So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • Todd Bonzalez@lemm.ee · +45/-1 · 1 month ago

    You cannot be forced to give your employer access to your property, so just say that you cannot install it on your phone. Make sure you say that it isn’t possible. You don’t have to make it sound voluntary. You can just say “I cannot install this on my phone”. Even if the reason is because you refuse to install it, it doesn’t matter, that’s your call to make with your own property.

    Your employer will either need to find another solution that you can use, or they will need to issue you a company phone so that you can use the mobile software they require you to use.

    • ButtDrugs@lemm.ee · +19 · 1 month ago

      I work in tech, and have had multiple employees claim they only have “dumb” phones for what I’m pretty sure is this exact reason. And I never blame them, just put the heat on IT to find a solution.

  • LordCrom@lemmy.world · +25/-1 · 1 month ago

    Maintain a veil of separation between personal and business. Just say you can’t install it.

    They must then provide you with needed hardware.

    Just say you don’t have a smartphone…you have a flip phone…doesn’t matter.

    And don’t fall for the argument that companies require ties also, they can require cell phones… Not at all the same thing.

    • rekabis@lemmy.ca · +4 · 1 month ago (edited)

      Just say you don’t have a smartphone…you have a flip phone…

      Recently looked into this, pretty much 100% of currently-available flip phones are still smartphones under the hood, running either Android or KaiOS. And you can still install apps on these phones.

      The only truly “dumb phone” appears to be the Rotary Un-Phone, or a vintage feature phone from the early 2000s that boots straight from ROM - instant-on, no visible boot process whatsoever.

    • lemmyvore@feddit.nl · +2 · 1 month ago

      The whole point of MS Auth is that it tracks your location, so if you get a 2nd phone they still track you but you now carry around 2 phones.

  • Jyek@sh.itjust.works · +11/-1 · 1 month ago

    I work for an MSP servicing 5k users all of whom I force to use M$ Auth app. Because it is the best Authenticator on the market, their company is paying for it, and because I look at the sign in logs for 3-4 different organizations every day to see literal hundreds of foreign sign-in attempts that fail due to M$ MFA. Yeah fuck monopolistic megacorps but understand when they provide an actual good product that is safe to use and actively protects you as an individual better than anything else out there.

    All that said, the most likely reason is that they don’t want to make a document explaining how to set up MFA for each of the dozen+ apps out there, and they certainly don’t want to talk to users who don’t know what they are doing with whichever app their kid set up for them.

    I’m sure you know what you’re doing better than 80% of the other employees in your office in this regard but I can tell you from experience, when one person gets their way, everyone wants theirs too.

    • lemmyvore@feddit.nl · +9/-1 · 1 month ago (edited)

      You left out two things:

      1. It doesn’t change anything for the company if they allow the normal TOTP protocol in MS Authenticator. People who don’t care will use it. People who care can use other authenticator apps.
      2. The reason companies insist on MS Authenticator is because it reports the employee’s location.
      • Jyek@sh.itjust.works · +1 · 1 month ago

        1. It doesn’t change anything for the company with the exception of billable IT time used when the authenticator confuses users, which is already high with only one authenticator.

        2. It doesn’t report location, Entra login reports location regardless of authentication method used.

        • lemmyvore@feddit.nl · +1/-1 · 1 month ago (edited)

          1. Why should users care about the company’s billables, first of all. Secondly, it’s a red herring because there’s nothing compelling them to offer support for 3rd party authenticators or even mention them. It’s just a flip switch in the settings. Savvy users will try a 3rd party first anyway.
          2. Potayto, potato. The location info comes from and including Authenticator. What is the point of fetching location in a TOTP generator if not to check up on it?
          • Jyek@sh.itjust.works · +1 · 1 month ago

            1. The company makes the rules under which you are employed. If you don’t like it, legislate against it or find another employer. Also, like I said, there are no 3rd party authenticators that are more secure with Entra ID.

            2. Like I said, M$ auth literally does not report location while authenticating. It only pulls location requests when signing in through the app to create the authentication token and even then it is not a requirement. Entra pulls location using your IP address on the device you are signing in with.

  • Tinkerer@lemmy.ca · +12/-3 · 1 month ago

    I don’t really get the rub here, I’m all for separating work devices and personal devices but the 2fa apps don’t leak any info and the company can’t “do” anything to your phone remotely. The apps work in airplane mode. I also want to bet more than half the users that complain about this use the company’s free WiFi.

    Get a flip phone and say you can’t install it, however SMS 2fa is very insecure.

    • deweydecibel@lemmy.world · +8/-1 · 1 month ago

      The apps work in airplane mode

      They’re talking about Microsoft Authenticator, not any MFA. It doesn’t work on airplane mode if they require number matching.

      I also want to bet more than half the users that complain about this use the company’s free WiFi.

      …and? The wifi isn’t installed on their phone, the fuck does that matter?

