in it, so you can prove that you are using it.
An employer cannot demand that you buy your own work tools unless it is written into the employment contract (auto mechanics, etc.). Provide them with a phone that they themselves cannot install the app on. Any early-2000s feature phone will not have an operating system with app functionality. An older but still smartphone-like BlackBerry running BBOS10 will also work in this regard, especially if you have uninstalled the Amazon App Store.
Even an Android phone whose newest possible version of Android pre-dates the oldest version that this app will install on can also work. For example, any Android phone which cannot be upgraded past Android 7 would be perfect with respect to MS Authenticator, as the current version will only install on Android 8 or newer. If you bring in a phone that has no ability to have Android 8 or later installed, your place of work will either have to exempt you or provide you with a work phone for that app.
You have solutions to keep work apps off of your personal devices, and few employers will have the legal ability to force you to buy a modern phone just for an app of their choosing. Moreover, it is your right to not have to suffer unreasonable employer demands just to have a job. That’s why worker protections exist in places where conservatives haven’t eviscerated those protections.
Act like you are a smartphone-phobe, and let them figure things out.
Yeah, again I never said you were wrong, just not the hill I’d die on for 40 dollars worth of compensation, If I were going to agitate and apply pressure at work it would be for a significant compensation boost to the tune of tens of thousands of dollars. This won’t work for me as I’m in an senior level engineering position.
You do what you think you need to do, buuuuuut…
I’m in a senior level engineering position.
You are already exceedingly difficult to trivially replace. It’s entry-level devs which are a dime a dozen. Senior level engineering positions are frequently open for many months because candidates in general are difficult to find, much less good candidates.
Colour me biased, but I strongly think you are significantly underselling your own power and influence. Any company worth working for isn’t going to turf a senior engineer over a $40 stipend unless their middle manglement positions are staffed with morons.
Well, it’s your calculus to make, not mine.
Management is absolutely filled with morons, otherwise they wouldn’t be in management, they would be in engineering doing something worthwhile. So this literally happened. We used to get stipends and we moved to a new PEO (outsourced HR) and no longer do. Many people complained about it and we were told tough luck. We have to use the MS Authenticator App. True story: last year a lot of people started complaining and agitating and talking about the app and other things that disappeared and they did a disappearing act too in layoffs because sales were down last year.
The sales this year are in the toilet, I’m probably getting a raise this year but half the people at the company probably aren’t. I’m not going to start pushing around my weight and seniority over 40 dollars. I would do that over the minimum 11% raise I need this year to cover inflation instead. I do not live in a place with worker protections, I am a resident in the US in a state that allows employers to fire you with no cause (at-will) and union bust (right-to-work). My salary is way higher than an equivalent in other countries so for now this pays the bills and I’m incentivized to hold on to this at least until I know I have another opportunity or contract. Right now I don’t so I’m not going to be worrying about using my phone for work. Who fucking cares lol.
Contact a lawyer that specialize in worker rights. If they make you use private property for work they should compensate you
You don’t live in reality if you think anyone is going to retain a labor lawyer and sue their employer over using an authenticator app without a phone stipend.
It doesn’t usually need to go to court if the lawyer can remind them of what laws they’re breaking
I’ve worked in the US for over 20 years and can’t imagine a single case where your plan would actually work without being retaliated against and fired a year or so later. I’m in both an at-will and right-to-work state. Again, if I were going to die on a hill and start an action against my employer that includes lawyers and risk losing everything, it would be for much higher compensation than 40 dollars a month.
You can say no, and if they won’t budge buy a cheap old phone off Swappa or craigslist or marketplace for $20 install Ms authenticstor on it and leave it at your desk.
- Juno ( @Juno@beehaw.org ) 1•21 days ago
What do you have against ms authenticator?
It’s proprietary closed source software, and if it’s mandated to run on your device, it could be collecting a lot of telemetry that is not in your best interest.
It increases your security risk surface, more software to be made secure and update etc it’s an extra burden
- Juno ( @Juno@beehaw.org ) 1•21 days ago
Why so negative? Maybe block posts about this.
In my case they didn’t disable the option to use any authenticator for 2FA.
So I just use another one.
I don’t see why forcing MS Authenticator will be better than any other authenticator.
The person who forces it is for sure not a security expert.
It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.
It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.
Security through obscurity is not security.
Additionally, any method that generates a code locally that needs to match the server will not be secure if you can extract the key used locally. Yes you can argue that more users makes a juicier target, but I’d argue that Microsoft has the resources spend reducing the chance of an exploit and the resources to fix it fairly quickly. Much more so than any brand new team.
The default authentication option for the company I work for is that a code is displayed in the screen of the device I’m logging into AND a push notification is sent to the Authenticator app, the app then prompts me to enter the code from authenticating device. To break that you’d need the username, password, a clone of the phone/device used to authenticate (or the original), and the user’s PIN for that device (MS Authenticator requires this to complete the authentication.)
Yes MS Authentication services do sometimes go down, and yea it can impact my ability to work
I am by no means a MS fanatic, but I’d trust them for mission critical authentication over something like Authy.
Grab the shelter app from f Droid, add the Play store in shelter, move over to the work side Play store and install the authenticator.
Pause your work apps except for when you need to use the authenticator.
Prosper???
Alternatively, in a similar fashion. Use “hail” to auto pause any app you want so they don’t run in the background unintended.