210
submitted 6 months ago by Martin@lemmy.ml to c/asklemmy@lemmy.ml

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

(page 2) 50 comments
sorted by: hot top controversial new old
[-] Martin@lemmy.ml 8 points 6 months ago

Thanks people, some good replies here. I could demand a work phone, but that's impractical, dragging around two phones etc. I'd like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn't know about that. If my company won't budge I'm doing that. When push comes to shove I could even use outlook that way on my phone.

load more comments (1 replies)
[-] wuphysics87@lemmy.ml 7 points 6 months ago

Declare yourself a member of The Church of Emacs and claim your religious rights are being violated.

[-] nexussapphire@lemm.ee 7 points 6 months ago

Get a used /cheap phone or tablet, only turn it on or enable wifi when you need the app. Don't use it for anything else. I think that covers all the bases.

[-] Brkdncr@lemmy.world 6 points 6 months ago

While it’s not technically safer, MS does make it a lot easier to set policy’s where you check a box for MSAuth.

Since the config is less complex and easier, it’s demonstratably safer to implement it this way.

load more comments (1 replies)
[-] DudeImMacGyver@sh.itjust.works 6 points 6 months ago

If you're in the US, that could very well get you fired in any "at will employment" state. It's shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).

[-] Honytawk@lemmy.zip 6 points 6 months ago

You can just use FreeOTP

My company has the same policy

[-] Appoxo@lemmy.dbzer0.com 6 points 6 months ago

I managed to get around the MS auth app and am using aegis right now.

[-] ericthemighty@lemmy.world 5 points 6 months ago

We let anyone use any authentication app. The Microsoft one is the best one. I'm pushing to make us exclusive because I'm sick of the IT support guys trying to support a dozen apps. You don't have to use your Microsoft account provided to use the app or back up your credentials.

[-] Saik0Shinigami@lemmy.saik0.com 5 points 6 months ago

I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.

While I understand this... Why not just refuse to support and NOT remove the capability for all those who don't need support and work just fine with their own? It's not like TOTP isn't a solved problem at this point.

Eg. "we only support MS auth, If you choose to use your own you will not receive any company support."

[-] Crashumbc@lemmy.world 5 points 6 months ago

Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don't get it. Is a losing battle.

load more comments (2 replies)
load more comments (8 replies)
[-] fouloleron@lemmy.world 5 points 6 months ago

Authentication methods in Entra ID (which is presumably what we are talking about as the identity provider) include Microsoft Authenticator and software otp.

Authenticator is push authentication, as described elsewhere here. If for some reason you're not getting push notifications, you can use an OTP code instead, but this still requires that you have push authentication configured in Microsoft Authenticator.

You can only use Software OTP in other applications if your administrator has explicitly allowed use of Software OTP as an authentication method, and also excluded you from being required to use Authenticatior - otherwise Authenticatior would always 'win' as choice of mechanisms because it is more secure.

Several states in the USA require that employees who are made to use their personal phone for business purposes be compensated. The enforcement method and process for requesting same is naturally very obscure.

[-] Croquette@sh.itjust.works 5 points 6 months ago

I used bluestack to emulate android and us MS Auth when I had no choice.

It's a waste of space, but it doesn't go on your phone at least

[-] metawish@lemmy.ml 5 points 6 months ago

Lots of great conversation here, I also work somewhere where this is required. If I didn't need my phone for access to chat, I just wouldn't use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.

[-] Scary_le_Poo@beehaw.org 5 points 6 months ago

Grab the shelter app from f Droid, add the Play store in shelter, move over to the work side Play store and install the authenticator.

Pause your work apps except for when you need to use the authenticator.

Prosper???

load more comments (1 replies)
[-] ZWQbpkzl@hexbear.net 5 points 6 months ago

If MS Authenticator still works with totp urls just like any other authenticator then you can just use some open source authenticator. Some password managers even have one built it.

[-] Amanduh@lemm.ee 4 points 6 months ago

You can't just have microsoft text you a code? That's what I do

load more comments (11 replies)
[-] sovietknuckles@hexbear.net 4 points 6 months ago* (last edited 6 months ago)

Your employer might use MS Authenticator but still let you do call or SMS 2FA. If you use a VOIP number, it won't be vulnerable to SIM card swapping attacks.

[-] stoy@lemmy.zip 4 points 6 months ago

SMS auth is going away, it is not considered secure in the last few environments I have worked in

[-] sovietknuckles@hexbear.net 4 points 6 months ago* (last edited 6 months ago)

SMS auth is going away,

OP is looking for an alternative to MS Authenticator. If this works as an alternative temporarily, they may still consider it worth it.

[I]t is not considered secure in the last few environments I have worked in

Yes, SMS 2FA is usually not secure due being vulnerable to SIM card swapping attacks, that's why I explicitly recommended using a VOIP number, which would not be vulnerable to SIM card swapping attacks.

[-] mp3@lemmy.ca 4 points 6 months ago* (last edited 6 months ago)

You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.

Ask if you could get a hardware token (ie: Yubikey Security Key) instead of using Microsoft Authenticator to fulfill the security requirements. It's low cost and doesn't require a subscription unlike a cellphone plan.

load more comments (3 replies)
[-] sunbeam60@lemmy.one 4 points 6 months ago

What is your concern about installing MS Authenticator.

I mean I can understand the principle of being forced to install anything on your phone.

But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?

load more comments (15 replies)
[-] Nomecks@lemmy.ca 4 points 6 months ago

If your company is enforcing geographic location as a security qualifier then MS Authenticator can poll your device. Also you can use push authentication with the MS suite.

load more comments (4 replies)
[-] Crisps@lemmy.world 4 points 6 months ago

At what point can you tax deduct your phone as a business expense?

load more comments
view more: ‹ prev next ›
this post was submitted on 30 May 2024
210 points (94.1% liked)

Asklemmy

43992 readers
590 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS