So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
And here I am wishing they would come out with an authenticator watch app, so I didn’t have to do all the work of taking my phone out of my pocket and swiping a few times.
It used to exist, and it was glorious!
What’s needed is an online 2fa service that just takes a username and copies the code to the clipboard.
/s before I get any replies.
It’s my lot in life…
I work from home. I’m lucky if I can find my phone more than 65% of the time
Oh I can do this (and do) with my iPhone, but I hate to have to have to, it feels like giving up lol
Authentication methods in Entra ID (which is presumably what we are talking about as the identity provider) include Microsoft Authenticator and software otp.
Authenticator is push authentication, as described elsewhere here. If for some reason you’re not getting push notifications, you can use an OTP code instead, but this still requires that you have push authentication configured in Microsoft Authenticator.
You can only use Software OTP in other applications if your administrator has explicitly allowed use of Software OTP as an authentication method, and also excluded you from being required to use Authenticatior - otherwise Authenticatior would always ‘win’ as choice of mechanisms because it is more secure.
Several states in the USA require that employees who are made to use their personal phone for business purposes be compensated. The enforcement method and process for requesting same is naturally very obscure.
when you get the prompt at my work their is an option that says you don’t have your phone on you and it leads to the old way of doing it.
If you’re in the US, that could very well get you fired in any “at will employment” state. It’s shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).
You can’t just have microsoft text you a code? That’s what I do
That’s the solution I picked at work. Refused to install that Microsoft software on my personal phone, but instead provided a phone number.
If you have a VoIP provider you could even try to the VoIP number for MFA instead of providing your real mobile number.
If IT make a comment about you not having the app, ask if they intend to provide a company device for that.
SMS is woefully insecure.
You might not own the company but do you like job hunting, the prospect of having the stigma of being the guy who caused a breach following you around, or screwing over your coworkers’. Noone is an island.
Lol what are you talking about ? Stigma ,screwing over coworkers ? Lol dude you need to relax and get out of your room, make friends and hangout with them. It looks like you have made work ,your friend. Take my advice yea, all 9-5s are just a number including you hence you have an employee number. Do your 9-5 and go home yea. Don’t get too involved coz 9-5s are easily replaceable.
Weird seeming personal attack there. In case it is defensiveness from a perceived attack from myself, that’s not what was intended. My intent was to point out the potential consequences of viewing it in such a seemingly myopic way.
-
Job hunting and stigma: If one’s accounts are found to be the cause of a breach, and it is found to be due to negligence, there’s a good chance of that resulting in a firing. Being fired due to security-related negligence is likely to make it a challenge to get past screening when hunting for a job (that’s what I mean by stigma). And finally, job hunting fucking sucks, in my opinion.
-
Screwing over co-workers: You don’t have to be friends to care about how your action or inaction impacts others. Being the cause of a breach has a real possibility of getting people laid off, if the scope is significant. Maybe less of a big deal if you’re in most countries outside of the US but, here, the ramifications are pretty substantial. For example, I work with several people who are undergoing chemotherapy or who have spouses needing medical care. If laid off, health insurance evaporates and now they literally cannot afford the treatments necessary to live. Others have mortgages or rent to pay. Execs are not even going to entertain the idea of taking on the responsibility that is claimed to be the reason for their absurd pay.
Yes, it is healthy to set boundaries between your work life and personal life and to leave work at work. But, like I said, noone is an island, our actions in our work life can have profound impacts on others.
WoW! You actually need help. Its not an attack, i genuinely feel like there’s something wrong with you and you should see a therapist so that you can understand , accept and acknowledge the issue.
Are you autistic by any chance ? I feel like you have made “work” the purpose of your life. Like without cybersecurity, there’s no purpose in life.
I wish I could help you but I am no exoert. Please go see a therapist, please.
Are you autistic by any chance ? … Please go see a therapist, please.
Actually, quite likely on the spectrum and diagnosed with ADHD (this is a major contributor to my verbosity, so apologies if it comes across as a big rant). I do have a therapist indeed and have found it very helpful - highly recommend it if you’re in need. Not sure why this is relevant.
Maybe we’re hitting a bit of an “impedence mismatch” here. I suspect, partly as you’re coming through from an Aussie instance that it may be partly due to a lack of context on how fucked things are, labor-wise in the States. Healthcare here is tied to one’s employment, intentionally. It is technically possible to get insurance through a public exchange but, practically speaking, it’s not going to do much, especially if one has chronic or severe health problems. Also, we have very poor protections against firings and layoffs (most US labor contracts are pretty well one-sided).
