So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
I work in cybersecurity for a large company, which also uses the MS Authenticator app on personal phones (I have it on mine). I do get the whole “Microsoft bad” knee-jerk reaction. I’m typing this from my personal system, running Arch Linux after accepting the difficulties of gaming on Linux because I sure as fuck don’t want to deal with Microsoft’s crap in Windows 11. That said, I think you’re picking the wrong hill to die on here.
In this day and age, Two Factor Authentication (2FA) is part of Security 101. So, you’re going to be asked to do something to have 2FA working on your account. And oddly enough, one of the reasons that the company is asking you to install it on your own phone is that many people really hate fiddling with multiple phones (that’s the real alternative). There was a time, not all that long ago, where people were screaming for more BYOD. Now that it can be done reasonably securely, companies have gone “all in” on it. It’s much cheaper and easier than a lot of the alternatives. I’d love to convince my company to switch over to Yubikeys or the like. As good as push authentication is, it is still vulnerable to social engineering and notification exhaustion attacks. But, like everything in security, it’s a trade off between convenience, cost and security. So, that higher level of security is only used for accessing secure enclaves where highly sensitive data is kept.
As for the “why do they pick only this app”, it’s likely some combination of picking a perceived more secure option and “picking the easiest path”. For all the shit Microsoft gets (and they deserve a lot of it), the authenticator app is actually one of the better things they have done. SMS and apps like Duo or other Time based One Time Password (TOTP) solutions, can be ok for 2FA. But, they have a well known weakness around social engineering. And while Microsoft’s “type this number” system is only marginally better, it creates one more hurdle for the attacker to get over with the user. As a network defender, the biggest vulnerability we deal with is the interface between the chair and the keyboard. The network would be so much more secure if I could just get rid of all the damned users. But, management insists on letting people actually use their computers, so we need to find a balance where users have as many chances as is practical to remember us saying “IT will never ask you to do this!” And that extra step of typing in the number from the screen is putting one more roadblock in the way of people just blindly giving up their credentials. It’s a more active thing for the user to do and may mean they turn their critical thinking skills on just long enough to stop the attack. I will agree that this is a dubious justification, but network defenders really are in a state of throwing anything they can at this problem.
Along with that extra security step, there’s probably a bit of laziness involved in picking the Microsoft option. Your company picked O365 for productivity software. While yes, “Microsoft bad” the fact is they won the productivity suite war long, long ago. Management won’t give a shit about some sort of ideological rejection of Microsoft. As much as some groups may dislike it, the world runs on Microsoft Office. And Microsoft is the king of making IT’s job a lot easier if IT just picks “the Microsoft way”. This is at the heart of Extend, Embrace, Extinguish. Once a company picks Microsoft for anything, it becomes much easier to just pick Microsoft for everything. While I haven’t personally set up O365 authentication, I’m willing to bet that this is also the case here. Microsoft wants IT teams to pick Microsoft and will make their UIs even worse for IT teams trying to pick “not Microsoft”. From the perspective of IT, you wanting to do something else creates extra work for them. If your justification is “Microsoft bad”, they are going to tell you to go get fucked. Sure, some of them might agree with you. I spent more than a decade as a Windows sysadmin and even I hate Microsoft. But being asked to stand up and support a whole bunch of shit because of one user’s unwillingness to use a Microsoft app, that’s gonna be a “no”. You’re going to need a real business justification to go with that.
That takes us to the privacy question. And I’ll admit I don’t have solid answers here. On Android, the app asks for permissions to “Camera”, “Files and Media” and “Location”. I personally have all three of these set to “Do Not Allow”. I’ve not had any issues with the authentication working; so, I suspect none of these permissions are actually required. I have no idea what the iOS version of the app requires. So, YMMV. With no other permissions, the ability of the app to spy on me is pretty limited. Sure, it might have some sooper sekret squirrel stuff buried in it. But, if that is your threat model, and you are not an activist in an authoritarian country or a journalist, you really need to get some perspective. No one, not even Microsoft is trying that hard to figure out the porn you are watching on your phone. Microsoft tracking where you log in to your work from is not all that important of information. And it’s really darned useful for cyber security teams trying to keep attackers out of the network.
So ya, this is really not a battle worth picking. It may be that they have picked this app simply because “no one ever got fired for picking Microsoft”. But, you are also trying to fight IT simplifying their processes for no real reason. The impetus isn’t really on IT to demonstrate why they picked this app. It is a secure way to do 2FA and they likely have a lot of time, effort and money wrapped up in supporting this solution. But, you want to be a special snowflake because “Microsoft bad”. Ya, fuck right off with that shit. Unless you are going to take the time to reverse engineer the app and show why the company shouldn’t pick it, you’re just being a whiny pain in the arse. Install the app, remove its permissions and move on with life. Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.
This is incredibly well said and I agree 100%. I’ll just add that software TOTP is weaker than the MS Authenticator with number matching because the TOTP seed can still be intercepted and/or stolen by an attacker.
Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the “something you have” second factor in my threat model.
