this post was submitted on 30 May 2024
210 points (94.1% liked)

Asklemmy

43984 readers
786 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

top 50 comments
sorted by: hot top controversial new old
[–] sylver_dragon@lemmy.world 123 points 6 months ago (9 children)

I work in cybersecurity for a large company, which also uses the MS Authenticator app on personal phones (I have it on mine). I do get the whole "Microsoft bad" knee-jerk reaction. I'm typing this from my personal system, running Arch Linux after accepting the difficulties of gaming on Linux because I sure as fuck don't want to deal with Microsoft's crap in Windows 11. That said, I think you're picking the wrong hill to die on here.

In this day and age, Two Factor Authentication (2FA) is part of Security 101. So, you're going to be asked to do something to have 2FA working on your account. And oddly enough, one of the reasons that the company is asking you to install it on your own phone is that many people really hate fiddling with multiple phones (that's the real alternative). There was a time, not all that long ago, where people were screaming for more BYOD. Now that it can be done reasonably securely, companies have gone "all in" on it. It's much cheaper and easier than a lot of the alternatives. I'd love to convince my company to switch over to Yubikeys or the like. As good as push authentication is, it is still vulnerable to social engineering and notification exhaustion attacks. But, like everything in security, it's a trade off between convenience, cost and security. So, that higher level of security is only used for accessing secure enclaves where highly sensitive data is kept.

As for the "why do they pick only this app", it's likely some combination of picking a perceived more secure option and "picking the easiest path". For all the shit Microsoft gets (and they deserve a lot of it), the authenticator app is actually one of the better things they have done. SMS and apps like Duo or other Time based One Time Password (TOTP) solutions, can be ok for 2FA. But, they have a well known weakness around social engineering. And while Microsoft's "type this number" system is only marginally better, it creates one more hurdle for the attacker to get over with the user. As a network defender, the biggest vulnerability we deal with is the interface between the chair and the keyboard. The network would be so much more secure if I could just get rid of all the damned users. But, management insists on letting people actually use their computers, so we need to find a balance where users have as many chances as is practical to remember us saying "IT will never ask you to do this!" And that extra step of typing in the number from the screen is putting one more roadblock in the way of people just blinding giving up their credentials. It's a more active thing for the user to do and may mean they turn their critical thinking skills on just long enough to stop the attack. I will agree that this is a dubious justification, but network defenders really are in a state of throwing anything they can at this problem.

Along with that extra security step, there's probably a bit of laziness involved in picking the Microsoft option. Your company picked O365 for productivity software. While yes, "Microsoft bad" the fact is they won the productivity suite war long, long ago. Management won't give a shit about some sort of ideological rejection of Microsoft. As much as some groups may dislike it, the world runs on Microsoft Office. And Microsoft is the king of making IT's job a lot easier if IT just picks "the Microsoft way". This is at the heart of Extend, Embrace, Extinguish. Once a company picks Microsoft for anything, it becomes much easier to just pick Microsoft for everything. While I haven't personally set up O365 authentication, I'm willing to bet that this is also the case here. Microsoft wants IT teams to pick Microsoft and will make their UIs even worse for IT teams trying to pick "not Microsoft". From the perspective of IT, you wanting to do something else creates extra work for them. If your justification is "Microsoft bad", they are going to tell you to go get fucked. Sure, some of them might agree with you. I spent more than a decade as a Windows sysadmin and even I hate Microsoft. But being asked to stand up and support a whole bunch because of shit for one user's unwillingness to use a Microsoft app, that's gonna be a "no". You're going to need a real business justification to go with that.

That takes us to the privacy question. And I'll admit I don't have solid answers here. On Android, the app asks for permissions to "Camera", "Files and Media" and "Location". I personally have all three of these set to "Do Not Allow". I've not had any issues with the authentication working; so, I suspect none of these permissions are actually required. I have no idea what the iOS version of the app requires. So, YMMV. With no other permissions, the ability of the app to spy on me is pretty limited. Sure, it might have some sooper sekret squirrel stuff buried in it. But, if that is your threat model, and you are not an activist in an authoritarian country or a journalist, you really need to get some perspective. No one, not even Microsoft is trying that hard to figure out the porn you are watching on your phone. Microsoft tracking where you log in to your work from is not all that important of information. And it's really darned useful for cyber security teams trying to keep attackers out of the network.

