So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.
Ask if you could get a hardware token (ie: Yubikey Security Key) instead of using Microsoft Authenticator to fulfill the security requirements. It’s low cost and doesn’t require a subscription unlike a cellphone plan.
You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.
Reputable Source?
At least in Quebec:
Employers’ Responsibilities Towards
These are the main ones:
- Employers must give their employees a place to work and make sure they have access to it. They must give them the tools, equipment and other things they need to do their work.
https://educaloi.qc.ca/en/capsules/rights-and-responsibilities-of-employers-and-employees/
We have O365 and while I do have the authenticator, you should also be able to add a phone number or email address for text/email codes instead of the authenticator (I know my coworker doesn’t have the authenticator but gets codes to her SMS).
Is your company mandating Push Authentication or are you entering 6-digit codes?
If it’s the former, MS Authenticator is the only option.
If it’s the latter, you can use any TOTP app you like, e.g. Aegis.
Afaik, Microsoft’s OTP implementation is proprietary and not TOTP.
But also, my understanding is you can select which MFA schemes you can use, and allow SMS, MS MFA, and TOTP.
Source: employer used to allow sms, locked it down, and totp apps can’t parse the MS authenticator QR codes.
I’m using Aegis as TOTP with Microsoft at my company right now.
Not true. Work at an MSP that has hundreds of Microsoft accounts in our password managers with TOTP. We even migrated password managers and had no issues with TOTP.
That said, we are moving away from shared admin accounts and we will have delegated access enabled with JIT for better security soon.
Ok. Did a quick read. And I think I mixed my words a little.
Yes, Active Directory supports TOTP fine.
But my understanding is rollouts can disable TOTP, and instead force the use of the proprietary scheme requiring the MS Authenticator app (which also supports TOTP) that uses push notifications to the device.
As is the case with my employer. They didn’t enable TOTP, and I am unable to use the provided MFA QR code with 1Password.
When you start the MFA registration process for a Microsoft account and select the Authenticator as the method, there is a link at the bottom of the page about using a different app. Sure, it will only generate a rotating code instead of the “easier” method of just entering a 2-digit number when prompted on the phone, but entering 6 numbers isn’t that much more difficult than 2.
I work for an MSP servicing 5k users all of whom I force to use M$ Auth app. Because it is the best Authenticator on the market, their company is paying for it, and because I look at the sign in logs for 3-4 different organizations every day to see literal hundreds of foreign sign-in attempts that fail due to M$ MFA. Yeah fuck monopolistic megacorps but understand when they provide an actual good product that is safe to use and actively protects you as an individual better than anything else out there.
All that said, the most likely reason is that they don’t want to make a document explaining how to set up MFA for each of the dozen+ apps out there and they certainly don’t want to talk to users who don’t know what they are doing with which ever app their kid set up for them
I’m sure you know what you’re doing better than 80% of the other employees in your office in this regard but I can tell you from experience, when one person gets their way, everyone wants theirs too.
You left out two things:
- It doesn’t change anything for the company if they allow the normal TOTP protocol in MS Authenticator. People who don’t care will use it. People who care can use other authenticator apps.
- The reason companies insist on MS Authenticator is because it reports the employee’s location.
- It doesn’t change anything for the company with exception to billable IT time used when the authenticator confuses users, which is already high with only one authenticator.
- It doesn’t report location. Entra login reports location regardless of authentication method used.
- Why should users care about the company’s billables, first of all. Secondly, it’s a red herring because there’s nothing compelling them to offer support for 3rd party authenticators or even mention them. It’s just a flip switch in the settings. Savvy users will try a 3rd party first anyway.
- Potayto, potato. The location info comes from and including Authenticator. What is the point of fetching location in a TOTP generator if not to check up on it?
I won’t allow any MS stuff on any of my devices.
I managed to get around the MS auth app and am using aegis right now.
I don’t really get the rub here. I’m all for separating work devices and personal devices, but the 2FA apps don’t leak any info and the company can’t “do” anything to your phone remotely. The apps work in airplane mode. I also want to bet more than half the users that complain about this use the company’s free WiFi.
Get a flip phone and say you can’t install it, however SMS 2fa is very insecure.
The apps work in airplane mode
They’re talking about Microsoft Authenticator, not any MFA. It doesn’t work on airplane mode if they require number matching.
also want to bet more than half the users that complain about this use the company’s free WiFi.
…and? The wifi isn’t installed on their phone, the fuck does that matter?
If you’re in the US, that could very well get you fired in any “at will employment” state. It’s shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).
You can’t just have microsoft text you a code? That’s what I do
That’s the solution I picked at work. Refused to install that Microsoft software on my personal phone, but instead provided a phone number.
If you have a VoIP provider you could even try to provide the VoIP number for MFA instead of providing your real mobile number.
If IT make a comment about you not having the app, ask if they intend to provide a company device for that.
SMS is woefully insecure.
