So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
When setting up the authentication when it asks you to set up Microsoft authenticator there should be a drop-down at the bottom of the page that says use another option that will allow you to use a phone call or text message as your chosen method of authentication.
This can be configured for the Microsoft tenant. The admin can allow all possible MFA vectors or restrict it to just a single one such as the Microsoft Authenticator. Microsoft themselves are also pushing the Authenticator, which is actually fine. I haven’t done any packet captures to see what it is sending back to Redmond, but the most secure method is great. The service you are logging into generates a two-digit number that you must enter when prompted in the Authenticator app.
Still, I’ve seen issues arise when an employee only has a flip phone or flat out refuses to install any app required for work on their personal devices. IT departments will typically fold to pressure and allow a call or text for MFA because they did not want to buy, configure, and send out phones to employees refused.
I’ve also seen IT send a company phone to a specific user that refused to allow Microsoft to have their phone number for calls or texts too. Legal told them they could not require the employee to use their personal property or reveal personal details to Microsoft in order to work.
You’re wasting your life trying to fight battles you don’t even understand.
Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Thanks for the input?
There’s no “battle” here. It’s their phone, end of discussion. They don’t need to justify to you or anyone what they do and do not want on it.
What you don’t understand is that a worker does not need your permission or approval to exercise their right to control their personal property, and that right far exceeds any concerns about how easy the IT admin’s job is.
Maintain a veil of separation between personal and business. Just say you can’t install it.
They must then provide you with needed hardware.
Just say you don’t have a smartphone…you have a flip phone…doesn’t matter.
And don’t fall for the argument that companies require ties also, they can require cell phones… Not at all same thing.
Just say you don’t have a smartphone…you have a flip phone…
Recently looked into this, pretty much 100% of currently-available flip phones are still smartphones under the hood, running either Android or KaiOS. And you can still install apps on these phones.
The only truly “dumb phone” appears to be the Rotary Un-Phone, or a vintage feature phone from the early 2000s that boots straight from ROM - instant-on, no visible boot process whatsoever.
…it won’t let me edit my other comment but I wanted to add that YES using MFA is demonstratively far more safe than any password you can set.
With a multi factor enabled you could literally give your password out and people could not access your account without being able to complete that second layer of security.
He said he wants to use mfa, but a normal generated token instead of the Microsoft one.
What is your concern about installing MS Authenticator.
I mean I can understand the principle of being forced to install anything on your phone.
But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?
200 MB of wasted personal disk space just so you can log in to a work account
Ok, but most workplaces require some form of apps installed for access, shared documents etc.
How many would install Figma, Office, Expensify, Jira, Confluence or a whole other raft of work apps if it wasn’t for work?
I mean, sure, it’s annoying but is MS Authenticator really the hill people want to die on?
Yeah but you install that stuff on your work computer. If my job requires me to use an authenticator on a non-work phone, then at least let me use the one I’m already using.
AFAIK on Android it has a hard dependency on Google services. I don’t mind installing proprietary stuff to my work profile for the express purposes of work but that requires modifying my system to accommodate this specific app and that’s a step too far for my personal device. So I use a free software option (Aegis) instead.
edit: if for some reason I really did need MS Authenticator and not any old TOTP app, I would procure a googled device specifically for work rather than install google or microG into my personal device.
I’m not concerned per se and I definitely applaud the MFA requirement. I mean I hate MS and don’t like apps I don’t need, and I don’t trust them, but as others pointed out this would mostly just be whiny. That’s why I asked for reasons why restricting users to MS Authenticator would be preferable. If it’s more secure or technically way easier and thus cheaper to maintain then fine, I’ll find an acceptable way to comply. If not, then it’s them who are whiny and I’d rather make the case to let us use whatever authenticator we already have installed.
But MS Authenticator isn’t a normal 6-digit Authenticator; it scans your Face ID (or finger print) and in many cases (like my work) it can be support password less accounts (relying only on something you have and something you are).
And in regard to your point that you don’t want to install apps you don’t need, it sounds like you do in fact need this app.
🤷♀️
I’m guessing they never mentioned that it tracks your location? That’s why they insist on using it not any of the other bullshit.
reasons why restricting users to MS Authenticator would be preferable
As a security professional:
- Under most situations, it is equally as good as any other 2FA app.