Is work the purpose of my life? Fuck no. I have, however, been repeatedly screwed over, job-wise, by things outside of my control (Recession, offshoring, mergers, untreated ADHD). It is pretty awful, if you haven’t yourself, I recommend giving the experience a pass. This has made me acutely aware of the impact that my actions can have on others, not just the immediate but also the secondary and tertiary impacts. I’m also the primary income for my household, so, that rather raises the stakes a bit.
Put these things together with the fact that I now have have coworkers who will literally die without medical care (insurance through work - so cancer patients have to have a job or a spouse with great coverage) and it should paint a good picture for someone with a healthy dose of empathy. Because of how labor is structured in the US, screwing up in a manner that has a big impact on the company means that I could be killing someone indirectly. Should that kind of thing be an employee’s responsibility? No. But that’s the reality of it. Actions have consequences within the system that one operates in, fair or not.
As for cybersecurity, somewhat fair. I’m not fixated on it but do definitely have a more significant interest than most. With the overall increase in cyberattacks on companies, states, and individuals, I’d recommend everyone being more security conscious.
-
If the company cared, they would provide MFA hardware like Yubikeys to their employees.
True. App-based is a bit more secure than SMS but nothing beats hardware.
Oh, well they let us do it at work so idk
Is your company mandating Push Authentication or are you entering 6-digit codes?
If it’s the former, MS Authenticator is the only option.
If it’s the latter, you can use any TOTP app you like, e.g. Aegis.
Afaik, Microsoft’s OTP implementation is proprietary and not TOTP.
But also, my understanding is you can select which MFA schemes you can use, and allow SMS, MS MFA, and TOTP.
Source: employer used to allow sms, locked it down, and totp apps can’t parse the MS authenticator QR codes.
Im using aegis as totp with microsoft at my company right now
Not true. Work at an MSP that has hundreds of Microsoft accounts in our password managers with TOTP. We even migrated password managers and had no issues with TOTP.
That said, we are moving away from shared admin accounts and we will have delegated access enabled with JIT for better security soon.
Ok. Did a quick read. And I think I mixed my words a little.
Yes, Active Directory supports TOTP fine.
But my understanding is rollouts can disable TOTP, and instead force the use of the proprietary scheme requiring the MS Authenticator app (which also supports TOTP) that uses push notifications to the device.
As is the case with my employer. They didn’t enable TOTP, and I am unable to use the provided MFA QR code with 1Password.
When you start the MFA registration process for a Microsoft account and select the Authenticator as the method there is a link at the bottom of the page about using a different app. Sure it will only generate a rotating code instead of the “easier” method of just entering a 2 digit number when prompted on the phone, but entering 6 numbers isn’t that much more difficult than 2.
Yes, this link has been disabled as per (dumb) organisation policy.
It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft’s web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don’t require internet connection.
We let anyone use any authentication app. The Microsoft one is the best one. I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps. You don’t have to use your Microsoft account provided to use the app or back up your credentials.
I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.
While I understand this… Why not just refuse to support and NOT remove the capability for all those who don’t need support and work just fine with their own? It’s not like TOTP isn’t a solved problem at this point.
Eg. “we only support MS auth, If you choose to use your own you will not receive any company support.”
Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don’t get it. Is a losing battle.
Because that shit only works in fantasy land.
Glad to know my company, and the companies I contract for are fantasy land then.
employees WILL expect support
And they will get it if they use the company default options.
Nothing about this is losing. I’m CIO for 3 separate companies (2 by contract). None of them have issues with this type of policy. We do bare minimum to not limit the toolset they can use and support a specific set of tools that we like the best. That’s it. Those who are smart enough to use their own tools clearly know enough about IT to make good decisions that we can trust. The rest use the default tools… and we support those tools explicitly.
More importantly, we’re not shitting on those who ARE making good decisions overall, but just have a preference. That makes the employees feel heard and keeps them happy. Keeping them happier keeps everyone more productive.
The option to use TOTP is already well hidden. It’s not like someone who does not know what he is looking for and uses an Authenticator already will accidentally select it.
As a security enthusiast, please also push for allowing physical security keys. They are awesome.
Upvote for providing an explanation, though I personally favour employee freedom.
Is Microsoft Authenticator available on Linux?
It’s on Android, but
I meant more generally
Ms auth is a mobile only application. Not even available on windows or macOS. The point of it is to provide a second factor of authentication in the for of “something you have”. There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). Ms auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.
Why couldn’t “laptop” be a second factor?
It is using windows hello on compatible machines and through persistent tokens on Mac and Windows machines not compatible with hello. You have to create that token with a known factor such as a mobile device but outside of that, users almost never have to sign in with persistent tokens.
≥ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.
Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.
a work appointed phone
With all the tracking that comes with it.
