So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
To break TOTP, the attacker would need to have the victim open up a phishing page. If someone enters their password at fakegoogle.com, they’ll also enter their TOTP tokens. TOTP only protects against your password leaking.
Microsoft Authenticator has a bunch of security checks, like checking if your device is in the same physical vicinity.
The current iteration of the app is moving to leveraging passkeys, something not just Microsoft can do. For businesses, there are still good reasons to use MS authenticator passkeys (control over policies like requiring passkey devices with certain security updates), but in practice I find a lot of 2FA passkey implementations sorely lacking at the moment. Scanning a QR code on your phone is annoying, even if it is phishing resistant.