So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Can you claim that you don't have a smartphone? Then they'd either have to provide an alternative authentication method, or provide you with a phone.
I've been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven't looked much into the privacy aspect of it, though.
Don't do that. Just say they will provide you with an authenticator paid for by them.
I did this at my work and got a little dongle that displays a string of numbers I have to enter when prompted.
You can use Aegis and/or Yubico Authenticator instead, that's what I do.
In my company at least, Aegis works for the first few logins, but it will keep nagging you have to switch to Microsoft's authenticator and you're locked out after a while.
How did they know you're not using the MS Authenticator? Does the MS app phone home what logins you're using?
Apparently MS uses a "proprietary PhoneFactor 2FA solution" that Aegis doesn't support.
> and force Microsoft Authenticator on the (private) phones of both employees and volunteers.
Refuse to use the service until they provide you with a work appointed phone. Volunteers admittedly have a more difficult time with that, but as someone else said you can indeed do text/call options.
> a work appointed phone
With all the tracking that comes with it.
yes? use it solely for work purposes, at work, turn it off when you clock out...
your employer is not your friend.
I managed to get around the MS auth app and am using aegis right now.
If MS Authenticator still works with TOTP URLs just like any other authenticator then you can just use some open source authenticator. Some password managers even have one built in.
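To show what "works with TOTP URLs" means in practice, here is an added example (not code from any commenter) that parses the standard `otpauth://totp/...` key URI an enrolment QR code carries and computes the RFC 6238 code from it; the URI and timestamps used are assumed/constructed from the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/LABEL?secret=...&digits=...&period=... URI.
    Only the TOTP type is handled; the secret is base32 per the key URI format."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    # Some issuers strip the base32 '=' padding; restore it before decoding.
    secret = params["secret"].upper()
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(key, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the 8-byte big-endian time-step counter,
    dynamic truncation (RFC 4226), then reduce modulo 10**digits."""
    counter = int(timestamp) // period
    digest_fn = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, timestamp=None):
    """Current (or given-time) code for an otpauth URI, as any
    standards-compliant authenticator app would display it."""
    p = parse_otpauth(uri)
    ts = time.time() if timestamp is None else timestamp
    return totp(p["key"], ts, p["digits"], p["period"], p["algorithm"])


# Constructed example: the RFC 6238 test secret "12345678901234567890" in base32.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.org"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
```

If a service's enrolment flow never exposes such a URI or QR code and only pairs with its own app, it is not using the interoperable TOTP format this code implements.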
Declare yourself a member of The Church of Emacs and claim your religious rights are being violated.
Your employer might use MS Authenticator but still let you do call or SMS 2FA. If you use a VOIP number, it won't be vulnerable to SIM card swapping attacks.
SMS auth is going away, it is not considered secure in the last few environments I have worked in
> SMS auth is going away,
OP is looking for an alternative to MS Authenticator. If this works as an alternative temporarily, they may still consider it worth it.
> [I]t is not considered secure in the last few environments I have worked in
Yes, SMS 2FA is usually not secure due to being vulnerable to SIM card swapping attacks; that's why I explicitly recommended using a VOIP number, which would not be vulnerable to SIM card swapping attacks.
Lots of great conversation here, I also work somewhere where this is required. If I didn't need my phone for access to chat, I just wouldn't use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.
Thanks people, some good replies here. I could demand a work phone, but that's impractical, dragging around two phones etc. I'd like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn't know about that. If my company won't budge I'm doing that. When push comes to shove I could even use outlook that way on my phone.
Same problem here, my company requires 2FA for remote network access. MS Authenticator requires Google Services on Android which I don't have - so no home office for me I guess.
I'm in the same boat. Had to repurpose an old Android device as an authenticator.
Or you could use an android VM.
I know Google has a way to "force" you to only use their app, and that's strictly enforced for personal MFAs (I haven't verified that recently). I didn't have that kind of trouble not using the MS one, but I'm not sure my org was as strict as yours on that "force MS" option.