Not much of a privacy risk if it where used for a dedicated purpose and just left off in a drawer otherwise though. My employers pushed the notion of MS authenticator, but left the options to use regular TOTP available, just had to look a bit to find them. Even if they absolutely forced corp software though, a cheap wifi-only setup device is a viable option.
Agreed. From a privacy perspective, it is a lot safer to run the app in an environment where you have admin control. E.g. disable when not in use, block access to sensitive device information, limit background and network activity as much as possible.
Who cares? It’s a work phone that is used only for work, they are entitled and expected to track it as much as my work laptop or any other company equipment. That’s not a privacy issue unless you’re using company resources for personal stuff. If I don’t want them tracking me I just turn it off or leave it at home.
They might expect you to be available via the phone 24/7 and carry such sensor packed device anywhere.
I’ll be available 24/7 when they pay me 24/7.
This is the way.
And my point was that a separate corporate device makes it trivial to manage my privacy and availability. Using my personal phone for work is a hard NO.
Your point is illogical.
You stated
they are entitled and expected to track it
Just to turn around and back-peddle
If I don’t want them tracking me I just turn it off
Are they entitled to it or not? If they’re entitled, then why do you have a right to cut it off? I’d argue they have no right to it to track me off hours at all… regardless of the device used. u2f tokens like yubikey would be just as sufficient for 2fa with none of the tracking.
The point is that the phone will be tracking 24/7 regardless of your actual availability.
A faraday cage on your work desk can take care of that during off hours, especially since most batteries have become non-removable and phones don’t truly shut down anymore. Just put your work phone into the cage when your shift ends, take it back out when your next shift starts. Easy peasy!
And if they demand 24/7 access, they will need to provide 24/7 pay.
Not sure I understand what the faraday cage would accomplish. It’s the companies device. You’d be skipping this presumption outlined earlier in the thread
they are entitled and expected to track it as much as my work laptop or any other company equipment.
Leaving the work phone at work is a valid answer to me. Assuming that doesn’t actually come with any other downsides (working offsite and having to return to the office on unpaid time just to drop off the phone for example).
yes? use it solely for work purposes, at work, turn it off when you clock out…
your employer is not your friend.
I work for a global company and help manage MFA for everyone…I use Google’s authenticator on my personal phone as they didn’t give me a work phone.
I still don’t understand why a hardware token isn’t being used. It’s such a low cost option when compared to buying a phone and plan for a user.
Because you can’t call someone on a hardware token.
But not everyone needs to have a work phone, some just need to authenticate
Then buy them an iPod touch.
you should really use FreeOTP+ instead. https://f-droid.org/en/packages/org.liberty.android.freeotpplus/
deleted by creator
I put the stupid app on my phone.
Never use your own personal phone for work related stuff.
If they want you to use a phone-based app, ask them to help you install it, then bring in an early-2000s feature phone that boots straight from ROM, no Android or KaiOS under the hood.
As in, force the company to get you a company phone.
deleted by creator
deleted by creator
deleted by creator
What am I going to do, quit over using an app?
Why quit?
Ask them for help installing the app.
Then bring in an early-2000s flip phone with your SIM already in it, so you can prove that you are using it.
An employer cannot demand that you buy your own work tools unless it is written into the employment contract (auto mechanics, etc.). Provide them with a phone that they themselves cannot install the app on. Any early-2000s feature phone will not have an operating system with app functionality. An older but still smartphone-like BlackBerry running BBOS10 will also work in this regard, especially if you have uninstalled the Amazon App Store.
Even an Android phone whose newest possible version of Android pre-dates the oldest version that this app will install on can also work. For example, any Android phone which cannot be upgraded past Android 7 would be perfect with respect to MS Authenticator, as the current version will only install on Android 8 or newer. If you bring in a phone that has no ability to have Android 8 or later installed, your place of work will either have to exempt you or provide you with a work phone for that app.
You have solutions to keep work apps off of your personal devices, and few employers will have the legal ability to force you to buy a modern phone just for an app of their choosing. Moreover, it is your right to not have to suffer unreasonable employer demands just to have a job. That’s why worker protections exist in places where conservatives haven’t eviscerated those protections.
Act like you are a smartphone-phobe, and let them figure things out.
deleted by creator
You do what you think you need to do, buuuuuut…
I’m in a senior level engineering position.
You are already exceedingly difficult to trivially replace. It’s entry-level devs which are a dime a dozen. Senior level engineering positions are frequently open for many months because candidates in general are difficult to find, much less good candidates.
Colour me biased, but I strongly think you are significantly underselling your own power and influence. Any company worth working for isn’t going to turf a senior engineer over a $40 stipend unless their middle manglement positions are staffed with morons.