So ya, this is really not a battle worth picking. It may be that they have picked this app simply because "no one ever got fired for picking Microsoft". But, you are also trying to fight IT simplifying their processes for no real reason. The impetus isn't really on IT to demonstrate why they picked this app. It is a secure way to do 2FA and they likely have a lot of time, effort and money wrapped up in supporting this solution. But, you want to be a special snowflake because "Microsoft bad". Ya, fuck right off with that shit. Unless you are going to take the time to reverse engineer the app and show why the company shouldn't pick it, you're just being a whiny pain in the arse. Install the app, remove it's permissions and move on with life. Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.

[–] IHawkMike@lemmy.world 17 points 6 months ago (4 children)

This is incredibly well said and I agree 100%. I'll just add that software TOTP is weaker than the MS Authenticator with number matching because the TOTP seed can still be intercepted and/or stolen by an attacker.

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the "something you have" second factor in my threat model.

While I prefer pure phishing-resistant MFA methods (FIDO2, WHFB, or CBA), the support isn't quite there yet for mobile devices (especially mobile browsers) so the MS Authenticator is the best alternative we have.

load more comments (4 replies)
[–] deweydecibel@lemmy.world 10 points 6 months ago* (last edited 6 months ago) (2 children)

Unless you are going to take the time to reverse engineer the app and show why the company shouldn't pick it, you're just being a whiny pain in the arse.

You're god damn right they are, and they have every right to be. I'm in It too and I'm absolutely sick of the condescending attitude and downright laziness of people in the field who constantly act like what the users want doesn't matter. If they don't want it on their personal device, they don't need a damn reason.

This job is getting easier all the time, complaining because users don't want Microsoft trash on their phone might make marginally more work for you is exactly as whiny.

Or, throw a fit and have the joys of dealing with two phones. Trust me, after a year or so of that, the MS Authenticator app on your personal phone will feel like a hell of a lot better idea.

I see this all the time and it's downright hysterical. Who the hell can't handle having to have two devices on them?

"Oh yeah you'll regret asking for this! Just wait till you have to pull out that other thing in your bag occasionally! You'll be sorry you ever spoke up!"

Also, develop some pattern recognition. If you can't see how Microsoft makes this substantially worse once other methods have been choked out, you haven't learned a thing about them in the last 30 years.

[–] sylver_dragon@lemmy.world 14 points 6 months ago

You’re god damn right they are, and they have every right to be. I’m in It too and I’m absolutely sick of the condescending attitude and downright laziness of people in the field who constantly act like what the users want doesn’t matter. If they don’t want it on their personal device, they don’t need a damn reason.

Sure, and I suspect they company will have another option for folks who either can't or won't put the application on their personal device. It's probably also going to be far less convenient for the user. Demanding that the company implement the user's preferred option is where the problem arises.

complaining because users don’t want Microsoft trash on their phone might make marginally more work for you is exactly as whiny.

It's a matter of scale. In a company of any size, you are going to find someone who objects to almost anything. This user doesn't like Microsoft. Ok, let's implement Google. Oh wait, the user over there doesn't like Google. This will go on and on until the IT department is supporting lots of different applications and each one will have a non-zero cost in time and effort. And each of those "small things" has a way of adding up to a big headache for IT. We live in a world of finite resources, and IT departments are usually dealing with even more limited resources. At some point they have to be able to cut their losses and say, "here are the officially supported solutions, pick one". While this creates issues for individuals throughout the organization, it's usually small issues, spread out over lots of people versus lots of small issues concentrated in one group.

If you're in IT, you've likely seen (and probably supported) this sort of standardization in action. I can't count the number of places where every system is some flavor of Dell or HP. And the larger organizations usually have a couple of standard configurations around expected use case. You're an office worker, here's a basic laptop with 16Gb of RAM, and mid level CPU and fuck all for a GPU. Developer? Right, here's the top end CPU, as much RAM as we can stuff in the box and maybe a discreet GPU. AI/ML work? here's the login for AWS. Edge cases will get dealt with in a one-off fashion, there's always going to be the random Mac running around the network, but support will always be sketchy for those. It's all down to standardizing on a few, well known solutions to make support and troubleshooting easier. Sure, there are small shops out there willing to live with beige box deployments. Again, that does not scale.

I see this all the time and it’s downright hysterical. Who the hell can’t handle having to have two devices on them? β€œOh yeah you’ll regret asking for this! Just wait till you have to pull out that other thing in your bag occasionally! You’ll be sorry you ever spoke up!”

