So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.
Ask if you could get a hardware token (i.e. a YubiKey Security Key) instead of using Microsoft Authenticator to fulfill the security requirements. It’s low cost and doesn’t require a subscription, unlike a cellphone plan.
You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.
Reputable Source?
At least in Quebec:
Employers’ Responsibilities Towards
These are the main ones:
- Employers must give their employees a place to work and make sure they have access to it. They must give them the tools, equipment and other things they need to do their work.
https://educaloi.qc.ca/en/capsules/rights-and-responsibilities-of-employers-and-employees/
We have O365 and while I do have the authenticator, you should also be able to add a phone number or email address for text/email codes instead of the authenticator (I know my coworker doesn’t have the authenticator but gets codes via SMS).
We let anyone use any authentication app. The Microsoft one is the best one. I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps. You don’t have to use your Microsoft account provided to use the app or back up your credentials.
As a security enthusiast, please also push for allowing physical security keys. They are awesome.
As a cryptography nerd, +100000 to that
I’m pushing to make us exclusive because I’m sick of the IT support guys trying to support a dozen apps.
While I understand this… Why not just refuse to support and NOT remove the capability for all those who don’t need support and work just fine with their own? It’s not like TOTP isn’t a solved problem at this point.
E.g. “We only support MS Auth. If you choose to use your own, you will not receive any company support.”
Because that shit only works in fantasy land. If you can use it, employees WILL expect support and will repeatedly raise hell if they don’t get it. It’s a losing battle.
The option to use TOTP is already well hidden. It’s not like someone who does not know what he is looking for and uses an Authenticator already will accidentally select it.
Because that shit only works in fantasy land.
Glad to know my company, and the companies I contract for are fantasy land then.
employees WILL expect support
And they will get it if they use the company default options.
Nothing about this is losing. I’m CIO for 3 separate companies (2 by contract). None of them have issues with this type of policy. We do bare minimum to not limit the toolset they can use and support a specific set of tools that we like the best. That’s it. Those who are smart enough to use their own tools clearly know enough about IT to make good decisions that we can trust. The rest use the default tools… and we support those tools explicitly.
More importantly, we’re not shitting on those who ARE making good decisions overall, but just have a preference. That makes the employees feel heard and keeps them happy. Keeping them happier keeps everyone more productive.
Upvote for providing an explanation, though I personally favour employee freedom.
Is Microsoft Authenticator available on Linux?
It’s on Android, but
MS Auth is a mobile-only application. Not even available on Windows or macOS. The point of it is to provide a second factor of authentication in the form of “something you have”. There are a few factors that can be used for authentication. Something you know (password), something you have (hardware like a key or a phone), and something you are (iris scan, DNA, fingerprint, other biometric). MS Auth uses something you have and something you are to authenticate most users. You provide a password and then you prove you have your cellphone and your cellphone checks your biometrics to see if you are you. In that way, it is effectively checking all 3 factors.
Why couldn’t “laptop” be a second factor?
Everyone at my job who refused this and caused a huge stink are the ones that are seemingly not around about a year and half later. Not saying you aren’t right or anything but I put the stupid app on my phone.
I put the stupid app on my phone.
Never use your own personal phone for work related stuff.
If they want you to use a phone-based app, ask them to help you install it, then bring in an early-2000s feature phone that boots straight from ROM, no Android or KaiOS under the hood.
As in, force the company to get you a company phone.
I have no union and no leverage, they said no. What am I going to do, quit over using an app? My job pays my bills and I don’t have another one lined up, this isn’t the hill I’d die on.
What am I going to do, quit over using an app?
Why quit?
Ask them for help installing the app.
Then bring in an early-2000s flip phone with your SIM already in it, so you can prove that you are using it.
An employer cannot demand that you buy your own work tools unless it is written into the employment contract (auto mechanics, etc.). Provide them with a phone that they themselves cannot install the app on. Any early-2000s feature phone will not have an operating system with app functionality. An older but still smartphone-like BlackBerry running BBOS10 will also work in this regard, especially if you have uninstalled the Amazon App Store.
Even an Android phone whose newest possible version of Android pre-dates the oldest version that this app will install on can also work. For example, any Android phone which cannot be upgraded past Android 7 would be perfect with respect to MS Authenticator, as the current version will only install on Android 8 or newer. If you bring in a phone that has no ability to have Android 8 or later installed, your place of work will either have to exempt you or provide you with a work phone for that app.
You have solutions to keep work apps off of your personal devices, and few employers will have the legal ability to force you to buy a modern phone just for an app of their choosing. Moreover, it is your right to not have to suffer unreasonable employer demands just to have a job. That’s why worker protections exist in places where conservatives haven’t eviscerated those protections.
Act like you are a smartphone-phobe, and let them figure things out.
Yeah, again I never said you were wrong, just not the hill I’d die on for 40 dollars worth of compensation. If I were going to agitate and apply pressure at work it would be for a significant compensation boost to the tune of tens of thousands of dollars. This won’t work for me as I’m in a senior level engineering position.
You do what you think you need to do, buuuuuut…
I’m in a senior level engineering position.
You are already exceedingly difficult to trivially replace. It’s entry-level devs which are a dime a dozen. Senior level engineering positions are frequently open for many months because candidates in general are difficult to find, much less good candidates.
Colour me biased, but I strongly think you are significantly underselling your own power and influence. Any company worth working for isn’t going to turf a senior engineer over a $40 stipend unless their middle manglement positions are staffed with morons.
Well, it’s your calculus to make, not mine.
Contact a lawyer that specializes in worker rights. If they make you use private property for work they should compensate you.
You don’t live in reality if you think anyone is going to retain a labor lawyer and sue their employer over using an authenticator app without a phone stipend.
It doesn’t usually need to go to court if the lawyer can remind them of what laws they’re breaking
Never use your own personal phone for work related stuff.
As someone who does this, my main issue is now I am carrying around two phones. This is a daily annoyance for me.
My next round I think I am going to drop the work phone and use Android’s profile options. Set up a work profile on my personal phone and just use that. Then just have work reimburse me for my personal phone/plan.
Just ask whether they can provide a phone as well.
The whole point of MS Auth is that it tracks your location, so if you get a 2nd phone they still track you but you now carry around 2 phones.
You can just use FreeOTP
My company has the same policy
For 2FA? You can use any 2FA just make backups
The post says that the admins disabled the use of all others.
What is your concern about installing MS Authenticator?
I mean I can understand the principle of being forced to install anything on your phone.
But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?
AFAIK on Android it has a hard dependency on Google services. I don’t mind installing proprietary stuff to my work profile for the express purposes of work but that requires modifying my system to accommodate this specific app and that’s a step too far for my personal device. So I use a free software option (Aegis) instead.
edit: if for some reason I really did need MS Authenticator and not any old TOTP app, I would procure a googled device specifically for work rather than install google or microG into my personal device.
200 MB of wasted personal disk space just so you can log in to a work account
Ok, but most workplaces require some form of apps installed for access, shared documents etc.
How many would install Figma, Office, Expensify, Jira, Confluence or a whole other raft of work apps if it wasn’t for work?
I mean, sure, it’s annoying but is MS Authenticator really the hill people want to die on?
Yeah but you install that stuff on your work computer. If my job requires me to use an authenticator on a non-work phone, then at least let me use the one I’m already using.
It tracks your location.
Not really. It checks your location when you authenticate. It doesn’t store the location.
I’m not concerned per se and I definitely applaud the MFA requirement. I mean I hate MS and don’t like apps I don’t need, and I don’t trust them, but as others pointed out this would mostly just be whiny. That’s why I asked for reasons why restricting users to MS Authenticator would be preferable. If it’s more secure or technically way easier and thus cheaper to maintain then fine, I’ll find an acceptable way to comply. If not, then it’s them who are whiny and I’d rather make the case to let us use whatever authenticator we already have installed.
I’m guessing they never mentioned that it tracks your location? That’s why they insist on using it not any of the other bullshit.
reasons why restricting users to MS Authenticator would be preferable
As a security professional:
- Under most situations, it is equally as good as any other 2FA app.
- Within the Microsoft ecosystem, it provides additional security features above and beyond simple 2FA.
If your workplace is leaning heavily on the Microsoft ecosystem, especially their cloud offerings like Azure, then restricting employees to the Microsoft app is a no-brainer, and actually quite reasonable.
For example, if they happen to have a hybrid domain with an on-prem domain controller syncing with Azure (forgive me for using obsolete terms, I’m a greybeard), then they can control all access to all company assets, including 2FA. If an employee leaves the company, they can also disable the Microsoft app at a moment’s notice by disabling the employee’s Microsoft account. Because everything is hooked into Azure, it sends push notifications down to all company assets - like the Microsoft 2FA app - to unhook all of the company’s credentials and prevent employee access after the fact.
You cannot do this with other 2FA apps.
This is disingenuous though… You can simply reset the TOTP seed on any account to achieve the same operation. We use AuthLite on a local domain… I can disable an account domain-wide by simply resetting the TOTP seed or disabling the account. Using an Azure domain and MS app doesn’t add any value in that regards. All of the online office stuff can be linked onto a local domain as well and would also be disabled.
You don’t even need to disable an ex-employee’s ability to generate TOTP codes… Once the account is disabled what use are the codes?
But MS Authenticator isn’t a normal 6-digit authenticator; it scans your Face ID (or fingerprint) and in many cases (like my work) it can support passwordless accounts (relying only on something you have and something you are).
And in regard to your point that you don’t want to install apps you don’t need, it sounds like you do in fact need this app.
🤷♀️
Maintain a veil of separation between personal and business. Just say you can’t install it.
They must then provide you with needed hardware.
Just say you don’t have a smartphone…you have a flip phone…doesn’t matter.
And don’t fall for the argument that companies require ties also, they can require cell phones… Not at all same thing.
Just say you don’t have a smartphone…you have a flip phone…
Recently looked into this, pretty much 100% of currently-available flip phones are still smartphones under the hood, running either Android or KaiOS. And you can still install apps on these phones.
The only truly “dumb phone” appears to be the Rotary Un-Phone, or a vintage feature phone from the early 2000s that boots straight from ROM - instant-on, no visible boot process whatsoever.
…it won’t let me edit my other comment but I wanted to add that YES, using MFA is demonstrably far safer than any password you can set.
With multi-factor enabled you could literally give your password out and people could not access your account without being able to complete that second layer of security.
He said he wants to use MFA, but a normal generated token instead of the Microsoft one.
During the enrollment you can tap on the option to use another method and have it send you a text code instead of using the app.
SMS is inherently insecure as an MFA method; consider using Aegis for your TOTP codes instead.
Not if the company has disabled SMS for MFA, as they should have.
If MS Authenticator still works with TOTP URLs just like any other authenticator then you can just use some open source authenticator. Some password managers even have one built in.
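Added example, not from any commenter in this thread: a stand-alone Python implementation of the standard TOTP the comments keep referring to (RFC 4226 HOTP under RFC 6238 TOTP). It parses the otpauth:// URI that an enrollment QR code carries, verifies a code with a small clock-drift window, and shows the offboarding point raised earlier (reset the seed server-side and the old codes stop verifying, whatever app generated them). The issuer “Example Corp”, the account “alice@example.com” and the helper names are assumptions; the seed and the expected codes are the published RFC test vectors.

```python
"""Added example (not from the thread): RFC 6238 TOTP in plain Python.

Demonstrates:
  1. TOTP is a standard algorithm, so any compliant app (Aegis, FreeOTP, or
     MS Authenticator in its plain-TOTP mode) produces the same codes from
     the same otpauth:// URI.
  2. Verification with a small clock-drift window, compared in constant time.
  3. Offboarding: once the server rotates the seed, codes from the old seed no
     longer verify, independent of which app is still holding it.
Test vectors: RFC 4226 / RFC 6238 reference seed "12345678901234567890".
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse

# RFC 6238 reference seed, base32-encoded as an enrollment QR code would carry it.
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def build_otpauth_uri(issuer, account, secret_b32, digits=6, period=30, algorithm="SHA1"):
    """Build the otpauth:// URI (Key Uri Format) that enrollment QR codes encode."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&digits={digits}&period={period}&algorithm={algorithm}")


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... URI, applying the defaults (6 digits, 30 s,
    SHA1) that authenticator apps assume when a field is absent."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(p.query)
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # base32 needs 8-char groups
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def verify_totp(secret_b32, code, unix_time, window=1, digits=6, period=30, algorithm="SHA1"):
    """Accept the code for the current step or up to `window` steps either side
    (clock drift). Constant-time compare so timing does not leak matching digits."""
    counter = int(unix_time) // period
    return any(
        hmac.compare_digest(hotp(secret_b32, c, digits, algorithm), code)
        for c in range(counter - window, counter + window + 1)
    )


def rotate_seed():
    """Offboarding/reset: a fresh 160-bit seed. The old one is simply no longer
    stored server-side, so any app still holding it produces useless codes."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    # Issuer/account are constructed placeholders for the demo.
    uri = build_otpauth_uri("Example Corp", "alice@example.com", RFC_SEED_B32)
    params = parse_otpauth_uri(uri)
    print(uri)
    old_code = totp(params["secret"], 59)
    print("code at t=59:", old_code)  # 287082 per RFC 6238 (last 6 of 94287082)
    new_seed = rotate_seed()
    print("old code verifies after seed reset:", verify_totp(new_seed, old_code, 59))
```

The verification window is the only place where an implementation decision matters: a window of 1 step (30 s either side) is the usual compromise between tolerating phone clock drift and not letting a phished code stay valid for long.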
You’re wasting your life trying to fight battles you don’t even understand.
There’s no “battle” here. It’s their phone, end of discussion. They don’t need to justify to you or anyone what they do and do not want on it.
What you don’t understand is that a worker does not need your permission or approval to exercise their right to control their personal property, and that right far exceeds any concerns about how easy the IT admin’s job is.
Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
Thanks for the input?
At what point can you tax deduct your phone as a business expense?
If your company is enforcing geographic location as a security qualifier then MS Authenticator can poll your device. Also you can use push authentication with the MS suite.
It’s done by IP address not phone or laptop GPS.
I just got it enabled and it most definitely wants your location. It has to poll my device’s location once an hour by my work’s policy.
That might be an optional requirement which can be set by the admins. On my phone (Android) I have disabled location permissions for the MS Authenticator app. I have no issues logging in. I also regularly have to deal with alerts for users with improbable geographic logins, because they have a VPN on their phone. So, they login from their PC from one location and then their phone logs into Azure from the other side of the planet moments later.
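Added example, mine rather than any commenter’s: a minimal improbable-travel check of the kind described in the comment above, run over constructed sign-in records. The location comes from geolocating each sign-in’s source IP, not from the phone’s GPS, so a phone on a VPN produces exactly the false positive mentioned; the check therefore also tags hops that touch a known VPN egress range. Names, IPs (documentation ranges), coordinates, the 900 km/h threshold and the KNOWN_VPN_EGRESS list are all constructed.

```python
"""Added example (not from the thread): "improbable travel" detection over
constructed sign-in records. Each record carries the geolocation of the source
IP; consecutive sign-ins for the same user whose implied speed exceeds an
airliner's are flagged, and hops involving a known VPN egress are tagged so
the analyst sees the likely benign explanation."""
import ipaddress
import math
from datetime import datetime

# Anything faster than an airliner between two sign-ins is physically impossible.
MAX_PLAUSIBLE_KMH = 900.0

# Constructed: VPN egress ranges we already know about (documentation addresses).
KNOWN_VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sign-in log, fields: time user src_ip lat lon device
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice 203.0.113.10 45.50 -73.57 pc
2024-05-01T08:05:00Z alice 198.51.100.7 -33.87 151.21 phone
2024-05-01T08:00:00Z bob 203.0.113.22 45.50 -73.57 pc
2024-05-01T10:30:00Z bob 192.0.2.44 43.65 -79.38 phone
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a spherical Earth (R = 6371 km)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, device = line.split()
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "lat": float(lat),
            "lon": float(lon),
            "device": device,
        })
    return events


def is_known_vpn(ip):
    return any(ip in net for net in KNOWN_VPN_EGRESS)


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins (sorted by time) and flag pairs
    whose implied speed exceeds max_kmh. Zero elapsed time with a non-zero
    distance counts as infinite speed."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0:
                speed = dist / hours
            else:
                speed = math.inf if dist > 0 else 0.0
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": (prev["device"], str(prev["ip"])),
                    "to": (cur["device"], str(cur["ip"])),
                    "distance_km": round(dist),
                    "speed_kmh": speed if speed == math.inf else round(speed),
                    # Tag so the analyst can triage "phone on a VPN" quickly.
                    "vpn_egress": is_known_vpn(prev["ip"]) or is_known_vpn(cur["ip"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data only alice trips the rule (Montreal to Sydney in five minutes), and the alert carries the VPN tag because her phone’s sign-in came from the known egress range; bob’s Montreal-to-Toronto hop works out to roughly 200 km/h and passes.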