Well, it’s your calculus to make, not mine.
deleted by creator
Never use your own personal phone for work related stuff.
As someone who does this, my main issue is now I am carrying around two phones. This is a daily annoyance for me.
My next round I think I am going to drop the work phone and use Androids profile options. Setup a work profile on my personal phone and just use that. Then just have work reimburse me for my personal phone/plan.
Lots of great conversation here, I also work somewhere where this is required. If I didn’t need my phone for access to chat, I just wouldn’t use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.
Just ask whether they can provide a phone as well.
You can just use FreeOTP
My company has the same policy
For 2FA? You can use any 2FA just make backups
The post says that the admins disabled the use of all others.
What is your concern about installing MS Authenticator.
I mean I can understand the principle of being forced to install anything on your phone.
But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?
Not really. It checks your location when you authenticate. It doesn’t store the location.
I don’t care whether it stores the location. The problem is that it sends it to your employer. And so do all Microsoft apps. Teams for example makes full reports for managers to peruse about all kinds of information taken from each employee’s device, including location and whether they were using the device and when.
200 MB of wasted personal disk space just so you can log in to a work account
Ok, but most workplaces require some form of apps installed for access, shared documents etc.
How many would install Figma, Office, Expensify, Jira, Confluence or a whole other raft of work apps if it wasn’t for work?
I mean, sure, it’s annoying but is MS Authenticator really the hill people want to die on?
Yeah but you install that stuff on your work computer. If my job requires me to use an authenticator on a non-work phone, then at least let me use the one I’m already using.
I’m not concerned per se and I definitely applaud the MFA requirement. I mean I hate MS and don’t like apps I don’t need, and I don’t trust them, but as others pointed out this would mostly just be whiny. That’s why I asked for reasons why restricting users to MS Authenticator would be preferable. If it’s more secure or technically way easier and thus cheaper to maintain then fine, I’ll find an acceptable way to comply. If not, then it’s them who are whiny and I’d rather make the case to let us use whatever authenticator we already have installed.
reasons why restricting users to MS Authenticator would be preferable
As a security professional:
- Under most situations, it is equally as good as any other 2FA app.
- Within the Microsoft ecosystem, it provides additional security features above and beyond simple 2FA.
If your workplace is leaning heavily on the Microsoft ecosystem, especially their cloud offerings like Azure, then restricting employees to the Microsoft app is a no-brainer, and actually quite reasonable.
For example, if they happen to have a hybrid domain with an on-prem domain controller syncing with Azure (forgive me for using obsolete terms, I’m a greybeard), then they can control all access to all company assets, including 2FA. If an employee leaves the company, they can also disable the Microsoft app at a moment’s notice by disabling the employee’s Microsoft account. Because everything is hooked into Azure, it sends push notifications down to all company assets - like the Microsoft 2FA app - to unhook all of the company’s credentials and prevent employee access after the fact.
You cannot do this with other 2FA apps.
This is disingenuous though… You can simply reset the TOTP seed on any account to achieve the same operation. We use AuthLite on a local domain… I can disable an account domain-wide by simply resetting the TOTP seed or disabling the account. Using an Azure domain and MS app doesn’t add any value in that regards. All of the online office stuff can be linked onto a local domain as well and would also be disabled.
But MS Authenticator isn’t a normal 6-digit Authenticator; it scans your Face ID (or finger print) and in many cases (like my work) it can be support password less accounts (relying only on something you have and something you are).
And in regard to your point that you don’t want to install apps you don’t need, it sounds like you do in fact need this app.
🤷♀️
AFAIK on Android it has a hard dependency on Google services. I don’t mind installing proprietary stuff to my work profile for the express purposes of work but that requires modifying my system to accommodate this specific app and that’s a step too far for my personal device. So I use a free software option (Aegis) instead.
edit: if for some reason I really did need MS Authenticator and not any old TOTP app, I would procure a googled device specifically for work rather than install google or microG into my personal device.
Do like a friend of mine. He has a 15 dollar a month phone(mint mobile) that he uses for all his job related bullshit. Its all it does and he has no personal accounts on it at all. It kinda sucks that they insist on him using his own equipment for it but its the cheapest way to keep them out of his personal life.
I guess if there is WiFi, he won’t even need a mobile data plan, so he could safe lots of money.
Would you even need a monthly plan for this kind of thing? It just needs to be able to install the app and run it. If it needs internet you can connect to WiFi. You can get a sim free android for about £50 outright now.
Surely your work landline number is your work number? The phone is just to run the authenticator service.
If you don’t have a desk phone (or desk) then you’d have a company supplied mobile if they expected you to take business calls. No?
