So my company decided to migrate its office suite, email etc. to Microsoft 365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator onto the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • neidu2@feddit.nl
    ·
    edit-2
    5 months ago

    Can you claim that you don't have a smartphone? Then they'd either have to provide an alternative authentication method, or provide you with a phone.

    I've been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven't looked much into the privacy aspect of it, though.

    • Kairos@lemmy.today
      ·
      5 months ago

      Don't do that. Just say they will provide you with an authenticator paid for by them.

    • barrbaric [he/him]
      ·
      5 months ago

      I did this at my work and got a little dongle that displays a string of numbers I have to enter when prompted.

    • Fleppensteyn@feddit.nl
      ·
      5 months ago

      In my company at least, Aegis works for the first few logins, but it will keep nagging that you have to switch to Microsoft's authenticator, and you're locked out after a while.

      • ZWQbpkzl [none/use name]
        ·
        5 months ago

        How did they know you're not using the MS Authenticator? Does the MS app phone home what logins you're using?

  • ziby0405@lemmy.ml
    ·
    5 months ago

    > and force Microsoft Authenticator on the (private) phones of both employees and volunteers.

    Refuse to use the service until they provide you with a work-appointed phone. Volunteers admittedly have a more difficult time with that, but as someone else said you can indeed do text/call options.

  • ZWQbpkzl [none/use name]
    ·
    5 months ago

    If MS Authenticator still works with TOTP URLs just like any other authenticator, then you can just use some open source authenticator. Some password managers even have one built in.
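    To make concrete what "works with TOTP URLs just like any other authenticator" means, here is an added example (not code from this thread, from Microsoft or from any authenticator project): a parser for the otpauth:// URI that enrollment QR codes encode, plus the RFC 4226/6238 computation every standard authenticator performs on it. Any app that derives the code from the same secret, algorithm, digit count and period produces the same value, which is why Aegis, a password manager's built-in generator and Microsoft Authenticator are interchangeable for a plain TOTP enrollment. The caveat a practitioner should keep in mind: this only holds when the tenant's policy allows a generic "authenticator app" (software OATH token) enrollment; Microsoft Authenticator's push approval with number matching is a different mechanism and is not reproducible from a TOTP secret. The Contoso/alice label in the sample URI is constructed; the secret is the RFC 6238 SHA1 test key, so the codes can be checked against RFC 6238 Appendix B.

```python
"""Parse an otpauth:// TOTP enrollment URI and compute RFC 6238 codes.

Added example for this thread; not Microsoft's, Aegis's or any vendor's code.
Standard library only, so it runs offline against the RFC 6238 test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract the parameters an authenticator stores from an enrollment URI.

    Key URI format shared by Google Authenticator, Aegis, MS Authenticator etc.:
    otpauth://totp/<issuer>:<account>?secret=<base32>&issuer=..&digits=6&period=30
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params["secret"].strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # many issuers omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(entry, at=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    now = time.time() if at is None else at
    return hotp(entry["key"], int(now) // entry["period"],
                entry["digits"], entry["algorithm"])


def verify(entry, candidate, at=None, window=1):
    """Server-side check: accept the current step and +/- `window` steps to
    tolerate clock drift, comparing in constant time."""
    now = time.time() if at is None else at
    step = int(now) // entry["period"]
    for c in range(step - window, step + window + 1):
        expected = hotp(entry["key"], c, entry["digits"], entry["algorithm"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample enrollment URI. The secret is the RFC 6238 SHA1 test key
# ("12345678901234567890" in base32), so the 8-digit codes are checkable
# against RFC 6238 Appendix B (T=59 -> 94287082, T=1111111109 -> 07081804).
SAMPLE_URI = (
    "otpauth://totp/Contoso:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Contoso&digits=8&period=30"
)

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(entry, at=t))
    print("now", totp(entry))
```

    Every authenticator that accepts this URI runs the same `hotp` over the same decoded key; the app is only a place to store the secret and a clock. Note that `algorithm`, `digits` and `period` all change the output, so an app that ignores a non-default `algorithm=SHA256` will produce codes the server rejects.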

  • sovietknuckles [they/them]
    ·
    edit-2
    5 months ago

    Your employer might use MS Authenticator but still let you do call or SMS 2FA. If you use a VOIP number, it won't be vulnerable to SIM card swapping attacks.

    • stoy@lemmy.zip
      ·
      5 months ago

      SMS auth is going away; it is not considered secure in the last few environments I have worked in.

      • sovietknuckles [they/them]
        ·
        edit-2
        5 months ago

        > SMS auth is going away,

        OP is looking for an alternative to MS Authenticator. If this works as an alternative temporarily, they may still consider it worth it.

        > [I]t is not considered secure in the last few environments I have worked in

        Yes, SMS 2FA is usually not secure due to being vulnerable to SIM card swapping attacks; that's why I explicitly recommended using a VOIP number, which would not be vulnerable to SIM card swapping attacks.

  • Metawish@lemmy.ml
    ·
    5 months ago

    Lots of great conversation here, I also work somewhere where this is required. If I didn't need my phone for access to chat, I just wouldn't use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.

  • Martin@lemmy.ml
    hexagon
    ·
    5 months ago

    Thanks people, some good replies here. I could demand a work phone, but that's impractical, dragging around two phones etc. I'd like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn't know about that. If my company won't budge I'm doing that. When push comes to shove I could even use outlook that way on my phone.

  • robber@lemmy.ml
    ·
    5 months ago

    Same problem here, my company requires 2FA for remote network access. MS Authenticator requires Google Services on Android which I don't have - so no home office for me I guess.

  • Satanic_Mills [comrade/them]
    ·
    edit-2
    5 months ago

    I'm in the same boat. Had to repurpose an old Android device as an authenticator.

    Or you could use an android VM.

  • Tabitha ☢️[she/her]
    ·
    5 months ago

    I know Google has a way to "force" you to only use their app, and that's strictly enforced for personal MFAs (I haven't verified that recently). I didn't have that kind of trouble not using the MS one, but I'm not sure my org was as strict as yours on that "force MS" option.