While I prefer pure phishing-resistant MFA methods (FIDO2, WHFB, or CBA), the support isn’t quite there yet for mobile devices (especially mobile browsers) so the MS Authenticator is the best alternative we have.
Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the “something you have” second factor in my threat model.
The administrator can restrict this.
We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.
Admins can’t control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don’t think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.
Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.
Unless you are going to take the time to reverse engineer the app and show why the company shouldn’t pick it, you’re just being a whiny pain in the arse.
You’re god damn right they are, and they have every right to be. I’m in IT too and I’m absolutely sick of the condescending attitude and downright laziness of people in the field who constantly act like what the users want doesn’t matter. If they don’t want it on their personal device, they don’t need a damn reason.
This job is getting easier all the time, complaining because users don’t want Microsoft trash on their phone might make marginally more work for you is exactly as whiny.
Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.
I see this all the time and it’s downright hysterical. Who the hell can’t handle having to have two devices on them?
“Oh yeah you’ll regret asking for this! Just wait till you have to pull out that other thing in your bag occasionally! You’ll be sorry you ever spoke up!”
Also, develop some pattern recognition. If you can’t see how Microsoft makes this substantially worse once other methods have been choked out, you haven’t learned a thing about them in the last 30 years.
You cannot be forced to give your employer access to your property, so just say that you cannot install it on your phone. Make sure you say that it isn’t possible. You don’t have to make it sound voluntary. You can just say “I cannot install this on my phone”. Even if the reason is because you refuse to install it, it doesn’t matter, that’s your call to make with your own property.
Your employer will either need to find another solution that you can use, or they will need to issue you a company phone so that you can use the mobile software they require you to use.
I work for a municipal government where we all receive a phone stipend because of 2FA.
If we use our personal phones for city business, they become searchable in Open Records Requests.
Also, the Microsoft Intune app, which checks if your device is compliant, requires a high level permission which allows it to remote wipe your device. This is in case your device has sensitive data and gets stolen/falls into the wrong hands. This is a very risky direction where we are handing off admin access of our phone to our employers.
You don’t need the Intune app to use the authenticator.
I work for an MSP servicing 5k users all of whom I force to use M$ Auth app. Because it is the best Authenticator on the market, their company is paying for it, and because I look at the sign in logs for 3-4 different organizations every day to see literal hundreds of foreign sign-in attempts that fail due to M$ MFA. Yeah fuck monopolistic megacorps but understand when they provide an actual good product that is safe to use and actively protects you as an individual better than anything else out there.
All that said, the most likely reason is that they don’t want to make a document explaining how to set up MFA for each of the dozen+ apps out there and they certainly don’t want to talk to users who don’t know what they are doing with whichever app their kid set up for them.
I’m sure you know what you’re doing better than 80% of the other employees in your office in this regard but I can tell you from experience, when one person gets their way, everyone wants theirs too.
You left out two things:
- It doesn’t change anything for the company if they allow the normal TOTP protocol in MS Authenticator. People who don’t care will use it. People who care can use other authenticator apps.
- The reason companies insist on MS Authenticator is because it reports the employee’s location.
- It doesn’t change anything for the company with exception to billable IT time used when the authenticator confuses users which is already high with only one authenticator.
- It doesn’t report location, Entra login reports location regardless of authentication method used.
- Why should users care about the company’s billables, first of all. Secondly, it’s a red herring because there’s nothing compelling them to offer support for 3rd party authenticators or even mention them. It’s just a flip switch in the settings. Savvy users will try a 3rd party first anyway.
- Potayto, potato. The location info comes from and including Authenticator. What is the point of fetching location in a TOTP generator if not to check up on it?
- The company makes the rules under which you are employed. If you don’t like it, legislate against it or find another employer. Also, like I said, there are no 3rd party authenticators that are more secure with entra ID.
- Like I said, M$ auth literally does not report location while authenticating. It only pulls location requests when signing in through the app to create the authentication token and even then it is not a requirement. Entra pulls location using your IP address on the device you are signing in with.
If your company is enforcing geographic location as a security qualifier then MS Authenticator can poll your device. Also you can use push authentication with the MS suite.
It’s done by IP address not phone or laptop GPS.
I just got it enabled and it most definitely wants your location. It has to poll my device’s location once an hour by my work’s policy.
That might be an optional requirement which can be set by the admins. On my phone (Android) I have disabled location permissions for the MS Authenticator app. I have no issues logging in. I also regularly have to deal with alerts for users with improbable geographic logins, because they have a VPN on their phone. So, they login from their PC from one location and then their phone logs into Azure from the other side of the planet moments later.
Yes it’s optional. A lot of companies have compliance requirements where none of this would fly.
The ms authenticator works in ‘reverse’ in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can’t be social engineered into giving out a 2fa token. It also has a “no this wasn’t me” button to allow you to (I assume) notify IT if you are getting requests that are not you.
I don’t believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?
And the authenticator is configurable and they can enforce some device security like not rooted, bootloader locked, storage encryption is on through the Intune work profile. If you work at a bank, you don’t want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point come on you can probably afford Yubikeys).
