Can I refuse MS Authenticator?

Martin@lemmy.ml to Asklemmy@lemmy.ml – 208 points –

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

263

I work in cybersecurity for a large company, which also uses the MS Authenticator app on personal phones (I have it on mine). I do get the whole "Microsoft bad" knee-jerk reaction. I'm typing this from my personal system, running Arch Linux after accepting the difficulties of gaming on Linux because I sure as fuck don't want to deal with Microsoft's crap in Windows 11. That said, I think you're picking the wrong hill to die on here.

In this day and age, Two Factor Authentication (2FA) is part of Security 101. So, you're going to be asked to do something to have 2FA working on your account. And oddly enough, one of the reasons that the company is asking you to install it on your own phone is that many people really hate fiddling with multiple phones (that's the real alternative). There was a time, not all that long ago, where people were screaming for more BYOD. Now that it can be done reasonably securely, companies have gone "all in" on it. It's much cheaper and easier than a lot of the alternatives. I'd love to convince my company to switch over to Yubikeys or the like. As good as push authentication is, it is still vulnerable to social engineering and notification exhaustion attacks. But, like everything in security, it's a trade off between convenience, cost and security. So, that higher level of security is only used for accessing secure enclaves where highly sensitive data is kept.

As for the "why do they pick only this app", it's likely some combination of picking a perceived more secure option and "picking the easiest path". For all the shit Microsoft gets (and they deserve a lot of it), the authenticator app is actually one of the better things they have done. SMS and apps like Duo or other Time based One Time Password (TOTP) solutions, can be ok for 2FA. But, they have a well known weakness around social engineering. And while Microsoft's "type this number" system is only marginally better, it creates one more hurdle for the attacker to get over with the user. As a network defender, the biggest vulnerability we deal with is the interface between the chair and the keyboard. The network would be so much more secure if I could just get rid of all the damned users. But, management insists on letting people actually use their computers, so we need to find a balance where users have as many chances as is practical to remember us saying "IT will never ask you to do this!" And that extra step of typing in the number from the screen is putting one more roadblock in the way of people just blinding giving up their credentials. It's a more active thing for the user to do and may mean they turn their critical thinking skills on just long enough to stop the attack. I will agree that this is a dubious justification, but network defenders really are in a state of throwing anything they can at this problem.

Along with that extra security step, there's probably a bit of laziness involved in picking the Microsoft option. Your company picked O365 for productivity software. While yes, "Microsoft bad" the fact is they won the productivity suite war long, long ago. Management won't give a shit about some sort of ideological rejection of Microsoft. As much as some groups may dislike it, the world runs on Microsoft Office. And Microsoft is the king of making IT's job a lot easier if IT just picks "the Microsoft way". This is at the heart of Extend, Embrace, Extinguish. Once a company picks Microsoft for anything, it becomes much easier to just pick Microsoft for everything. While I haven't personally set up O365 authentication, I'm willing to bet that this is also the case here. Microsoft wants IT teams to pick Microsoft and will make their UIs even worse for IT teams trying to pick "not Microsoft". From the perspective of IT, you wanting to do something else creates extra work for them. If your justification is "Microsoft bad", they are going to tell you to go get fucked. Sure, some of them might agree with you. I spent more than a decade as a Windows sysadmin and even I hate Microsoft. But being asked to stand up and support a whole bunch because of shit for one user's unwillingness to use a Microsoft app, that's gonna be a "no". You're going to need a real business justification to go with that.

That takes us to the privacy question. And I'll admit I don't have solid answers here. On Android, the app asks for permissions to "Camera", "Files and Media" and "Location". I personally have all three of these set to "Do Not Allow". I've not had any issues with the authentication working; so, I suspect none of these permissions are actually required. I have no idea what the iOS version of the app requires. So, YMMV. With no other permissions, the ability of the app to spy on me is pretty limited. Sure, it might have some sooper sekret squirrel stuff buried in it. But, if that is your threat model, and you are not an activist in an authoritarian country or a journalist, you really need to get some perspective. No one, not even Microsoft is trying that hard to figure out the porn you are watching on your phone. Microsoft tracking where you log in to your work from is not all that important of information. And it's really darned useful for cyber security teams trying to keep attackers out of the network.

So ya, this is really not a battle worth picking. It may be that they have picked this app simply because "no one ever got fired for picking Microsoft". But, you are also trying to fight IT simplifying their processes for no real reason. The impetus isn't really on IT to demonstrate why they picked this app. It is a secure way to do 2FA and they likely have a lot of time, effort and money wrapped up in supporting this solution. But, you want to be a special snowflake because "Microsoft bad". Ya, fuck right off with that shit. Unless you are going to take the time to reverse engineer the app and show why the company shouldn't pick it, you're just being a whiny pain in the arse. Install the app, remove it's permissions and move on with life. Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.

This is incredibly well said and I agree 100%. I'll just add that software TOTP is weaker than the MS Authenticator with number matching because the TOTP seed can still be intercepted and/or stolen by an attacker.

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the "something you have" second factor in my threat model.

While I prefer pure phishing-resistant MFA methods (FIDO2, WHFB, or CBA), the support isn't quite there yet for mobile devices (especially mobile browsers) so the MS Authenticator is the best alternative we have.

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the "something you have" second factor in my threat model.

The administrator can restrict this.

We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.

Admins can't control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don't think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.

Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.

No, you can actually block them from adding additional devices. Once they add a TOTP device, they can not add or change to another without admin approval.

But more to the point, if the admin requires the management of the authentication software, I.e. Bitwarden or authy or whatever, then they clearly have concerns about the security of the MFA on the user's device. If text messages are no longer considered secure then we move to the TOTP apps, but now if we're just summarily deciding the apps are no longer considered secure, we're demanding a secure app controlled by the admin must be used for MFA.

Can we not see where this is going next? Are we really under the delusion that because we have this magical Microsoft Authentication app now, MFA need never become more secure? This is the end of the road, nothing else will be asked of the user ever again?

If the concern is for the security of MFA on the user's side of that equation, then trying to manage that security on a device that company does not own is a waste of time. Eventually this is not going to be enough.

So let's just skip this step entirely and move on to fully controlled company devices used for MFA.

Look man, it's okay to be wrong. It's a natural part of growth.

But when you double down on your ignorance instead of taking the opportunity to open your mind and listen to the experts in the room, you just end up embarrassing yourself.