  • nexussapphire@lemm.ee · +7 · 1 month ago

    Get a used/cheap phone or tablet, only turn it on or enable wifi when you need the app. Don’t use it for anything else. I think that covers all the bases.

  • Scary le Poo@beehaw.org · +5 · 1 month ago

    Grab the Shelter app from F-Droid, add the Play Store in Shelter, move over to the work-side Play Store and install the authenticator.

    Pause your work apps except for when you need to use the authenticator.

    Prosper???

  • masterspace@lemmy.ca · +28/-18 · 1 month ago

    You’re wasting your life trying to fight battles you don’t even understand.

    • Cataphract@lemmy.ml · +4/-1 · 1 month ago

      Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

      Thanks for the input?

    • deweydecibel@lemmy.world · +2/-1 · 1 month ago (edited)

      There’s no “battle” here. It’s their phone, end of discussion. They don’t need to justify to you or anyone what they do and do not want on it.

      What you don’t understand is that a worker does not need your permission or approval to exercise their right to control their personal property, and that right far exceeds any concerns about how easy the IT admin’s job is.

      • masterspace@lemmy.ca · +1 · 1 month ago (edited)

        Or is this a battle I can pick to shield myself from MS

        Read the post before coming to the comments to reply.

        OP is asking on here about whether or not to pick this battle and fight his company over it. Yes, you are probably technically correct that a company can’t force you to install an authenticator app on your phone. However, that is a battle that you will have to fight with them that will accomplish essentially nothing if you win.

        In Canada right now there is a major auto manufacturer that is being sued by the union over this very issue. It is a years-long legal case that had to be escalated through the union, its lawyers, and now arbitration. Does that not sound like a battle to you?

  • DudeImMacGyver@sh.itjust.works · +6 · 1 month ago

    If you’re in the US, that could very well get you fired in any “at will employment” state. It’s shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).

  • ericthemighty@lemmy.world · +8/-3 · 1 month ago

    We let anyone use any authentication app. The Microsoft one is the best one. I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps. You don’t have to use your Microsoft account provided to use the app or back up your credentials.

    • Saik0@lemmy.saik0.com · +7/-2 · 1 month ago

      I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.

      While I understand this… Why not just refuse to support and NOT remove the capability for all those who don’t need support and work just fine with their own? It’s not like TOTP isn’t a solved problem at this point.

      E.g. “We only support MS Auth. If you choose to use your own, you will not receive any company support.”

      • Crashumbc@lemmy.world · +7/-2 · 1 month ago

        Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don’t get it. It’s a losing battle.

        • Username@feddit.de · +4 · 1 month ago

          The option to use TOTP is already well hidden. It’s not like someone who does not know what he is looking for and uses an Authenticator already will accidentally select it.

        • Saik0@lemmy.saik0.com · +3/-1 · 1 month ago

          Because that shit only works in fantasy land.

          Glad to know my company, and the companies I contract for are fantasy land then.

          employees WILL expect support

          And they will get it if they use the company default options.

          Nothing about this is losing. I’m CIO for 3 separate companies (2 by contract). None of them have issues with this type of policy. We do bare minimum to not limit the toolset they can use and support a specific set of tools that we like the best. That’s it. Those who are smart enough to use their own tools clearly know enough about IT to make good decisions that we can trust. The rest use the default tools… and we support those tools explicitly.

          More importantly, we’re not shitting on those who ARE making good decisions overall, but just have a preference. That makes the employees feel heard and keeps them happy. Keeping them happier keeps everyone more productive.

    • jsomae@lemmy.ml · +1/-2 · 1 month ago

      Upvote for providing an explanation, though I personally favour employee freedom.

      Is Microsoft Authenticator available on Linux?

      • Jyek@sh.itjust.works · +1 · 1 month ago

        MS Auth is a mobile-only application. Not even available on Windows or macOS. The point of it is to provide a second factor of authentication in the form of “something you have”. There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). MS Auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.

          • Jyek@sh.itjust.works · +1 · 1 month ago

            It is using Windows Hello on compatible machines and persistent tokens on Mac and Windows machines not compatible with Hello. You have to create that token with a known factor such as a mobile device but outside of that, users almost never have to sign in with persistent tokens.

  • Metawish@lemmy.ml · +5 · 1 month ago

    Lots of great conversation here, I also work somewhere where this is required. If I didn’t need my phone for access to chat, I just wouldn’t use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.

        • nickwitha_k (he/him)@lemmy.sdf.org · +1 · 1 month ago

          You might not own the company but do you like job hunting, the prospect of having the stigma of being the guy who caused a breach following you around, or screwing over your coworkers? No one is an island.

          • YⓄ乙 @aussie.zone · +1 · 1 month ago

            Lol what are you talking about? Stigma, screwing over coworkers? Lol dude you need to relax and get out of your room, make friends and hang out with them. It looks like you have made work your friend. Take my advice yea, all 9-5s are just a number including you, hence you have an employee number. Do your 9-5 and go home yea. Don’t get too involved coz 9-5s are easily replaceable.