If the company cared, they would provide MFA hardware like Yubikeys to their employees.
Wish I gave a shit. I don’t own the company so fuck it
You might not own the company, but do you like job hunting, the prospect of having the stigma of being the guy who caused a breach following you around, or screwing over your coworkers? No one is an island.
Lol what are you talking about? Stigma, screwing over coworkers? Lol dude you need to relax and get out of your room, make friends and hang out with them. It looks like you have made work your friend. Take my advice yea, all 9-5s are just a number including you, hence you have an employee number. Do your 9-5 and go home yea. Don’t get too involved coz 9-5s are easily replaceable.
Weird seeming personal attack there. In case it is defensiveness from a perceived attack from myself, that’s not what was intended. My intent was to point out the potential consequences of viewing it in such a seemingly myopic way.
- Job hunting and stigma: If one’s accounts are found to be the cause of a breach, and it is found to be due to negligence, there’s a good chance of that resulting in a firing. Being fired due to security-related negligence is likely to make it a challenge to get past screening when hunting for a job (that’s what I mean by stigma). And finally, job hunting fucking sucks, in my opinion.
- Screwing over co-workers: You don’t have to be friends to care about how your action or inaction impacts others. Being the cause of a breach has a real possibility of getting people laid off, if the scope is significant. Maybe less of a big deal if you’re in most countries outside of the US but, here, the ramifications are pretty substantial. For example, I work with several people who are undergoing chemotherapy or who have spouses needing medical care. If laid off, health insurance evaporates and now they literally cannot afford the treatments necessary to live. Others have mortgages or rent to pay. Execs are not even going to entertain the idea of taking on the responsibility that is claimed to be the reason for their absurd pay.
Yes, it is healthy to set boundaries between your work life and personal life and to leave work at work. But, like I said, no one is an island; our actions in our work life can have profound impacts on others.
WoW! You actually need help. It’s not an attack, I genuinely feel like there’s something wrong with you and you should see a therapist so that you can understand, accept and acknowledge the issue.
Are you autistic by any chance? I feel like you have made “work” the purpose of your life. Like without cybersecurity, there’s no purpose in life.
I wish I could help you but I am no expert. Please go see a therapist, please.
Lots of great conversation here, I also work somewhere where this is required. If I didn’t need my phone for access to chat, I just wouldn’t use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.
When setting up the authentication, when it asks you to set up Microsoft Authenticator there should be a drop-down at the bottom of the page that says “use another option”, which will allow you to use a phone call or text message as your chosen method of authentication.
This can be configured for the Microsoft tenant. The admin can allow all possible MFA vectors or restrict it to just a single one such as the Microsoft Authenticator. Microsoft themselves are also pushing the Authenticator, which is actually fine. I haven’t done any packet captures to see what it is sending back to Redmond, but the most secure method is great. The service you are logging into generates a two-digit number that you must enter when prompted in the Authenticator app.
Still, I’ve seen issues arise when an employee only has a flip phone or flat out refuses to install any app required for work on their personal devices. IT departments will typically fold to pressure and allow a call or text for MFA because they did not want to buy, configure, and send out phones to employees who refused.
I’ve also seen IT send a company phone to a specific user that refused to allow Microsoft to have their phone number for calls or texts too. Legal told them they could not require the employee to use their personal property or reveal personal details to Microsoft in order to work.
We let anyone use any authentication app. The Microsoft one is the best one. I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps. You don’t have to use your Microsoft account provided to use the app or back up your credentials.
Upvote for providing an explanation, though I personally favour employee freedom.
Is Microsoft Authenticator available on Linux?
MS Auth is a mobile-only application. Not even available on Windows or macOS. The point of it is to provide a second factor of authentication in the form of “something you have”. There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). MS Auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone, and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.
Why couldn’t “laptop” be a second factor?
It’s on Android, but
I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.
While I understand this… Why not just refuse to support and NOT remove the capability for all those who don’t need support and work just fine with their own? It’s not like TOTP isn’t a solved problem at this point.
Eg. “we only support MS auth, If you choose to use your own you will not receive any company support.”
Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don’t get it. It’s a losing battle.
The option to use TOTP is already well hidden. It’s not like someone who does not know what he is looking for and uses an Authenticator already will accidentally select it.
Because that shit only works in fantasy land.
Glad to know my company, and the companies I contract for are fantasy land then.
employees WILL expect support
And they will get it if they use the company default options.
Nothing about this is losing. I’m CIO for 3 separate companies (2 by contract). None of them have issues with this type of policy. We do bare minimum to not limit the toolset they can use and support a specific set of tools that we like the best. That’s it. Those who are smart enough to use their own tools clearly know enough about IT to make good decisions that we can trust. The rest use the default tools… and we support those tools explicitly.
More importantly, we’re not shitting on those who ARE making good decisions overall, but just have a preference. That makes the employees feel heard and keeps them happy. Keeping them happier keeps everyone more productive.