Try to be better.

To add on, at my work we started getting yubikeys for the people who didnt want Microsoft's authenticator on their phone and found they still need to download the mfa to set up the yubikey in the first place. So its not a perfect solution if you dont want the authenticator to touch your phone at all.

I can also confirm that the help desk members who are not enlightened about Microsoft will ridicule you for not wanting the MFA even if its reasonable to not want Microsoft on your phone. As much as we think all techs are Linux nerds, I have the opposite at my work. Some of the higher up techs are constantly trying to get people to switch to windows 11...

When I got the few emails from users at my organization who refused to use the app on their phones, I was ecstatic and I went to bat for them with our section director who insisted on making it mandatory, no exceptions.

Unfortunately most people in IT seem to just be lazy and believe "if it makes my job easier, absolutely no other concerns are relevant".

Unless you are going to take the time to reverse engineer the app and show why the company shouldn't pick it, you're just being a whiny pain in the arse.

You're god damn right they are, and they have every right to be. I'm in It too and I'm absolutely sick of the condescending attitude and downright laziness of people in the field who constantly act like what the users want doesn't matter. If they don't want it on their personal device, they don't need a damn reason.

This job is getting easier all the time, complaining because users don't want Microsoft trash on their phone might make marginally more work for you is exactly as whiny.

Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.

I see this all the time and it's downright hysterical. Who the hell can't handle having to have two devices on them?

"Oh yeah you'll regret asking for this! Just wait till you have to pull out that other thing in your bag occasionally! You'll be sorry you ever spoke up!"

Also, develop some pattern recognition. If you can't see how Microsoft makes this substantially worse once other methods have been choked out, you haven't learned a thing about them in the last 30 years.

You’re god damn right they are, and they have every right to be. I’m in It too and I’m absolutely sick of the condescending attitude and downright laziness of people in the field who constantly act like what the users want doesn’t matter. If they don’t want it on their personal device, they don’t need a damn reason.

Sure, and I suspect they company will have another option for folks who either can't or won't put the application on their personal device. It's probably also going to be far less convenient for the user. Demanding that the company implement the user's preferred option is where the problem arises.

complaining because users don’t want Microsoft trash on their phone might make marginally more work for you is exactly as whiny.

It's a matter of scale. In a company of any size, you are going to find someone who objects to almost anything. This user doesn't like Microsoft. Ok, let's implement Google. Oh wait, the user over there doesn't like Google. This will go on and on until the IT department is supporting lots of different applications and each one will have a non-zero cost in time and effort. And each of those "small things" has a way of adding up to a big headache for IT. We live in a world of finite resources, and IT departments are usually dealing with even more limited resources. At some point they have to be able to cut their losses and say, "here are the officially supported solutions, pick one". While this creates issues for individuals throughout the organization, it's usually small issues, spread out over lots of people versus lots of small issues concentrated in one group.

If you're in IT, you've likely seen (and probably supported) this sort of standardization in action. I can't count the number of places where every system is some flavor of Dell or HP. And the larger organizations usually have a couple of standard configurations around expected use case. You're an office worker, here's a basic laptop with 16Gb of RAM, and mid level CPU and fuck all for a GPU. Developer? Right, here's the top end CPU, as much RAM as we can stuff in the box and maybe a discreet GPU. AI/ML work? here's the login for AWS. Edge cases will get dealt with in a one-off fashion, there's always going to be the random Mac running around the network, but support will always be sketchy for those. It's all down to standardizing on a few, well known solutions to make support and troubleshooting easier. Sure, there are small shops out there willing to live with beige box deployments. Again, that does not scale.

I see this all the time and it’s downright hysterical. Who the hell can’t handle having to have two devices on them? “Oh yeah you’ll regret asking for this! Just wait till you have to pull out that other thing in your bag occasionally! You’ll be sorry you ever spoke up!”

Hey, if that's your thing, great. But, there is a reason BYOD took off. And a lot of that was on users pushing for it. Having been on the implementation side, it certainly wasn't IT or security departments pushing for this. BYOD is still a goddamn nightmare from an insider threat perspective. And it causes no end of headaches for Help Desks trying to support FSM knows what ancient piece of crap someone dredges up from the depths of history. Yes, it's a bit of cop out to give the user a crappy solution, because they push back against the easy one. But, it's also a matter of trying to keep things working in a standardized fashion. A standard configuration phone, with the required pre-installed, gives the user the option they want and also keeps IT from having do deal with yet more non-standard systems. It's a win for everyone, even if it's not the win the user wanted.

Also, develop some pattern recognition. If you can’t see how Microsoft makes this substantially worse once other methods have been choked out, you haven’t learned a thing about them in the last 30 years.

I do understand how bad Microsoft can be. I was an early adopter of Windows Me. And also have memories of Microsoft whining about de-coupling IE from the OS. And I don't want MS to win out as the authentication app for everyone. That said, I still believe that the Microsoft Authenticator app on a personal device is the wrong hill to die on. There is a lot of non-Microsoft software out there and there are plenty of options out there. But, Microsoft software using the Microsoft app isn't surprising or insidious.

Who the hell can't handle having to have two devices on them?

Hillary Clinton

Hey now, this doesn't fit with our narrative of the evil evil company here. Get this out of here! Just because it's a 2FA app doesn't negate that it's microshitz!

Fuck me I wish we could get more of these actual thoughtful answers instead of generic "hurdurr muh privacy megacorp bad"

All extremely good reasons to need the MFA.

Howerver it is on the company to provide the hardware. My phone is my phone. They didn't buy it, they don't pay for it, they don't get any say in what gets installed. I don't have to pay for my company provided computer either, so I don't care what they need me to install on that.

My phone is my phone. They didn’t buy it, they don’t pay for it

And that's completely fair. As I said above, the end result will almost certainly be a company provided phone with company provided apps. I've seen (and had) both solutions. It all comes down to how you view the risks. If you see running a Microsoft app on your personal phone as too great a risk to your privacy, then go for the two phone option. Personally, I don't see that as a high risk and think it's kinda silly.

You work in cybersecurity, yet you have company-controlled assets on your personal phone?

