So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
You can’t just have Microsoft text you a code? That’s what I do.
That’s the solution I picked at work. Refused to install that Microsoft software on my personal phone, but instead provided a phone number.
If you have a VoIP provider you could even try to use the VoIP number for MFA instead of providing your real mobile number.
If IT make a comment about you not having the app, ask if they intend to provide a company device for that.
SMS is woefully insecure.
You might not own the company but do you like job hunting, the prospect of having the stigma of being the guy who caused a breach following you around, or screwing over your coworkers? No one is an island.
Lol what are you talking about? Stigma, screwing over coworkers? Lol dude you need to relax and get out of your room, make friends and hang out with them. It looks like you have made work your friend. Take my advice yea, all 9-5s are just a number including you, hence you have an employee number. Do your 9-5 and go home yea. Don’t get too involved coz 9-5s are easily replaceable.
Weird seeming personal attack there. In case it is defensiveness from a perceived attack from myself, that’s not what was intended. My intent was to point out the potential consequences of viewing it in such a seemingly myopic way.
- Job hunting and stigma: If one’s accounts are found to be the cause of a breach, and it is found to be due to negligence, there’s a good chance of that resulting in a firing. Being fired due to security-related negligence is likely to make it a challenge to get past screening when hunting for a job (that’s what I mean by stigma). And finally, job hunting fucking sucks, in my opinion.
- Screwing over co-workers: You don’t have to be friends to care about how your action or inaction impacts others. Being the cause of a breach has a real possibility of getting people laid off, if the scope is significant. Maybe less of a big deal if you’re in most countries outside of the US but, here, the ramifications are pretty substantial. For example, I work with several people who are undergoing chemotherapy or who have spouses needing medical care. If laid off, health insurance evaporates and now they literally cannot afford the treatments necessary to live. Others have mortgages or rent to pay. Execs are not even going to entertain the idea of taking on the responsibility that is claimed to be the reason for their absurd pay.
Yes, it is healthy to set boundaries between your work life and personal life and to leave work at work. But, like I said, no one is an island; our actions in our work life can have profound impacts on others.
Wow! You actually need help. It’s not an attack, I genuinely feel like there’s something wrong with you and you should see a therapist so that you can understand, accept and acknowledge the issue.
Are you autistic by any chance? I feel like you have made “work” the purpose of your life. Like without cybersecurity, there’s no purpose in life.
I wish I could help you but I am no expert. Please go see a therapist, please.
Are you autistic by any chance? … Please go see a therapist, please.
Actually, quite likely on the spectrum and diagnosed with ADHD (this is a major contributor to my verbosity, so apologies if it comes across as a big rant). I do have a therapist indeed and have found it very helpful - highly recommend it if you’re in need. Not sure why this is relevant.
Maybe we’re hitting a bit of an “impedance mismatch” here. I suspect, partly as you’re coming through from an Aussie instance, that it may be partly due to a lack of context on how fucked things are, labor-wise, in the States. Healthcare here is tied to one’s employment, intentionally. It is technically possible to get insurance through a public exchange but, practically speaking, it’s not going to do much, especially if one has chronic or severe health problems. Also, we have very poor protections against firings and layoffs (most US labor contracts are pretty well one-sided).
Is work the purpose of my life? Fuck no. I have, however, been repeatedly screwed over, job-wise, by things outside of my control (Recession, offshoring, mergers, untreated ADHD). It is pretty awful, if you haven’t yourself, I recommend giving the experience a pass. This has made me acutely aware of the impact that my actions can have on others, not just the immediate but also the secondary and tertiary impacts. I’m also the primary income for my household, so, that rather raises the stakes a bit.
Put these things together with the fact that I now have coworkers who will literally die without medical care (insurance through work, so cancer patients have to have a job or a spouse with great coverage) and it should paint a good picture for someone with a healthy dose of empathy. Because of how labor is structured in the US, screwing up in a manner that has a big impact on the company means that I could be killing someone indirectly. Should that kind of thing be an employee’s responsibility? No. But that’s the reality of it. Actions have consequences within the system that one operates in, fair or not.
As for cybersecurity, somewhat fair. I’m not fixated on it but do definitely have a more significant interest than most. With the overall increase in cyberattacks on companies, states, and individuals, I’d recommend everyone being more security conscious.
If the company cared, they would provide MFA hardware like Yubikeys to their employees.
True. App-based is a bit more secure than SMS but nothing beats hardware.
Oh, well they let us do it at work so idk
I put the stupid app on my phone.
Never use your own personal phone for work related stuff.
If they want you to use a phone-based app, ask them to help you install it, then bring in an early-2000s feature phone that boots straight from ROM, no Android or KaiOS under the hood.
As in, force the company to get you a company phone.
What am I going to do, quit over using an app?
Why quit?
Ask them for help installing the app.
Then bring in an early-2000s flip phone with your SIM already in it, so you can prove that you are using it.