            • nickwitha_k (he/him)@lemmy.sdf.org · +1 · 1 month ago

              Weird seeming personal attack there. In case it is defensiveness from a perceived attack from myself, that’s not what was intended. My intent was to point out the potential consequences of viewing it in such a seemingly myopic way.

              • Job hunting and stigma: If one’s accounts are found to be the cause of a breach, and it is found to be due to negligence, there’s a good chance of that resulting in a firing. Being fired due to security-related negligence is likely to make it a challenge to get past screening when hunting for a job (that’s what I mean by stigma). And finally, job hunting fucking sucks, in my opinion.

              • Screwing over co-workers: You don’t have to be friends to care about how your action or inaction impacts others. Being the cause of a breach has a real possibility of getting people laid off, if the scope is significant. Maybe less of a big deal if you’re in most countries outside of the US but, here, the ramifications are pretty substantial. For example, I work with several people who are undergoing chemotherapy or who have spouses needing medical care. If laid off, health insurance evaporates and now they literally cannot afford the treatments necessary to live. Others have mortgages or rent to pay. Execs are not even going to entertain the idea of taking on the responsibility that is claimed to be the reason for their absurd pay.

              Yes, it is healthy to set boundaries between your work life and personal life and to leave work at work. But, like I said, no one is an island; our actions in our work life can have profound impacts on others.

              • YⓄ乙 @aussie.zone · +1 · 1 month ago

                WoW! You actually need help. It’s not an attack, I genuinely feel like there’s something wrong with you and you should see a therapist so that you can understand, accept and acknowledge the issue.

                Are you autistic by any chance? I feel like you have made “work” the purpose of your life. Like without cybersecurity, there’s no purpose in life.

                I wish I could help you but I am no expert. Please go see a therapist, please.

                • nickwitha_k (he/him)@lemmy.sdf.org · +1 · 1 month ago

                  Are you autistic by any chance? … Please go see a therapist, please.

                  Actually, quite likely on the spectrum and diagnosed with ADHD (this is a major contributor to my verbosity, so apologies if it comes across as a big rant). I do have a therapist indeed and have found it very helpful - highly recommend it if you’re in need. Not sure why this is relevant.

                  Maybe we’re hitting a bit of an “impedance mismatch” here. I suspect, partly as you’re coming through from an Aussie instance, that it may be partly due to a lack of context on how fucked things are, labor-wise, in the States. Healthcare here is tied to one’s employment, intentionally. It is technically possible to get insurance through a public exchange but, practically speaking, it’s not going to do much, especially if one has chronic or severe health problems. Also, we have very poor protections against firings and layoffs (most US labor contracts are pretty well one-sided).

                  Is work the purpose of my life? Fuck no. I have, however, been repeatedly screwed over, job-wise, by things outside of my control (Recession, offshoring, mergers, untreated ADHD). It is pretty awful, if you haven’t yourself, I recommend giving the experience a pass. This has made me acutely aware of the impact that my actions can have on others, not just the immediate but also the secondary and tertiary impacts. I’m also the primary income for my household, so, that rather raises the stakes a bit.

                  Put these things together with the fact that I now have coworkers who will literally die without medical care (insurance through work - so cancer patients have to have a job or a spouse with great coverage) and it should paint a good picture for someone with a healthy dose of empathy. Because of how labor is structured in the US, screwing up in a manner that has a big impact on the company means that I could be killing someone indirectly. Should that kind of thing be an employee’s responsibility? No. But that’s the reality of it. Actions have consequences within the system that one operates in, fair or not.

                  As for cybersecurity, somewhat fair. I’m not fixated on it but do definitely have a more significant interest than most. With the overall increase in cyberattacks on companies, states, and individuals, I’d recommend everyone being more security conscious.

      • Hirom@beehaw.org · +2 · 1 month ago (edited)

        If the company cared, they would provide MFA hardware like Yubikeys to their employees.

    • Hirom@beehaw.org · +2 · 1 month ago (edited)

      That’s the solution I picked at work. Refused to install that Microsoft software on my personal phone, but instead provided a phone number.

      If you have a VoIP provider you could even try the VoIP number for MFA instead of providing your real mobile number.

      If IT makes a comment about you not having the app, ask if they intend to provide a company device for that.

  • katy ✨@lemmy.blahaj.zone · +3 · 1 month ago

    we have o365 and while i do have the authenticator, you should also be able to add a phone number or email address for text/email codes instead of the authenticator (i know my coworker doesn’t have the authenticator but gets codes to her sms)

  • YⓄ乙 @aussie.zone · +3 · 1 month ago

    If you don’t care about the money you get paid every fortnight then go ahead. Nobody cares! For employers, you are just a number and for you, the employer is the means to get paid.

    If you don’t need the money then fuck it.