As a security enthusiast, please also push for allowing physical security keys. They are awesome.
As a cryptography nerd, +100000 to that
Everyone at my job who refused this and caused a huge stink are the ones that are seemingly not around about a year and a half later. Not saying you aren’t right or anything, but I put the stupid app on my phone.
I put the stupid app on my phone.
Never use your own personal phone for work related stuff.
If they want you to use a phone-based app, ask them to help you install it, then bring in an early-2000s feature phone that boots straight from ROM, no Android or KaiOS under the hood.
As in, force the company to get you a company phone.
Never use your own personal phone for work related stuff.
As someone who does this, my main issue is now I am carrying around two phones. This is a daily annoyance for me.
My next round I think I am going to drop the work phone and use Android’s profile options. Set up a work profile on my personal phone and just use that. Then just have work reimburse me for my personal phone/plan.
I have no union and no leverage, they said no. What am I going to do, quit over using an app? My job pays my bills and I don’t have another one lined up, this isn’t the hill I’d die on.
Contact a lawyer that specializes in worker rights. If they make you use private property for work they should compensate you.
You don’t live in reality if you think anyone is going to retain a labor lawyer and sue their employer over using an authenticator app without a phone stipend.
It doesn’t usually need to go to court if the lawyer can remind them of what laws they’re breaking
What am I going to do, quit over using an app?
Why quit?
Ask them for help installing the app.
Then bring in an early-2000s flip phone with your SIM already in it, so you can prove that you are using it.
An employer cannot demand that you buy your own work tools unless it is written into the employment contract (auto mechanics, etc.). Provide them with a phone that they themselves cannot install the app on. Any early-2000s feature phone will not have an operating system with app functionality. An older but still smartphone-like BlackBerry running BBOS10 will also work in this regard, especially if you have uninstalled the Amazon App Store.
Even an Android phone whose newest possible version of Android pre-dates the oldest version that this app will install on can also work. For example, any Android phone which cannot be upgraded past Android 7 would be perfect with respect to MS Authenticator, as the current version will only install on Android 8 or newer. If you bring in a phone that has no ability to have Android 8 or later installed, your place of work will either have to exempt you or provide you with a work phone for that app.
You have solutions to keep work apps off of your personal devices, and few employers will have the legal ability to force you to buy a modern phone just for an app of their choosing. Moreover, it is your right to not have to suffer unreasonable employer demands just to have a job. That’s why worker protections exist in places where conservatives haven’t eviscerated those protections.
Act like you are a smartphone-phobe, and let them figure things out.
Yeah, again I never said you were wrong, just not the hill I’d die on for 40 dollars worth of compensation. If I were going to agitate and apply pressure at work it would be for a significant compensation boost to the tune of tens of thousands of dollars. This won’t work for me as I’m in a senior-level engineering position.
You do what you think you need to do, buuuuuut…
I’m in a senior-level engineering position.
You are already exceedingly difficult to trivially replace. It’s entry-level devs which are a dime a dozen. Senior level engineering positions are frequently open for many months because candidates in general are difficult to find, much less good candidates.
Colour me biased, but I strongly think you are significantly underselling your own power and influence. Any company worth working for isn’t going to turf a senior engineer over a $40 stipend unless their middle manglement positions are staffed with morons.
Well, it’s your calculus to make, not mine.
Do like a friend of mine. He has a 15 dollar a month phone (Mint Mobile) that he uses for all his job-related bullshit. It’s all it does and he has no personal accounts on it at all. It kinda sucks that they insist on him using his own equipment for it, but it’s the cheapest way to keep them out of his personal life.
Would you even need a monthly plan for this kind of thing? It just needs to be able to install the app and run it. If it needs internet you can connect to WiFi. You can get a SIM-free Android for about £50 outright now.
You do if you want to provide that as your “work” number. Unless you’re going to jump through VoIP hoops.
Surely your work landline number is your work number? The phone is just to run the authenticator service.
Not everyone has a desk phone (much less a desk).
If you don’t have a desk phone (or desk) then you’d have a company supplied mobile if they expected you to take business calls. No?
And here I am wishing they would come out with an authenticator watch app, so I didn’t have to do all the work of taking my phone out of my pocket and swiping a few times.
It used to exist, and it was glorious!
😮
What’s needed is an online 2fa service that just takes a username and copies the code to the clipboard.
/s before I get any replies.
The burden…
It’s my lot in life…
Quick question, am I the only one to take my phone out of my pocket and put it on the desk or on a stand? All my colleagues place their phones on their desks as well. Are we weird? At home I have a charging stand.
I work from home. I’m lucky if I can find my phone more than 65% of the time
lol, that makes more sense then.
I have a Google Home device that I can ask “where’s my phone?” and my phone will start to ring. Very handy when I’m in a rush.
Oh I can do this (and do) with my iPhone, but I hate to have to, it feels like giving up lol