X DOUBT

Either you don’t give a single sh*t about your personal privacy, or…

And no, this isn’t “Microsoft bad”, this is “your company is inherently and fundamentally untrustworthy”. The app is, IMHO, one of the best ones out there, I would just never trust any company I worked for to keep their nose out of my personal life. A lot of the software that companies use to lock down mobile devices are hella invasive, and any company asset on a phone typically includes a demand to install the security software as well. Any of that shit should ALWAYS be on a company-provided phone, bro.

You work in cybersecurity, yet you have company-controlled assets on your personal phone?
X DOUBT
Either you don’t give a single sh*t about your personal privacy, or…

Here's the rub, I've been through enough of this to take a realistic, risk based approach to security. Knee-jerk reactions like the one you are giving are not really useful. Step back for a moment and think about what's going on here. First and foremost, this isn't MDM on a device, that's entirely different from installing the MS Authenticator app from the public Google Play store and adding a work account to it. So no, the company is not able to go rooting around in the user's device willy-nilly. Second, even with MDM, IT control of the user's device isn't what it used to be. Google implemented containerization of work profiles some time back. Without Work Profiles and containerization, I would agree that enrolling my personal device in MDM carries too much risk to my privacy and also having my device remote wiped. But, the advance of technology has altered that calculus. While there are still risks to consider with having a work profile on my device, it's also not as worrisome as it used to be.

Security isn't some binary thing. There is no hard and fast set of rules, given from some entity on high. It's a game of deciding what risks are acceptable and what risks need to be mitigated and how. If you work for a company which you believe is trying to use MDM to go rooting around in your personal device, I'd suggest finding an new job. This isn't to say you should trust the company 100%; but, you need to take a realistic look at what the ask is, what risks it carries and if the trade-off in convenience is worth it. The risks inherent in the MS Authenticator app are basically nil. At least on Android, you can audit it's permissions and disable the ones you don't want it to have. The app provides zero control over the device to the company. Really, there's just nothing there to get your panties in a bunch about.

But hey, if knee-jerk reactions are your thing, then you do you. This whole tempest in a teapot still amounts to "Microsoft bad".

No company has any right to force people to use their private phones for company purposes. I'd absolutely refuse to let them install anything whatsoever on my phone. If they want me to use a phone for work, they'll have to give me one.

Many work places require employees to bring their own tools (eg auto mechanic). Requiring a phone or tablet is probably legal.

I think if that's the case, I'd get an inexpensive phone with a prepaid plan... and make it clear that it gets turned off if not on call or otherwise pre-arranged.

This is what it's heading to eventually. This "authentication using a personal device that the IT department can't control" crap will eventually evolve into "they must control the device". Which means they just need to quit being cheap and buy devices they can manage for this purpose.

Or leave it in the office, always on charge, and with no lock screen so anyone can take the phone and accept a request

That sounds like a terrible security practice but at least it only puts your company at risk

2 more...

No need for a prepaid plan I haven't used the MS authentication but almost all 2FA apps actually don't need Internet access (apart from the initial setup). I would just graph some old phone and connect it to WiFi.

2 more...
2 more...

No company has any right to force people to use their private phones for company purposes.

Got a reputable source on that one that’s valid for all 50 states?

2 more...

Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It's like a secondary virtual phone.

Wow thanks friend! Does the 2FA work in this silo?

Just like anywhere else. All it does is sandbox work apps from personal apps so they don't talk to eachother (not even screenshots!)

Don't mix business and personal.

Don't Install any corp app on a personal phone. No matter what.

I agree but this is the next best option. This essentially creates a OS-level separation between business and personal apps.

Don't mix business and personal

This method basically is creating two phone with one. Why wouldn't this be a good solution with keeping business and personal separate?

If information is ever subject of a subpoena, your phone could be seized as evidence.... OS separation doesn't matter. Just like you wouldn't check corporate email or keep corp documents on your personal laptop...because your laptop could be seized for any corp legal action

Yeah that is a fair point.

I have never been involved in anything like that, so I don't know how big of a risk that actually is for most people.

And I would think as we get more and more cloud dependent any data on the phone would also be stored in company servers. So I am not sure the value a subpoenas for phones would be.

If it gets that far I would wonder if there could be a case for them of taking both personal and work phones as well just to be sure no one was talking outside of the company's standards communications.

Again I Have no idea how legally that would all go down, but I do think you being up a very good point the more speration you have between personal and work the less grounds legal action has to stand on to enter into your personal devices.

You cannot be forced to give your employer access to your property, so just say that you cannot install it on your phone. Make sure you say that it isn't possible. You don't have to make it sound voluntary. You can just say "I cannot install this on my phone". Even if the reason is because you refuse to install it, it doesn't matter, that's your call to make with your own property.

Your employer will either need to find another solution that you can use, or they will need to issue you a company phone so that you can use the mobile software they require you to use.

I work for a municipal government where we all receive a phone stipend because of 2FA.

If we use our personal phones for city business, they become searchable in Open Records Requests.

Also, the Microsoft Intune app, which checks if your device is compliant, requires a high level permission which allows it to remote wipe your device. This is in case your device has sensitive data and gets stolen/falls into the wrong hands. This is a very risky direction where we are handing off admin access of our phone to our employers.

You don't need the Intune app to use the authenticator.

True, true. This is off-topic.

But I remember that for a certain scenario (I don't remember exactly), my work app requested me download Intune, without which the app refused to start/update.

I work in tech, and have had multiple employees claim they only have "dumb" phones for what I'm pretty sure is this exact reason. And I never blame them, just put the heat on IT to find a solution.

Demand hardware tokens for authentication.

Do hardware tokens support Linux nowadays?

Depends on the type of token. The type that would be needed in this case doesn't need a computer to use, it displays the codes on a small screen.

There are also key generators used for electronic signatures that need to be connected to the PC; those can work on Linux but it depends on whether whoever provisioned them wanted to do that. Lots of companies who issue such tokens only put the Windows stuff on them.

Or tell your IT department to think ahead and skip the part where we use personal devices to ensure the security of company devices and data. That will eventually change, and we're going to look back on it the same way we look back on letting users receive work emails on any device with nothing but a password.

If you want security, use company devices. It's really simple.

Can you claim that you don't have a smartphone? Then they'd either have to provide an alternative authentication method, or provide you with a phone.

I've been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven't looked much into the privacy aspect of it, though.

Don't do that. Just say they will provide you with an authenticator paid for by them.

If it has Microsoft's name on it, the privacy implications are horrendous. Guaranteed.

