So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
MS authenticator has a bunch of security features that make it better.
From a technical standpoint, it’s possible to bring those same features to independent software implementations, but nothing of the sort has been implemented yet. Best we have is cross device passkeys.
TOTP has serious flaws if you need strict security (easily phished, for instance) so a company can have good reasons for not trusting it. However, they can fuck off if they want to try to force that shit onto my personal device.
How would MS Authenticator make it any better than TOTP?
To break TOTP, the attacker would need to:
a) be able to observe the initial exchange of the TOTP secrets. To do that, the attacker needs access to the victim’s computer (on user level) at that specific time they set up TOTP. TOTP is a TOFU concept and thus not designed to protect against that. However, if the attacker controls the victim’s computer at that time, the victim is screwed anyways even before setting up 2FA.
b) have access to the TOTP app’s secret storage and to the victim’s login credentials (e.g. by phishing). If the attacker can gain that level of access, they would also have access to the Microsoft Authenticator’s secret storage, so there is no benefit of the Microsoft app.
On the other hand, Microsoft Authenticator is a very huge app (>100MB is huge for an authenticator app, Aegis is just 6MB, FreeOTP+ 11MB), i.e. it brings a large attack surface, especially by connecting to the internet.
I don’t think Microsoft Authenticator brings security benefits over a clean and simple TOTP implementation.
To break TOTP, the attacker would need to have the victim open up a phishing page. If someone enters their password at fakegoogle.com, they’ll also enter their TOTP tokens. TOTP only protects against your password leaking.
Microsoft Authenticator has a bunch of security checks, like checking if your device is in the same physical vicinity.
The current iteration of the app is moving to leveraging passkeys, something not just Microsoft can do. For businesses, there are still good reasons to use MS authenticator passkeys (control over policies like requiring passkey devices with certain security updates), but in practice I find a lot of 2FA passkey implementations sorely lacking at the moment. Scanning a QR code on your phone is annoying, even if it is phishing resistant.