An employer cannot demand that you buy your own work tools unless it is written into the employment contract (auto mechanics, etc.). Provide them with a phone that they themselves cannot install the app on. Any early-2000s feature phone will not have an operating system with app functionality. An older but still smartphone-like BlackBerry running BBOS10 will also work in this regard, especially if you have uninstalled the Amazon App Store.
Even an Android phone whose newest possible version of Android pre-dates the oldest version that this app will install on can also work. For example, any Android phone which cannot be upgraded past Android 7 would be perfect with respect to MS Authenticator, as the current version will only install on Android 8 or newer. If you bring in a phone that has no ability to have Android 8 or later installed, your place of work will either have to exempt you or provide you with a work phone for that app.
You have solutions to keep work apps off of your personal devices, and few employers will have the legal ability to force you to buy a modern phone just for an app of their choosing. Moreover, it is your right to not have to suffer unreasonable employer demands just to have a job. That’s why worker protections exist in places where conservatives haven’t eviscerated those protections.
Act like you are a smartphone-phobe, and let them figure things out.
You do what you think you need to do, buuuuuut…
I’m in a senior level engineering position.
You are already exceedingly difficult to trivially replace. It’s entry-level devs which are a dime a dozen. Senior level engineering positions are frequently open for many months because candidates in general are difficult to find, much less good candidates.
Colour me biased, but I strongly think you are significantly underselling your own power and influence. Any company worth working for isn’t going to turf a senior engineer over a $40 stipend unless their middle manglement positions are staffed with morons.
Well, it’s your calculus to make, not mine.
Never use your own personal phone for work related stuff.
As someone who does this, my main issue is now I am carrying around two phones. This is a daily annoyance for me.
My next round I think I am going to drop the work phone and use Android’s profile options. Set up a work profile on my personal phone and just use that. Then just have work reimburse me for my personal phone/plan.
I am in IT and I feel like I speak for the industry: we don’t care. Some of my customers have regulators who make arbitrary and capricious decisions with a minimal understanding of infosec, but we have to keep the customer compliant.
> and force Microsoft Authenticator on the (private) phones of both employees and volunteers.
Refuse to use the service until they provide you with a work appointed phone. Volunteers admittedly have a more difficult time with that, but as someone else said you can indeed do text/call options.
a work appointed phone
With all the tracking that comes with it.
Not much of a privacy risk if it were used for a dedicated purpose and just left off in a drawer otherwise though. My employers pushed the notion of MS Authenticator, but left the options to use regular TOTP available; I just had to look a bit to find them. Even if they absolutely forced corp software though, a cheap wifi-only setup device is a viable option.
Who cares? It’s a work phone that is used only for work, they are entitled and expected to track it as much as my work laptop or any other company equipment. That’s not a privacy issue unless you’re using company resources for personal stuff. If I don’t want them tracking me I just turn it off or leave it at home.
They might expect you to be available via the phone 24/7 and carry such sensor packed device anywhere.
I’ll be available 24/7 when they pay me 24/7.
This is the way.
And my point was that a separate corporate device makes it trivial to manage my privacy and availability. Using my personal phone for work is a hard NO.
Your point is illogical.
You stated
they are entitled and expected to track it
Just to turn around and back-pedal
If I don’t want them tracking me I just turn it off
Are they entitled to it or not? If they’re entitled, then why do you have a right to cut it off? I’d argue they have no right to track me off hours at all… regardless of the device used. U2F tokens like YubiKey would be just as sufficient for 2FA with none of the tracking.
The point is that the phone will be tracking 24/7 regardless of your actual availability.
A faraday cage on your work desk can take care of that during off hours, especially since most batteries have become non-removable and phones don’t truly shut down anymore. Just put your work phone into the cage when your shift ends, take it back out when your next shift starts. Easy peasy!
And if they demand 24/7 access, they will need to provide 24/7 pay.
Not sure I understand what the faraday cage would accomplish. It’s the company’s device. You’d be skipping this presumption outlined earlier in the thread:
they are entitled and expected to track it as much as my work laptop or any other company equipment.
Leaving the work phone at work is a valid answer to me. Assuming that doesn’t actually come with any other downsides (working offsite and having to return to the office on unpaid time just to drop off the phone for example).
Agreed. From a privacy perspective, it is a lot safer to run the app in an environment where you have admin control. E.g. disable when not in use, block access to sensitive device information, limit background and network activity as much as possible.
yes? use it solely for work purposes, at work, turn it off when you clock out…
your employer is not your friend.
I work for a global company and help manage MFA for everyone…I use Google’s authenticator on my personal phone as they didn’t give me a work phone.
I still don’t understand why a hardware token isn’t being used. It’s such a low cost option when compared to buying a phone and plan for a user.
Because you can’t call someone on a hardware token.
But not everyone needs to have a work phone, some just need to authenticate
Then buy them an iPod touch.
you should really use FreeOTP+ instead. https://f-droid.org/en/packages/org.liberty.android.freeotpplus/
Get a used /cheap phone or tablet, only turn it on or enable wifi when you need the app. Don’t use it for anything else. I think that covers all the bases.