Strong disagree with Microsoft Authenticator being well done - anything that is needlessly incompatible with competitors is bullshit. Either make your authenticator use the standard or fuck off.

Push Authentication in the MS Authenticator is Microsoft's proprietary thing. And I think that's probably what we're talking about here.

There's half a dozen other apps that do similar stuff, PingID, SecurID etc.

Might be interpreting your comment wrong, but it is compatible with competitors. You don't need to use Authenticator as your 2FA for a personal Microsoft account, and you can use Authenticator in place of any other TOTP app. It's OP's IT department that have chosen to disable the option to use other apps.

I did this at my work and got a little dongle that displays a string of numbers I have to enter when prompted.

Except that the Authenticator is being forced in place of other, third party apps.

I don't mind using my phone to authenticate. But now I'm not allowed to do it from Bitwarden. I must use their app.

Are you forced to use their app or are they just very insistently trying to trick you into using it? I.e., have you tried with Bitwarden or any other TOTP capable app?

I’m using a non-Google authenticator even though Google hit me with an “install Google Authenticator” dark pattern. Was kinda surprised it worked. Then I was miffed.

The ms authenticator works in 'reverse' in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can't be social engineered into giving out a 2fa token. It also has a "no this wasn't me" button to allow you to (I assume) notify IT if you are getting requests that are not you.

I don't believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?

And the authenticator is configurable and they can enforce some device security like not rooted, bootloader locked, storage encryption is on through the Intune work profile. If you work on a bank, you don't want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point come on you can probably afford Yubikeys).

As a user, not a fan, but as an IT department it makes complete sense.

You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.

For now.

The point is, the patterns in software security are pretty clear. People will keep finding ways around the authenticator, eventually someone will get their account compromised, and at some point it will get more restrictive.

It doesn't matter how it works now, because once it's normalized that this Microsoft app must be on your phone so you can work, and it must operate exactly as it wishes to, Microsoft will be able to start pushing more restrictions.

At a certain point, the device simply has to be verified as secure in and of itself before it can keep another device secure. Meaning your phone will be brought under your workplace's security policies.

What? No. This is complete hyperbole and speculation, and off at that too. Their Authenticator is used for personal accounts as well as managing 3rd party TOTP tokens. It’s no different than Google Authenticator, DUO Authenticator or Okta Authenticator. I could see that on a far end if they come out with a business only version, but given that everything is backed on their same platform it doesn’t behoove them to do that.

Hello, this is your IT department/Microsoft/the popes second mistress. We need you to test/revalidate/unfuckulate your Microsoft Authenticator by entering this code….

Yeah and that wouldn't work, as they would not be able to generate a valid 2FA code.

Bad actor goes to super secret page while working on 'fixing' and issue for the user. They then get the 2 digit request code and ask the user to input it to 'resolve' the issue.

Mostly the same as any other 2fa social engineering attack I guess, but the users phone does display what the code is for on the screen which could help.... But if your falling for it probably not.

Yeah but that's a wholly different attack, and oodles more complex to pull off. Doable, sure. But it's absolutely not the same thing as phishing for a valid 2FA code that is generated user-side.

And don't get me wrong, both are overall very security. But there is a case to be made for push auth.

It's not that different is it? You still need to get a user to share/enter a live code?

One requires the user to go to a bad page and get a spoofed 2FA code so the bad guy can log in.

Do you know how hard that is? Not worth it for 99% of hacks.

The other requires that the user read off their six digit code on their device.

Trivial easy since they already have the user’s password.

It requires the bad guy to go to the page and ask the user to enter the code the bad guy gets

How does the bad guy get to the page?

Then how does he get the user to enter in that code into their mobile device?

You can probably get the URL for a companies SharePoint pretty easily, but you need a login. You are able to get a PAs credentials through a phishing link etc but need the 2fa code.

You do the IT phishing attack (enter this code for me to fix your laptop being slow...), get them to enter the code and now you have access to a SharePoint instance full of confidential docs etc.

I'm not saying it's a great attack vector, but it's not that different to a standard phishing attack.

You could attack anything that's using the single sign on. Attack their build infrastructure and you now have a supply chain attack against all of their customers etc.

It helps but its not enough to counter the limits of human gullibility.

I mean the only real issue I see with this is that they require people to use their personal phones for this. Should not mix work and private data, and this should be in the interest of the corp, too. As in, issue work phones!

From a practical PoV - most people have their phone on them all the time. A work phone or a physical token can (and will) get forgotten, a personal phone much less.

Yeah but legally it's a bit more iffy once something gets breached and then it turns out that no, private phones are not covered by the stuff you signed for work security (because they usually cannot be, rather most written stuff explicitly forbids people from using their private phones for stuff like this, even in company who expect workers to do it).

If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.

And no, Microsoft cannot be trusted on not doing anything bad. The app is full of trackers and has an excessive list of permissions it "requires".

For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.

Microsoft has a long track record of leaks. Just naming the 2 most prominent:

  1. Microsoft Edge leaks every single URL to Microsoft servers (source)
  2. There are lots of reports that Microsoft had their general key stolen and not even notify it for months. It is unclear who had acces to that key. This is putting anyone at risk who uses any Microsoft product. (See for example here)

Maintain a veil of separation between personal and business. Just say you can't install it.

They must then provide you with needed hardware.

Just say you don't have a smartphone....you have a flip phone...doesn't matter.

And don't fall for the argument that companies require ties also, they can require cell phones..... Not at all same thing.

Just say you don't have a smartphone....you have a flip phone...

Recently looked into this, pretty much 100% of currently-available flip phones are still smartphones under the hood, running either Android or KaiOS. And you can still install apps on these phones.

The only truly “dumb phone” appears to be the Rotary Un-Phone, or a vintage feature phone from the early 2000s that boots straight from ROM - instant-on, no visible boot process whatsoever.

Is your company mandating Push Authentication or are you entering 6-digit codes?

If it's the former, MS Authenticator is the only option.

If it's the latter, you can use any TOTP app you like, e.g. Aegis.

Afaik, Microsoft’s OTP implementation is proprietary and not TOTP.

But also, my understanding is you can select which MFA schemes you can use, and allow SMS, MS MFA, and TOTP.

Source: employer used to allow sms, locked it down, and totp apps can’t parse the MS authenticator QR codes.