- Within the Microsoft ecosystem, it provides additional security features above and beyond simple 2FA.
If your workplace is leaning heavily on the Microsoft ecosystem, especially their cloud offerings like Azure, then restricting employees to the Microsoft app is a no-brainer, and actually quite reasonable.
For example, if they happen to have a hybrid domain with an on-prem domain controller syncing with Azure (forgive me for using obsolete terms, I’m a greybeard), then they can control all access to all company assets, including 2FA. If an employee leaves the company, they can also disable the Microsoft app at a moment’s notice by disabling the employee’s Microsoft account. Because everything is hooked into Azure, it sends push notifications down to all company assets - like the Microsoft 2FA app - to unhook all of the company’s credentials and prevent employee access after the fact.
You cannot do this with other 2FA apps.
This is disingenuous though… You can simply reset the TOTP seed on any account to achieve the same operation. We use AuthLite on a local domain… I can disable an account domain-wide by simply resetting the TOTP seed or disabling the account. Using an Azure domain and MS app doesn’t add any value in that regards. All of the online office stuff can be linked onto a local domain as well and would also be disabled.
You don’t even need to disable an ex-employee’s ability to generate TOTP codes… Once the account is disabled what use are the codes?
It tracks your location.
Not really. It checks your location when you authenticate. It doesn’t store the location.
During the enrollment you can tap on the option to use another method and have it send you a text code instead of using the app.
SMS is inherently insecure as a MFA, consider using aegis for your TOTP codes instead.
Not if the company has disabled sms for mfa as they should have.
I am in IT and I feel like I speak for the industry we don’t care. Some of my customers have regulators who make arbitrary and capricious decisions with a minimal understanding of infosec but we have to keep the customer compliant.
For 2FA? You can use any 2FA just make backups
The post says that the admins disabled the use of all others.
Grab the shelter app from f Droid, add the Play store in shelter, move over to the work side Play store and install the authenticator.
Pause your work apps except for when you need to use the authenticator.
Prosper???
If you don’t care about the money you get paid every fortnight then go ahead. Nobody cares! For employers , you are just a number and for you ,employer is the means to get paid.
If you don’t need the money then fuck it.
Get a used /cheap phone or tablet, only turn it on or enable wifi when you need the app. Don’t use it for anything else. I think that covers all the bases.
we have o365 and while i do have the authenticator, you should also be able to add a phone number or email address for text/email codes instead of the authenticator (i know my coworker doesn’t have the authenticator but gets codes to her sms)
At what point can you tax deduct your phone as a business expense?
Demand hardware tokens for authentication.
Do hardware tokens support Linux nowadays?
Or tell your IT department to think ahead and skip the part where we use personal devices to ensure the security of company devices and data. That will eventually change, and we’re going to look back on it the same way we look back on letting users receive work emails on any device with nothing but a password.
If you want security, use company devices. It’s really simple.
No company has any right to force people to use their private phones for company purposes. I’d absolutely refuse to let them install anything whatsoever on my phone. If they want me to use a phone for work, they’ll have to give me one.
No company has any right to force people to use their private phones for company purposes.
Got a reputable source on that one that’s valid for all 50 states?
“Diplomjodler” sounds German so probably different laws apply…
Many work places require employees to bring their own tools (eg auto mechanic). Requiring a phone or tablet is probably legal.
In the US
I think if that’s the case, I’d get an inexpensive phone with a prepaid plan… and make it clear that it gets turned off if not on call or otherwise pre-arranged.
Or leave it in the office, always on charge, and with no lock screen so anyone can take the phone and accept a request
That sounds like a terrible security practice but at least it only puts your company at risk
That sounds like a terrible security practice but at least it only puts your company at risk
You should get your lemmy checked for dementia
I think my instance is having an issue
The app will enforce a lock screen.
That sounds like a terrible security practice but at least it only puts your company at risk
That sounds like a terrible security practice but at least it only puts your company at risk
That’s the point. Malicious compliance.
This is what it’s heading to eventually. This “authentication using a personal device that the IT department can’t control” crap will eventually evolve into “they must control the device”. Which means they just need to quit being cheap and buy devices they can manage for this purpose.