As a user, not a fan, but as an IT department it makes complete sense.
You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.
For now.
The point is, the patterns in software security are pretty clear. People will keep finding ways around the authenticator, eventually someone will get their account compromised, and at some point it will get more restrictive.
It doesn’t matter how it works now, because once it’s normalized that this Microsoft app must be on your phone so you can work, and it must operate exactly as it wishes to, Microsoft will be able to start pushing more restrictions.
At a certain point, the device simply has to be verified as secure in and of itself before it can keep another device secure. Meaning your phone will be brought under your workplace’s security policies.
What? No. This is complete hyperbole and speculation, and off at that too. Their Authenticator is used for personal accounts as well as managing 3rd party TOTP tokens. It’s no different than Google Authenticator, DUO Authenticator or Okta Authenticator. I could see that on a far end if they come out with a business only version, but given that everything is backed on their same platform it doesn’t behoove them to do that.
If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.
And no, Microsoft cannot be trusted on not doing anything bad. The app is full of trackers and has an excessive list of permissions it “requires”.
For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.
Microsoft has a long track record of leaks. Just naming the 2 most prominent:
We let anyone use any authentication app. The Microsoft one is the best one. I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps. You don’t have to use your Microsoft account provided to use the app or back up your credentials.
Upvote for providing an explanation, though I personally favour employee freedom.
Is Microsoft Authenticator available on Linux?
Ms auth is a mobile only application. Not even available on windows or macOS. The point of it is to provide a second factor of authentication in the form of “something you have”. There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). Ms auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.
Why couldn’t “laptop” be a second factor?
It is using windows hello on compatible machines and through persistent tokens on Mac and Windows machines not compatible with hello. You have to create that token with a known factor such as a mobile device but outside of that, users almost never have to sign in with persistent tokens.
Can you claim that you don’t have a smartphone? Then they’d either have to provide an alternative authentication method, or provide you with a phone.
I’ve been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven’t looked much into the privacy aspect of it, though.
If it has Microsoft’s name on it, the privacy implications are horrendous. Guaranteed.
Strong disagree with Microsoft Authenticator being well done - anything that is needlessly incompatible with competitors is bullshit. Either make your authenticator use the standard or fuck off.
You can say no, and if they won’t budge buy a cheap old phone off Swappa or craigslist or marketplace for $20 install Ms authenticator on it and leave it at your desk.
What do you have against ms authenticator?
It’s proprietary closed source software, and if it’s mandated to run on your device, it could be collecting a lot of telemetry that is not in your best interest.
It increases your security risk surface, more software to be made secure and update etc it’s an extra burden
In my case they didn’t disable the option to use any authenticator for 2FA.
So I just use another one.
I don’t see why forcing MS Authenticator will be better than any other authenticator.
The person who forces it is for sure not a security expert.
It will be easier for hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.
How would MS Authenticator make it any better than TOTP?
To break TOTP, the attacker would need to:
a) be able to observe the initial exchange of the TOTP secrets. To do that, the attacker needs access to the victim’s computer (on user level) at that specific time they set up TOTP. TOTP is a TOFU concept and thus not designed to protect against that. However, if the attacker controls the victim’s computer at that time, the victim is screwed anyways even before setting up 2FA.
b) have access to the TOTP app’s secret storage and to the victim’s login credentials (e.g. by phishing). If the attacker can gain that level of access, they would also have access to the Microsoft Authenticator’s secret storage, so there is no benefit of the Microsoft app.
On the other hand, Microsoft Authenticator is a very huge app (>100MB is huge for an authenticator app, Aegis is just 6MB, FreeOTP+ 11MB), i.e. it brings a large attack surface, especially by connecting to the internet.
I don’t think Microsoft Authenticator brings security benefits over a clean and simple TOTP implementation.
It will be easier for hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.
Security through obscurity is not security.
Additionally, any method that generates a code locally that needs to match the server will not be secure if you can extract the key used locally. Yes you can argue that more users makes a juicier target, but I’d argue that Microsoft has the resources to spend reducing the chance of an exploit and the resources to fix it fairly quickly. Much more so than any brand new team.
The default authentication option for the company I work for is that a code is displayed in the screen of the device I’m logging into AND a push notification is sent to the Authenticator app, the app then prompts me to enter the code from authenticating device. To break that you’d need the username, password, a clone of the phone/device used to authenticate (or the original), and the user’s PIN for that device (MS Authenticator requires this to complete the authentication.)
Yes MS Authentication services do sometimes go down, and yea it can impact my ability to work.
I am by no means a MS fanatic, but I’d trust them for mission critical authentication over something like Authy.
I’m also not a fan of MS spyware.
But in defence of the MS authenticator, the 2FA prompts it sends are very convenient, how they pop up and ask for the number displayed on screen, it’s definitely more secure than just the one time code.
Plus it also shows what phone the user is using when they install and configure the authenticator app, this is also very useful if you suddenly see the user accessing their mail or one drive from another mobile device.