Not true. Work at an MSP that has hundreds of Microsoft accounts in our password managers with TOTP. We even migrated password managers and had no issues with TOTP.

That said, we are moving away from shared admin accounts and we will have delegated access enabled with JIT for better security soon.

Ok. Did a quick read. And I think I mixed my words a little.

Yes, Active Directory supports TOTP fine.

But my understanding is rollouts can disable TOTP, and instead force the use of the proprietary scheme requiring the MS Authenticator app (which also supports TOTP) that uses push notifications to the device.

As is the case with my employer. They didn’t enable TOTP, and I am unable to use the provided MFA QR code with 1Password.

When you start the MFA registration process for a Microsoft account and select the Authenticator as the method there is a link at the bottom of the page about using a different app. Sure it will only generate a rotating code instead of the “easier” method of just entering a 2 digit number when prompted on the phone, but entering 6 numbers isn’t that much more difficult than 2.

Yes, this link has been disabled as per (dumb) organisation policy.

It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft's web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don't require internet connection.

≥ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.

Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.

I work for a global company and help manage MFA for everyone...I use Google's authenticator on my personal phone as they didn't give me a work phone.

I still don't understand why a hardware token isn't being used. It's such a low cost option when compared to buying a phone and plan for a user.

Because you can’t call someone on a hardware token.

But not everyone needs to have a work phone, some just need to authenticate

17 more...

If they want you to use a specific application they need to provide you with everything that is needed for you to run said application.

Just ask whether they can provide a phone as well.

The whole point of MS Auth is that it tracks your location, so if you get a 2nd phone they still track you but you now carry around 2 phones.

You can say no, and if they won't budge buy a cheap old phone off Swappa or craigslist or marketplace for $20 install Ms authenticstor on it and leave it at your desk.

What do you have against ms authenticator?

It's proprietary closed source software, and if it's mandated to run on your device, it could be collecting a lot of telemetry that is not in your best interest.

It increases your security risk surface, more software to be made secure and update etc it's an extra burden

Why so negative? Maybe block posts about this.

You can use Aegis and/or Yubico Authenticator instead, that's what I do.

They said that the option to use other authenticators were disabled by their company

In my company at least, Aegis works for the first few logins, but it will keep nagging you have to switch to Microsoft's authenticator and you're locked out after a while.

How did know you're not using the MS Authenticator? Does the MS app phone home what logins your using?

Apparently MS uses a "proprietary PhoneFactor 2FA solution" that Aegis doesn't support.

My experience with it privately as well, and for Fido2 it says my system/browser is unsupported (Linux/Firefox) when it works on literally every other site.

Unless it turns out that only the supid MS one works on that specific company.

I work for an MSP servicing 5k users all of whom I force to use M$ Auth app. Because it is the best Authenticator on the market, their company is paying for it, and because I look at the sign in logs for 3-4 different organizations every day to see literal hundreds of foreign sign-in attempts that fail due to M$ MFA. Yeah fuck monopolistic megacorps but understand when they provide an actual good product that is safe to use and actively protects you as an individual better than anything else out there.

All that said, the most likely reason is that they don't want to make a document explaining how to set up MFA for each of the dozen+ apps out there and they certainly don't want to talk to users who don't know what they are doing with which ever app their kid set up for them

I'm sure you know what you're doing better than 80% of the other employees in your office in this regard but I can tell you from experience, when one person gets their way, everyone wants theirs too.

You left out two things:

  1. It doesn't change anything for the company if they allow the normal TOTP protocol in MS Authenticator. People who don't care will use it. People who care can use other authenticator apps.
  2. The reason companies insist on MS Authenticator is because it reports the employee's location.
  1. It doesn't change anything for the company with exception to billable IT time used when the authenticator confuses users which is already high with only one authenticator.

  2. It doesn't report location, Entra login reports location regardless of authentication method used.

  1. Why should users care about the company's billables, first of all. Secondly, it's a red herring because there's nothing compelling them to offer support for 3rd party authenticators or even mention them. It's just a flip switch in the settings. Savvy users will try a 3rd party first anyway.
  2. Potayto, potato. The location info comes from and including Authenticator. What is the point of fetching location in a TOTP generator if not to check up on it?
  1. The company makes the rules under which you are employed. If you don't like it, legislate against it or find another employer. Also, like I said, there are no 3rd party authenticators that are more secure with entra ID.

  2. Like I said, M$ auth literally does not report location while authenticating. It only pulls location requests when signing in through the app to create the authentication token and even then it is not a requirement. Entra pulls location using your IP address on the device you are signing in with.

I don't really get the rub here, JM all for separating work devices and personal devices but the 2fa apps don't leak any info and the company can't "do" anything to your phone remotely. The apps work in air plane mode. I also want to bet more than half the users that complain about this use the companies free WiFi.

Get a flip phone and say you can't install it, however SMS 2fa is very insecure.

The apps work in air plane mode

They're talking about Microsoft Authenticator, not any MFA. It doesn't work on airplane mode if they require number matching.

also want to bet more than half the users that complain about this use the companies free WiFi.

...and? The wifi isn't installed on their phone, the fuck does that matter?

You're wasting your life trying to fight battles you don't even understand.

Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

Thanks for the input?

There's no "battle" here. It's their phone, end of discussion. They don't need to justify to you or anyone what they do and do not want on it.

What you don't understand is that a worker does not need your permission or approval to exercise their right to control their personal property, and that right far exceeds any concerns about how easy the IT admin's job is.

Or is this a battle I can pick to shield my self from ms

Read the post before coming to the comments to reply.

OP is asking on here about whether or not to pick this battle and fight his company over it. Yes, you are probably technically correct that a company can't force you to install an authenticator app on your phone. However, that is a battle that you will have to fight with them that will accomplish essentially nothing if you win.

In Canada right now there is a major auto manufacturer that is being sued by the union over this very issue. It is a years long legal case that had to be escalated through the union, it's lawyers ,and now arbitration. Does that not sound like a battle to you?

In my case they didn't disable the option to use any authenticator for 2FA.

So I just use another one.

I don't see why forcing MS Authenticator will be better than any other authenticator.

The person who forces it is for sure not a security expert.

It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

I'm also not a fan of MS spyware.

But in defence of the MS authenticator, the 2FA prompts it sends are very convenient, how they pop up and ask for the number displayed on screen, its definitely more secure than just the one time code.