Just ask whether they can provide a phone as well.
I work for an MSP servicing 5k users all of whom I force to use M$ Auth app. Because it is the best Authenticator on the market, their company is paying for it, and because I look at the sign in logs for 3-4 different organizations every day to see literal hundreds of foreign sign-in attempts that fail due to M$ MFA. Yeah fuck monopolistic megacorps but understand when they provide an actual good product that is safe to use and actively protects you as an individual better than anything else out there.
All that said, the most likely reason is that they don’t want to make a document explaining how to set up MFA for each of the dozen+ apps out there, and they certainly don’t want to talk to users who don’t know what they are doing with whichever app their kid set up for them.
I’m sure you know what you’re doing better than 80% of the other employees in your office in this regard but I can tell you from experience, when one person gets their way, everyone wants theirs too.
You left out two things:
- It doesn’t change anything for the company if they allow the normal TOTP protocol in MS Authenticator. People who don’t care will use it. People who care can use other authenticator apps.
- The reason companies insist on MS Authenticator is because it reports the employee’s location.
- It doesn’t change anything for the company with exception to billable IT time used when the authenticator confuses users, which is already high with only one authenticator.
- It doesn’t report location. Entra login reports location regardless of authentication method used.
- Why should users care about the company’s billables, first of all. Secondly, it’s a red herring because there’s nothing compelling them to offer support for 3rd party authenticators or even mention them. It’s just a flip switch in the settings. Savvy users will try a 3rd party first anyway.
- Potayto, potato. The location info comes from and including Authenticator. What is the point of fetching location in a TOTP generator if not to check up on it?
- The company makes the rules under which you are employed. If you don’t like it, legislate against it or find another employer. Also, like I said, there are no 3rd party authenticators that are more secure with Entra ID.
- Like I said, M$ auth literally does not report location while authenticating. It only pulls location requests when signing in through the app to create the authentication token, and even then it is not a requirement. Entra pulls location using your IP address on the device you are signing in with.
We let anyone use any authentication app. The Microsoft one is the best one. I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps. You don’t have to use your Microsoft account provided to use the app or back up your credentials.
I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.
While I understand this… Why not just refuse to support and NOT remove the capability for all those who don’t need support and work just fine with their own? It’s not like TOTP isn’t a solved problem at this point.
E.g. “We only support MS auth. If you choose to use your own, you will not receive any company support.”
Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don’t get it. It’s a losing battle.
Because that shit only works in fantasy land.
Glad to know my company, and the companies I contract for are fantasy land then.
employees WILL expect support
And they will get it if they use the company default options.
Nothing about this is losing. I’m CIO for 3 separate companies (2 by contract). None of them have issues with this type of policy. We do bare minimum to not limit the toolset they can use and support a specific set of tools that we like the best. That’s it. Those who are smart enough to use their own tools clearly know enough about IT to make good decisions that we can trust. The rest use the default tools… and we support those tools explicitly.
More importantly, we’re not shitting on those who ARE making good decisions overall, but just have a preference. That makes the employees feel heard and keeps them happy. Keeping them happier keeps everyone more productive.
The option to use TOTP is already well hidden. It’s not like someone who does not know what he is looking for and uses an Authenticator already will accidentally select it.
As a security enthusiast, please also push for allowing physical security keys. They are awesome.
Upvote for providing an explanation, though I personally favour employee freedom.
Is Microsoft Authenticator available on Linux?
MS auth is a mobile only application. Not even available on Windows or macOS. The point of it is to provide a second factor of authentication in the form of “something you have”. There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). MS auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone, and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.
Why couldn’t “laptop” be a second factor?
It is using Windows Hello on compatible machines and persistent tokens on Mac and Windows machines not compatible with Hello. You have to create that token with a known factor such as a mobile device, but outside of that, users almost never have to sign in with persistent tokens.
It’s on Android, but
I meant more generally
If you’re in the US, that could very well get you fired in any “at will employment” state. It’s shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).
I don’t really get the rub here. I’m all for separating work devices and personal devices, but the 2FA apps don’t leak any info and the company can’t “do” anything to your phone remotely. The apps work in airplane mode. I also want to bet more than half the users that complain about this use the company’s free WiFi.
Get a flip phone and say you can’t install it, however SMS 2fa is very insecure.
The apps work in airplane mode
They’re talking about Microsoft Authenticator, not any MFA. It doesn’t work on airplane mode if they require number matching.
also want to bet more than half the users that complain about this use the company’s free WiFi.
…and? The wifi isn’t installed on their phone, the fuck does that matter?
If MS Authenticator still works with TOTP URLs just like any other authenticator then you can just use some open source authenticator. Some password managers even have one built in.
Declare yourself a member of The Church of Emacs and claim your religious rights are being violated.
While it’s not technically safer, MS does make it a lot easier to set policies where you check a box for MSAuth.
Since the config is less complex and easier, it’s demonstrably safer to implement it this way.
This could indeed be a valid reasoning. I’m going to investigate a bit. If you can easily cough up some MS documentation page on this topic please do