So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • w2tpmf@lemmy.world · 4 months ago

    During the enrollment you can tap on the option to use another method and have it send you a text code instead of using the app.

    • lemmyvore@feddit.nl · 4 months ago

      The whole point of MS Auth is that it tracks your location, so if you get a 2nd phone they still track you but you now carry around 2 phones.

    • XEAL@lemm.ee · 4 months ago

      Unless it turns out that only the stupid MS one works at that specific company.

    • Fleppensteyn@feddit.nl · 4 months ago

      In my company at least, Aegis works for the first few logins, but it will keep nagging you have to switch to Microsoft’s authenticator and you’re locked out after a while.

    • deweydecibel@lemmy.world · 4 months ago

      Or tell your IT department to think ahead and skip the part where we use personal devices to ensure the security of company devices and data. That will eventually change, and we’re going to look back on it the same way we look back on letting users receive work emails on any device with nothing but a password.

      If you want security, use company devices. It’s really simple.

  • Brkdncr@lemmy.world · 4 months ago

    While it’s not technically safer, MS does make it a lot easier to set policies where you check a box for MSAuth.

    Since the config is less complex and easier, it’s demonstrably safer to implement it this way.

    • Martin@lemmy.ml (OP) · 4 months ago

      This could indeed be a valid reasoning. I’m going to investigate a bit. If you can easily cough up some MS documentation page on this topic, please do.

  • neidu2@feddit.nl · 4 months ago (edited)

    Can you claim that you don’t have a smartphone? Then they’d either have to provide an alternative authentication method, or provide you with a phone.

    I’ve been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven’t looked much into the privacy aspect of it, though.

    • xmunk@sh.itjust.works · 4 months ago

      Strong disagree with Microsoft Authenticator being well done - anything that is needlessly incompatible with competitors is bullshit. Either make your authenticator use the standard or fuck off.

      • atocci@kbin.social · 4 months ago

        Might be interpreting your comment wrong, but it is compatible with competitors. You don’t need to use Authenticator as your 2FA for a personal Microsoft account, and you can use Authenticator in place of any other TOTP app. It’s OP’s IT department that have chosen to disable the option to use other apps.

      • federalreverse-old@feddit.de · 4 months ago

        Push Authentication in the MS Authenticator is Microsoft’s proprietary thing. And I think that’s probably what we’re talking about here.

    • deweydecibel@lemmy.world · 4 months ago

      Except that the Authenticator is being forced in place of other, third party apps.

      I don’t mind using my phone to authenticate. But now I’m not allowed to do it from Bitwarden. I must use their app.

      • englislanguage@lemmy.sdf.org · 4 months ago

        Are you forced to use their app, or are they just very insistently trying to trick you into using it? I.e., have you tried with Bitwarden or any other TOTP-capable app?

        • brbposting@sh.itjust.works · 4 months ago

          I’m using a non-Google authenticator even though Google hit me with an “install Google Authenticator” dark pattern. Was kinda surprised it worked. Then I was miffed.

    • Kairos@lemmy.today · 4 months ago

      Don’t do that. Just say they will provide you with an authenticator paid for by them.

    • BobGnarley@lemm.ee · 4 months ago

      If it has Microsoft’s name on it, the privacy implications are horrendous. Guaranteed.

  • sovietknuckles [they/them]@hexbear.net · 4 months ago

    My employer uses MS Authenticator but they haven’t disabled call or SMS 2FA, so I use SMS instead. The number I use is VOIP, so it’s not vulnerable to SIM card swapping attacks.

    • stoy@lemmy.zip · 4 months ago

      SMS auth is going away; it is not considered secure in the last few environments I have worked in.

      • sovietknuckles [they/them]@hexbear.net · 4 months ago (edited)

        SMS auth is going away,

        OP is looking for an alternative to MS Authenticator. If this works as an alternative temporarily, they may still consider it worth it.

        [I]t is not considered secure in the last few environments I have worked in

        Yes, SMS 2FA is usually not secure due to being vulnerable to SIM card swapping attacks; that’s why I explicitly recommended using a VOIP number, which would not be vulnerable to SIM card swapping attacks.

  • jet@hackertalks.com · 4 months ago

    You can say no, and if they won’t budge, buy a cheap old phone off Swappa or Craigslist or Marketplace for $20, install MS Authenticator on it and leave it at your desk.

      • jet@hackertalks.com · 4 months ago

        It’s proprietary closed source software, and if it’s mandated to run on your device, it could be collecting a lot of telemetry that is not in your best interest.

  • Nighed@sffa.community · 4 months ago

    The MS authenticator works in ‘reverse’ in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can’t be socially engineered into giving out a 2FA token. It also has a “no this wasn’t me” button to allow you to (I assume) notify IT if you are getting requests that are not you.

    I don’t believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?

    • Carighan Maconar@lemmy.world · 4 months ago

      I mean the only real issue I see with this is that they require people to use their personal phones for this. Should not mix work and private data, and this should be in the interest of the corp, too. As in, issue work phones!

      • Nighed@sffa.community · 4 months ago

        From a practical PoV - most people have their phone on them all the time. A work phone or a physical token can (and will) get forgotten, a personal phone much less.

        • Carighan Maconar@lemmy.world · 4 months ago

          Yeah, but legally it’s a bit more iffy once something gets breached and then it turns out that no, private phones are not covered by the stuff you signed for work security (because they usually cannot be; rather, most written stuff explicitly forbids people from using their private phones for stuff like this, even in companies that expect workers to do it).

    • lemmylommy@lemmy.world · 4 months ago

      Hello, this is your IT department/Microsoft/the pope’s second mistress. We need you to test/revalidate/unfuckulate your Microsoft Authenticator by entering this code….

        • Nighed@sffa.community · 4 months ago

          Bad actor goes to super secret page while working on ‘fixing’ an issue for the user. They then get the 2-digit request code and ask the user to input it to ‘resolve’ the issue.

          Mostly the same as any other 2FA social engineering attack I guess, but the user’s phone does display what the code is for on the screen, which could help… But if you’re falling for it, probably not.

          • Carighan Maconar@lemmy.world · 4 months ago

            Yeah but that’s a wholly different attack, and oodles more complex to pull off. Doable, sure. But it’s absolutely not the same thing as phishing for a valid 2FA code that is generated user-side.

            And don’t get me wrong, both are overall very secure. But there is a case to be made for push auth.

            • Nighed@sffa.community · 4 months ago

              It’s not that different is it? You still need to get a user to share/enter a live code?

              • AtariDump@lemmy.world · 4 months ago

                One requires the user to go to a bad page and get a spoofed 2FA code so the bad guy can log in.

                Do you know how hard that is? Not worth it for 99% of hacks.

                The other requires that the user read off their six digit code on their device.

                Trivially easy since they already have the user’s password.

                • Nighed@sffa.community · 4 months ago

                  It requires the bad guy to go to the page and ask the user to enter the code the bad guy gets.

    • englislanguage@lemmy.sdf.org · 4 months ago

      If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.

      And no, Microsoft cannot be trusted on not doing anything bad. The app is full of trackers and has an excessive list of permissions it “requires”.

      For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.

      Microsoft has a long track record of leaks. Just naming the 2 most prominent:

      1. Microsoft Edge leaks every single URL to Microsoft servers (source)
      2. There are lots of reports that Microsoft had their general key stolen and did not even notify anyone for months. It is unclear who had access to that key. This is putting anyone at risk who uses any Microsoft product. (See for example here)

    • Max-P@lemmy.max-p.me · 4 months ago

      And the authenticator is configurable, and they can enforce some device security like not rooted, bootloader locked, storage encryption on, through the Intune work profile. If you work at a bank, you don’t want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point, come on, you can probably afford Yubikeys).

      As a user, not a fan, but as an IT department it makes complete sense.

      • ramble81@lemm.ee · 4 months ago

        You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.

        • deweydecibel@lemmy.world · 4 months ago

          For now.

          The point is, the patterns in software security are pretty clear. People will keep finding ways around the authenticator, eventually someone will get their account compromised, and at some point it will get more restrictive.

          It doesn’t matter how it works now, because once it’s normalized that this Microsoft app must be on your phone so you can work, and it must operate exactly as it wishes to, Microsoft will be able to start pushing more restrictions.

          At a certain point, the device simply has to be verified as secure in and of itself before it can keep another device secure. Meaning your phone will be brought under your workplace’s security policies.

          • ramble81@lemm.ee · 4 months ago

            What? No. This is complete hyperbole and speculation, and off at that too. Their Authenticator is used for personal accounts as well as managing 3rd party TOTP tokens. It’s no different than Google Authenticator, DUO Authenticator or Okta Authenticator. I could see that on a far end if they come out with a business only version, but given that everything is backed on their same platform it doesn’t behoove them to do that.

  • xavier666@lemm.ee · 4 months ago

    Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It’s like a secondary virtual phone.

    • LordCrom@lemmy.world · 4 months ago

      Don’t mix business and personal.

      Don’t Install any corp app on a personal phone. No matter what.

      • Catsrules@lemmy.ml · 4 months ago (edited)

        Don’t mix business and personal

        This method basically is creating two phones with one. Why wouldn’t this be a good solution for keeping business and personal separate?

        • LordCrom@lemmy.world · 4 months ago

          If information is ever subject of a subpoena, your phone could be seized as evidence… OS separation doesn’t matter. Just like you wouldn’t check corporate email or keep corp documents on your personal laptop…because your laptop could be seized for any corp legal action

          • Catsrules@lemmy.ml · 4 months ago (edited)

            Yeah that is a fair point.

            I have never been involved in anything like that, so I don’t know how big of a risk that actually is for most people.

            And I would think as we get more and more cloud dependent, any data on the phone would also be stored on company servers. So I am not sure what the value of subpoenas for phones would be.

            If it gets that far I would wonder if there could be a case for them of taking both personal and work phones as well just to be sure no one was talking outside of the company’s standards communications.

            Again, I have no idea how legally that would all go down, but I do think you bring up a very good point: the more separation you have between personal and work, the less grounds legal action has to stand on to enter into your personal devices.

  • 𝘋𝘪𝘳𝘬@lemmy.ml · 4 months ago

    If they want you to use a specific application they need to provide you with everything that is needed for you to run said application.

  • Diplomjodler@lemmy.world · 4 months ago

    No company has any right to force people to use their private phones for company purposes. I’d absolutely refuse to let them install anything whatsoever on my phone. If they want me to use a phone for work, they’ll have to give me one.

  • speaker_hat@lemmy.one · 4 months ago

    In my case they didn’t disable the option to use any authenticator for 2FA.

    So I just use another one.

    I don’t see why forcing MS Authenticator will be better than any other authenticator.

    The person who forces it is for sure not a security expert.

    It will be easier for hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

    • greentreerainfire@kbin.social · 4 months ago

      It will be easier for hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

      Security through obscurity is not security.

      Additionally, any method that generates a code locally that needs to match the server will not be secure if you can extract the key used locally. Yes, you can argue that more users makes a juicier target, but I’d argue that Microsoft has the resources to spend reducing the chance of an exploit and the resources to fix it fairly quickly. Much more so than any brand new team.

      The default authentication option for the company I work for is that a code is displayed on the screen of the device I’m logging into AND a push notification is sent to the Authenticator app; the app then prompts me to enter the code from the authenticating device. To break that you’d need the username, password, a clone of the phone/device used to authenticate (or the original), and the user’s PIN for that device (MS Authenticator requires this to complete the authentication).

      Yes, MS Authentication services do sometimes go down, and yes, it can impact my ability to work.

      I am by no means a MS fanatic, but I’d trust them for mission critical authentication over something like Authy.
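The number-matching flow described in the post above (number on the login screen, push to the enrolled phone, user types the number into the app), worked through as an added example that is not part of the thread and not Microsoft's code. The toy server and toy phone below are a model: the challenge ids, the HMAC-based approval and the names are assumptions of this model, not Microsoft Authenticator's real protocol. What it shows is where the security comes from: the phone never displays a code that could be read out to a caller, and an approval is only valid if it comes from the enrolled device key and carries the number the server actually generated for that session.

```python
"""Number-matching push MFA, modelled end to end (added example, not Microsoft code)."""
import hashlib
import hmac
import os
import secrets
import time


def approval_tag(device_key: bytes, challenge_id: str, number: int) -> str:
    """MAC binding (challenge, typed number) to the key only the enrolled phone holds."""
    msg = f"{challenge_id}:{number:02d}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PushServer:
    def __init__(self) -> None:
        self.device_keys = {}   # user -> key shared with the phone at enrollment
        self.pending = {}       # challenge_id -> challenge state

    def enroll(self, user: str) -> bytes:
        key = os.urandom(32)
        self.device_keys[user] = key
        return key

    def begin_login(self, user: str, client_ip: str) -> tuple:
        """Runs after the password check. Returns the challenge id and the number shown on screen."""
        cid = secrets.token_hex(8)
        self.pending[cid] = {"user": user, "number": secrets.randbelow(100),
                             "ip": client_ip, "issued": time.time(), "done": False}
        return cid, self.pending[cid]["number"]

    def push_payload(self, cid: str) -> dict:
        """What the phone is told: login context only, never the number itself."""
        p = self.pending[cid]
        return {"cid": cid, "user": p["user"], "ip": p["ip"]}

    def approve(self, cid: str, user: str, number: int, tag: str, ttl: float = 60.0) -> bool:
        p = self.pending.get(cid)
        if p is None or p["done"] or p["user"] != user:
            return False                       # unknown, already used, or wrong account
        if time.time() - p["issued"] > ttl:
            return False                       # stale challenge
        expected = approval_tag(self.device_keys[user], cid, number)
        if not hmac.compare_digest(expected, tag):
            return False                       # not produced by the enrolled phone
        if number != p["number"]:
            return False                       # user typed a number that is not this session's
        p["done"] = True                       # single use
        return True


class Phone:
    def __init__(self, user: str, key: bytes) -> None:
        self.user, self.key = user, key

    def respond(self, payload: dict, typed_number: int) -> str:
        # A real app shows payload["ip"] and the account so the user can refuse unexpected prompts.
        return approval_tag(self.key, payload["cid"], typed_number)


def simulate() -> dict:
    """Constructed scenarios; returns which approvals the server accepted."""
    server = PushServer()
    phone = Phone("alice", server.enroll("alice"))
    results = {}

    # 1. Legitimate login: the user reads the number off the screen and types it into the app.
    cid, shown = server.begin_login("alice", "203.0.113.5")      # constructed client IP
    tag = phone.respond(server.push_payload(cid), shown)
    results["legit"] = server.approve(cid, "alice", shown, tag)

    # 2. The same approval presented again is refused (single use).
    results["replay"] = server.approve(cid, "alice", shown, tag)

    # 3. Someone who knows the password and sees the number on screen but holds no
    #    enrolled key cannot produce a valid approval.
    cid2, shown2 = server.begin_login("alice", "198.51.100.9")   # constructed client IP
    forged = approval_tag(os.urandom(32), cid2, shown2)
    results["no_device"] = server.approve(cid2, "alice", shown2, forged)

    # 4. Right phone, wrong number typed (mis-read, or a number supplied by a caller).
    wrong = (shown2 + 1) % 100
    tag2 = phone.respond(server.push_payload(cid2), wrong)
    results["wrong_number"] = server.approve(cid2, "alice", wrong, tag2)

    return results
```

Scenario 4 is the residual risk the thread discusses: the approval is cryptographically sound, but the model cannot stop a user who is talked into typing a number that belongs to someone else's session. That is why the payload carries the login context (account, source IP) for the user to check, and why a "this wasn't me" report path matters on the defender side.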

    • shameless@lemmy.world · 4 months ago

      I’m also not a fan of MS spyware.

      But in defence of the MS authenticator, the 2FA prompts it sends are very convenient, how they pop up and ask for the number displayed on screen; it’s definitely more secure than just the one-time code.

      Plus it also shows what phone the user is using when they install and configure the authenticator app; this is also very useful if you suddenly see the user accessing their mail or OneDrive from another mobile device.

    • Skull giver@popplesburger.hilciferous.nl · 4 months ago

      MS authenticator has a bunch of security features that make it better.

      From a technical standpoint, it’s possible to bring those same features to independent software implementations, but nothing of the sort has been implemented yet. Best we have is cross device passkeys.

      TOTP has serious flaws if you need strict security (easily phished, for instance) so a company can have good reasons for not trusting it. However, they can fuck off if they want to try to force that shit onto my personal device.

      • englislanguage@lemmy.sdf.org · 4 months ago

        How would MS Authenticator make it any better than TOTP?

        To break TOTP, the attacker would need to:

        a) be able to observe the initial exchange of the TOTP secrets. To do that, the attacker needs access to the victim’s computer (on user level) at that specific time they set up TOTP. TOTP is a TOFU concept and thus not designed to protect against that. However, if the attacker controls the victim’s computer at that time, the victim is screwed anyways even before setting up 2FA.

        b) have access to the TOTP app’s secret storage and to the victim’s login credentials (e.g. by phishing). If the attacker can gain that level of access, they would also have access to the Microsoft Authenticator’s secret storage, so there is no benefit of the Microsoft app.

        On the other hand, Microsoft Authenticator is a very huge app (>100MB is huge for an authenticator app, Aegis is just 6MB, FreeOTP+ 11MB), i.e. it brings a large attack surface, especially by connecting to the internet.

        I don’t think Microsoft Authenticator brings security benefits over a clean and simple TOTP implementation.

        • Skull giver@popplesburger.hilciferous.nl · 4 months ago

          To break TOTP, the attacker would need to have the victim open up a phishing page. If someone enters their password at fakegoogle.com, they’ll also enter their TOTP tokens. TOTP only protects against your password leaking.

          Microsoft Authenticator has a bunch of security checks, like checking if your device is in the same physical vicinity.

          The current iteration of the app is moving to leveraging passkeys, something not just Microsoft can do. For businesses, there are still good reasons to use MS authenticator passkeys (control over policies like requiring passkey devices with certain security updates), but in practice I find a lot of 2FA passkey implementations sorely lacking at the moment. Scanning a QR code on your phone is annoying, even if it is phishing resistant.

  • Martin@lemmy.ml (OP) · 4 months ago

    Thanks people, some good replies here. I could demand a work phone, but that’s impractical, dragging around two phones etc. I’d like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn’t know about that. If my company won’t budge I’m doing that. When push comes to shove I could even use outlook that way on my phone.

    • BehindTheBarrier@programming.dev · 4 months ago (edited)

      It’s worth adding I greatly prefer MS Auth style authentication, since I don’t have to find the right entry to read the Auth code and then write it on the other computer. Instead MS pops a notification and you either type or select the right number, verify with fingerprint and done. Much more convenient.

      It often tells you what you are logging into and where you are attempting to log in from, so it’s a few extra layers of security for those that have the awareness to check those details.