Plus it also shows what phone the user is using when they install and configure the authenticator app, this is also very useful if you suddenly see the user accessing their mail or one drive from another mobile device.

It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

Security through obscurity is not security.

Additionally, any method that generates a code locally that needs to match the server will not be secure if you can extract the key used locally. Yes you can argue that more users makes a juicier target, but I’d argue that Microsoft has the resources spend reducing the chance of an exploit and the resources to fix it fairly quickly. Much more so than any brand new team.

The default authentication option for the company I work for is that a code is displayed in the screen of the device I’m logging into AND a push notification is sent to the Authenticator app, the app then prompts me to enter the code from authenticating device. To break that you’d need the username, password, a clone of the phone/device used to authenticate (or the original), and the user’s PIN for that device (MS Authenticator requires this to complete the authentication.)

Yes MS Authentication services do sometimes go down, and yea it can impact my ability to work

I am by no means a MS fanatic, but I’d trust them for mission critical authentication over something like Authy.

4 more...

Thanks people, some good replies here. I could demand a work phone, but that's impractical, dragging around two phones etc. I'd like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn't know about that. If my company won't budge I'm doing that. When push comes to shove I could even use outlook that way on my phone.

It's worth adding I greatly prefer MS Auth style authentication, since I don't have to find the right entry to read the Auth code and then write it on the other computer. Instead MS pops a notification and you either type or select the right number, verify with fingerprint and done. Much more convenient.

It often tells you what you login into and where you are attempt to log in from, so it's a few extra layers of security for those that have that awareness to check those details.

Get a used /cheap phone or tablet, only turn it on or enable wifi when you need the app. Don't use it for anything else. I think that covers all the bases.

If you're in the US, that could very well get you fired in any "at will employment" state. It's shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).

While it’s not technically safer, MS does make it a lot easier to set policy’s where you check a box for MSAuth.

Since the config is less complex and easier, it’s demonstratably safer to implement it this way.

This could indeed be a valid reasoning. I'm going to investigate a bit. If you can easily cough up some MS documentation page on this topic please do

I managed to get around the MS auth app and am using aegis right now.

You can just use FreeOTP

My company has the same policy

Authentication methods in Entra ID (which is presumably what we are talking about as the identity provider) include Microsoft Authenticator and software otp.

Authenticator is push authentication, as described elsewhere here. If for some reason you're not getting push notifications, you can use an OTP code instead, but this still requires that you have push authentication configured in Microsoft Authenticator.

You can only use Software OTP in other applications if your administrator has explicitly allowed use of Software OTP as an authentication method, and also excluded you from being required to use Authenticatior - otherwise Authenticatior would always 'win' as choice of mechanisms because it is more secure.

Several states in the USA require that employees who are made to use their personal phone for business purposes be compensated. The enforcement method and process for requesting same is naturally very obscure.

Grab the shelter app from f Droid, add the Play store in shelter, move over to the work side Play store and install the authenticator.

Pause your work apps except for when you need to use the authenticator.

Prosper???

I used bluestack to emulate android and us MS Auth when I had no choice.

It's a waste of space, but it doesn't go on your phone at least

Lots of great conversation here, I also work somewhere where this is required. If I didn't need my phone for access to chat, I just wouldn't use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.

We let anyone use any authentication app. The Microsoft one is the best one. I'm pushing to make us exclusive because I'm sick of the IT support guys trying to support a dozen apps. You don't have to use your Microsoft account provided to use the app or back up your credentials.

I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.

While I understand this... Why not just refuse to support and NOT remove the capability for all those who don't need support and work just fine with their own? It's not like TOTP isn't a solved problem at this point.

Eg. "we only support MS auth, If you choose to use your own you will not receive any company support."

Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don't get it. Is a losing battle.

The option to use TOTP is already well hidden. It's not like someone who does not know what he is looking for and uses an Authenticator already will accidentally select it.

Because that shit only works in fantasy land.

Glad to know my company, and the companies I contract for are fantasy land then.

employees WILL expect support

And they will get it if they use the company default options.

Nothing about this is losing. I'm CIO for 3 separate companies (2 by contract). None of them have issues with this type of policy. We do bare minimum to not limit the toolset they can use and support a specific set of tools that we like the best. That's it. Those who are smart enough to use their own tools clearly know enough about IT to make good decisions that we can trust. The rest use the default tools... and we support those tools explicitly.

More importantly, we're not shitting on those who ARE making good decisions overall, but just have a preference. That makes the employees feel heard and keeps them happy. Keeping them happier keeps everyone more productive.

Upvote for providing an explanation, though I personally favour employee freedom.

Is Microsoft Authenticator available on Linux?

Ms auth is a mobile only application. Not even available on windows or macOS. The point of it is to provide a second factor of authentication in the for of "something you have". There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). Ms auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.

Why couldn't "laptop" be a second factor?

It is using windows hello on compatible machines and through persistent tokens on Mac and Windows machines not compatible with hello. You have to create that token with a known factor such as a mobile device but outside of that, users almost never have to sign in with persistent tokens.

At what point can you tax deduct your phone as a business expense?

If your company is enforcing geographic location as a security qualifier then MS Authenticator can poll your device. Also you can use push authentication with the MS suite.

It's done by IP address not phone or laptop GPS.

I just got it enabled and it most definitely wants your location. It has to poll my device's location once an hour by my work's policy.

That might be an optional requirement which can be set by the admins. On my phone (Android) I have disabled location permissions for the MS Authenticator app. I have no issues logging in. I also regularly have to deal with alerts for users with improbable geographic logins, because they have a VPN on their phone. So, they login from their PC from one location and then their phone logs into Azure from the other side of the planet moments later.

Yes it's optional. A lot of companies have compliance requirements where none of this would fly.

Your employer might use MS Authenticator but still let you do call or SMS 2FA. If you use a VOIP number, it won't be vulnerable to SIM card swapping attacks.

SMS auth is going away, it is not considered secure in the last few environments I have worked in

SMS auth is going away,

OP is looking for an alternative to MS Authenticator. If this works as an alternative temporarily, they may still consider it worth it.

[I]t is not considered secure in the last few environments I have worked in

Yes, SMS 2FA is usually not secure due being vulnerable to SIM card swapping attacks, that's why I explicitly recommended using a VOIP number, which would not be vulnerable to SIM card swapping attacks.

And here I am wishing they would come out with an authenticator watch app, so I didn't have to do all the work of taking my phone out of my pocket and swiping a few times.

What's needed is an online 2fa service that just takes a username and copies the code to the clipboard.

/s before I get any replies.

The burden...

It's my lot in life....

Quick question, am I the only one to take my phone out of my pocket and put it on the desk or on a stand? All my colleagues place their phones on their desks as well. Are we weird? At home I have a charging stand.

I work from home. I'm lucky if I can find my phone more than 65% of the time

lol, that makes more sense then.

I have a Google Home device that I can ask "where's my phone?" and my phone will start to ring. Very handy when I'm in a rush.

If MS Authenticator still works with totp urls just like any other authenticator then you can just use some open source authenticator. Some password managers even have one built it.

What is your concern about installing MS Authenticator.

I mean I can understand the principle of being forced to install anything on your phone.

But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?

200 MB of wasted personal disk space just so you can log in to a work account

Ok, but most workplaces require some form of apps installed for access, shared documents etc.

How many would install Figma, Office, Expensify, Jira, Confluence or a whole other raft of work apps if it wasn’t for work?

I mean, sure, it’s annoying but is MS Authenticator really the hill people want to die on?

Yeah but you install that stuff on your work computer. If my job requires me to use an authenticator on a non-work phone, then at least let me use the one I'm already using.

I'm not concerned per se and I definitely applaud the MFA requirement. I mean I hate MS and don't like apps I don't need, and I don't trust them, but as others pointed out this would mostly just be whiny. That's why I asked for reasons why restricting users to MS Authenticator would be preferable. If it's more secure or technically way easier and thus cheaper to maintain then fine, I'll find an acceptable way to comply. If not, then it's them who are whiny and I'd rather make the case to let us use whatever authenticator we already have installed.

But MS Authenticator isn’t a normal 6-digit Authenticator; it scans your Face ID (or finger print) and in many cases (like my work) it can be support password less accounts (relying only on something you have and something you are).

And in regard to your point that you don’t want to install apps you don’t need, it sounds like you do in fact need this app.

🤷‍♀️

Biometrics are only needed for passwordless login, not for TOTP.

reasons why restricting users to MS Authenticator would be preferable

As a security professional:

  1. Under most situations, it is equally as good as any other 2FA app.
  2. Within the Microsoft ecosystem, it provides additional security features above and beyond simple 2FA.

If your workplace is leaning heavily on the Microsoft ecosystem, especially their cloud offerings like Azure, then restricting employees to the Microsoft app is a no-brainer, and actually quite reasonable.

For example, if they happen to have a hybrid domain with an on-prem domain controller syncing with Azure (forgive me for using obsolete terms, I’m a greybeard), then they can control all access to all company assets, including 2FA. If an employee leaves the company, they can also disable the Microsoft app at a moment’s notice by disabling the employee’s Microsoft account. Because everything is hooked into Azure, it sends push notifications down to all company assets - like the Microsoft 2FA app - to unhook all of the company’s credentials and prevent employee access after the fact.

You cannot do this with other 2FA apps.

This is disingenuous though... You can simply reset the TOTP seed on any account to achieve the same operation. We use AuthLite on a local domain... I can disable an account domain-wide by simply resetting the TOTP seed or disabling the account. Using an Azure domain and MS app doesn't add any value in that regards. All of the online office stuff can be linked onto a local domain as well and would also be disabled.

You don't even need to disable an ex-employee's ability to generate TOTP codes... Once the account is disabled what use are the codes?

Well that's a bit of the point of my post... why are you making it out like disabling the 2fa app matters?

Edit: Swype typos!

I'm guessing they never mentioned that it tracks your location? That's why they insist on using it not any of the other bullshit.

It tracks your location.

Not really. It checks your location when you authenticate. It doesn’t store the location.

I don't care whether it stores the location. The problem is that it sends it to your employer. And so do all Microsoft apps. Teams for example makes full reports for managers to peruse about all kinds of information taken from each employee's device, including location and whether they were using the device and when.

AFAIK on Android it has a hard dependency on Google services. I don't mind installing proprietary stuff to my work profile for the express purposes of work but that requires modifying my system to accommodate this specific app and that's a step too far for my personal device. So I use a free software option (Aegis) instead.

edit: if for some reason I really did need MS Authenticator and not any old TOTP app, I would procure a googled device specifically for work rather than install google or microG into my personal device.

You can't just have microsoft text you a code? That's what I do

SMS is woefully insecure.

Wish I gave a shit. I don't own the company so fuck it

You might not own the company but do you like job hunting, the prospect of having the stigma of being the guy who caused a breach following you around, or screwing over your coworkers'. Noone is an island.

Lol what are you talking about ? Stigma ,screwing over coworkers ? Lol dude you need to relax and get out of your room, make friends and hangout with them. It looks like you have made work ,your friend. Take my advice yea, all 9-5s are just a number including you hence you have an employee number. Do your 9-5 and go home yea. Don't get too involved coz 9-5s are easily replaceable.

Weird seeming personal attack there. In case it is defensiveness from a perceived attack from myself, that's not what was intended. My intent was to point out the potential consequences of viewing it in such a seemingly myopic way.

  • Job hunting and stigma: If one's accounts are found to be the cause of a breach, and it is found to be due to negligence, there's a good chance of that resulting in a firing. Being fired due to security-related negligence is likely to make it a challenge to get past screening when hunting for a job (that's what I mean by stigma). And finally, job hunting fucking sucks, in my opinion.

  • Screwing over co-workers: You don't have to be friends to care about how your action or inaction impacts others. Being the cause of a breach has a real possibility of getting people laid off, if the scope is significant. Maybe less of a big deal if you're in most countries outside of the US but, here, the ramifications are pretty substantial. For example, I work with several people who are undergoing chemotherapy or who have spouses needing medical care. If laid off, health insurance evaporates and now they literally cannot afford the treatments necessary to live. Others have mortgages or rent to pay. Execs are not even going to entertain the idea of taking on the responsibility that is claimed to be the reason for their absurd pay.

Yes, it is healthy to set boundaries between your work life and personal life and to leave work at work. But, like I said, noone is an island, our actions in our work life can have profound impacts on others.

WoW! You actually need help. Its not an attack, i genuinely feel like there's something wrong with you and you should see a therapist so that you can understand , accept and acknowledge the issue.

Are you autistic by any chance ? I feel like you have made "work" the purpose of your life. Like without cybersecurity, there's no purpose in life.

I wish I could help you but I am no exoert. Please go see a therapist, please.

Are you autistic by any chance ? ... Please go see a therapist, please.

Actually, quite likely on the spectrum and diagnosed with ADHD (this is a major contributor to my verbosity, so apologies if it comes across as a big rant). I do have a therapist indeed and have found it very helpful - highly recommend it if you're in need. Not sure why this is relevant.

Maybe we're hitting a bit of an "impedence mismatch" here. I suspect, partly as you're coming through from an Aussie instance that it may be partly due to a lack of context on how fucked things are, labor-wise in the States. Healthcare here is tied to one's employment, intentionally. It is technically possible to get insurance through a public exchange but, practically speaking, it's not going to do much, especially if one has chronic or severe health problems. Also, we have very poor protections against firings and layoffs (most US labor contracts are pretty well one-sided).

Is work the purpose of my life? Fuck no. I have, however, been repeatedly screwed over, job-wise, by things outside of my control (Recession, offshoring, mergers, untreated ADHD). It is pretty awful, if you haven't yourself, I recommend giving the experience a pass. This has made me acutely aware of the impact that my actions can have on others, not just the immediate but also the secondary and tertiary impacts. I'm also the primary income for my household, so, that rather raises the stakes a bit.

Put these things together with the fact that I now have have coworkers who will literally die without medical care (insurance through work - so cancer patients have to have a job or a spouse with great coverage) and it should paint a good picture for someone with a healthy dose of empathy. Because of how labor is structured in the US, screwing up in a manner that has a big impact on the company means that I could be killing someone indirectly. Should that kind of thing be an employee's responsibility? No. But that's the reality of it. Actions have consequences within the system that one operates in, fair or not.

As for cybersecurity, somewhat fair. I'm not fixated on it but do definitely have a more significant interest than most. With the overall increase in cyberattacks on companies, states, and individuals, I'd recommend everyone being more security conscious.

If the company cared, they would provide MFA hardware like Yubikeys to their employees.

Oh, well they let us do it at work so idk

That's the solution I picked at work. Refused to install that Microsoft software on my personal phone, but instead provided a phone number.

If you have a VoIP provider you could even try to the VoIP number for MFA instead of providing your real mobile number.

If IT make a comment about you not having the app, ask if they intend to provide a company device for that.

I know Google has a way to "force" you to only use their app, and that's strictly enforced for personal MFAs (I haven't verified that recently), I didn't have that kind of trouble not using the MS one, but I'm not sure my org was as strict as yours on that "force MS" option.

When setting up the authentication when it asks you to set up Microsoft authenticator there should be a drop-down at the bottom of the page that says use another option that will allow you to use a phone call or text message as your chosen method of authentication.

This can be configured for the Microsoft tenant. The admin can allow all possible MFA vectors or restrict it to just a single one such as the Microsoft Authenticator. Microsoft themselves are also pushing the Authenticator, which is actually fine. I haven’t done any packet captures to see what it is sending back to Redmond, but the most secure method is great. The service you are logging into generates a two-digit number that you must enter when prompted in the Authenticator app.

Still, I’ve seen issues arise when an employee only has a flip phone or flat out refuses to install any app required for work on their personal devices. IT departments will typically fold to pressure and allow a call or text for MFA because they did not want to buy, configure, and send out phones to employees refused.

I’ve also seen IT send a company phone to a specific user that refused to allow Microsoft to have their phone number for calls or texts too. Legal told them they could not require the employee to use their personal property or reveal personal details to Microsoft in order to work.

^ This. We try to enforce Microsoft Authenticator company wide and we will never be able to completely ditch call/text as an option. We have a ton of users that don't have smart phones. We have a policy to only allow call/text if a user specifically requests it.

...it won't let me edit my other comment but I wanted to add that YES using MFA is demonstratively far more safe than any password you can set.

With a multi factor enabled you could literally give your password out and people could not access your account without being able to complete that second layer of security.

He said he wants to use mfa, but a normal generated token instead of the Microsoft one.

we have o365 and while i do have the authenticator, you should also be able to add a phone number or email address for text/email codes instead of the authenticator (i know my coworker doesn't have the authenticator but gets codes to her sms)

If you don't care about the money you get paid every fortnight then go ahead. Nobody cares! For employers , you are just a number and for you ,employer is the means to get paid.

If you don't need the money then fuck it.

You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.

Ask if you could get a hardware token (ie: Yubikey Security Key) instead of using Microsoft Authenticator to fulfill the security requirements. It's low cost and doesn't require a subscription unlike a cellphone plan.

You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.

Reputable Source?

Do like a friend of mine. He has a 15 dollar a month phone(mint mobile) that he uses for all his job related bullshit. Its all it does and he has no personal accounts on it at all. It kinda sucks that they insist on him using his own equipment for it but its the cheapest way to keep them out of his personal life.

Would you even need a monthly plan for this kind of thing? It just needs to be able to install the app and run it. If it needs internet you can connect to WiFi. You can get a sim free android for about £50 outright now.

You do if you want to provide that as your "work" number. Unless you're going to jump though VoIP hoops.

Surely your work landline number is your work number? The phone is just to run the authenticator service.

I guess if there is WiFi, he won't even need a mobile data plan, so he could safe lots of money.

I am in IT and I feel like I speak for the industry we don't care. Some of my customers have regulators who make arbitrary and capricious decisions with a minimal understanding of infosec but we have to keep the customer compliant.

I had to install MS Authenticator to get into my account, then I added a phone number. I then deleted Authenticator from my phone and from my 2FA settings.

Same problem here, my company requires 2FA for remote network access. MS Authenticator requires Google Services on Android which I don't have - so no home office for me I guess.

You might be able to 2FA via text or phone call. That's what I do. It's bad enough I have to BYOD for a laptop. I don't want MS BS on my personal phone as well

when you get the prompt at my work their is an option that says you don't have your phone on you and it leads to the old way of doing it.

During the enrollment you can tap on the option to use another method and have it send you a text code instead of using the app.

SMS is inherently insecure as a MFA, consider using aegis for your TOTP codes instead.

Not if the company has disabled sms for mfa as they should have.