Hey, if that's your thing, great. But, there is a reason BYOD took off. And a lot of that was on users pushing for it. Having been on the implementation side, it certainly wasn't IT or security departments pushing for this. BYOD is still a goddamn nightmare from an insider threat perspective. And it causes no end of headaches for Help Desks trying to support FSM knows what ancient piece of crap someone dredges up from the depths of history. Yes, it's a bit of cop out to give the user a crappy solution, because they push back against the easy one. But, it's also a matter of trying to keep things working in a standardized fashion. A standard configuration phone, with the required pre-installed, gives the user the option they want and also keeps IT from having do deal with yet more non-standard systems. It's a win for everyone, even if it's not the win the user wanted.

Also, develop some pattern recognition. If you can’t see how Microsoft makes this substantially worse once other methods have been choked out, you haven’t learned a thing about them in the last 30 years.

I do understand how bad Microsoft can be. I was an early adopter of Windows Me. And also have memories of Microsoft whining about de-coupling IE from the OS. And I don't want MS to win out as the authentication app for everyone. That said, I still believe that the Microsoft Authenticator app on a personal device is the wrong hill to die on. There is a lot of non-Microsoft software out there and there are plenty of options out there. But, Microsoft software using the Microsoft app isn't surprising or insidious.

load more comments (1 replies)
[–] techingtenor@lemm.ee 10 points 6 months ago (1 children)

To add on, at my work we started getting yubikeys for the people who didnt want Microsoft's authenticator on their phone and found they still need to download the mfa to set up the yubikey in the first place. So its not a perfect solution if you dont want the authenticator to touch your phone at all.

I can also confirm that the help desk members who are not enlightened about Microsoft will ridicule you for not wanting the MFA even if its reasonable to not want Microsoft on your phone. As much as we think all techs are Linux nerds, I have the opposite at my work. Some of the higher up techs are constantly trying to get people to switch to windows 11...

load more comments (1 replies)
load more comments (6 replies)
[–] Diplomjodler3@lemmy.world 87 points 6 months ago (3 children)

No company has any right to force people to use their private phones for company purposes. I'd absolutely refuse to let them install anything whatsoever on my phone. If they want me to use a phone for work, they'll have to give me one.

[–] tdgoodman@lemmy.dbzer0.com 19 points 6 months ago (3 children)

Many work places require employees to bring their own tools (eg auto mechanic). Requiring a phone or tablet is probably legal.

[–] thesystemisdown@lemmy.world 11 points 6 months ago (11 children)

I think if that's the case, I'd get an inexpensive phone with a prepaid plan... and make it clear that it gets turned off if not on call or otherwise pre-arranged.

[–] deweydecibel@lemmy.world 9 points 6 months ago

This is what it's heading to eventually. This "authentication using a personal device that the IT department can't control" crap will eventually evolve into "they must control the device". Which means they just need to quit being cheap and buy devices they can manage for this purpose.

load more comments (10 replies)
load more comments (1 replies)
load more comments (2 replies)
[–] xavier666@lemm.ee 57 points 6 months ago (12 children)

Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It's like a secondary virtual phone.

load more comments (12 replies)
[–] todd_bonzalez@lemm.ee 44 points 6 months ago (2 children)

You cannot be forced to give your employer access to your property, so just say that you cannot install it on your phone. Make sure you say that it isn't possible. You don't have to make it sound voluntary. You can just say "I cannot install this on my phone". Even if the reason is because you refuse to install it, it doesn't matter, that's your call to make with your own property.

Your employer will either need to find another solution that you can use, or they will need to issue you a company phone so that you can use the mobile software they require you to use.

[–] chiliedogg@lemmy.world 20 points 6 months ago (1 children)

I work for a municipal government where we all receive a phone stipend because of 2FA.

If we use our personal phones for city business, they become searchable in Open Records Requests.

[–] xavier666@lemm.ee 9 points 6 months ago (2 children)

Also, the Microsoft Intune app, which checks if your device is compliant, requires a high level permission which allows it to remote wipe your device. This is in case your device has sensitive data and gets stolen/falls into the wrong hands. This is a very risky direction where we are handing off admin access of our phone to our employers.

load more comments (2 replies)
[–] ButtDrugs@lemm.ee 19 points 6 months ago (1 children)

I work in tech, and have had multiple employees claim they only have "dumb" phones for what I'm pretty sure is this exact reason. And I never blame them, just put the heat on IT to find a solution.

[–] fatalicus@lemmy.world 14 points 6 months ago (1 children)

And the solution isn't even hard, since it should be "OK, take one of these FIDO2 tokens we have in stock for cases like this"

load more comments (1 replies)
[–] DmMacniel@feddit.de 39 points 6 months ago (3 children)

Demand hardware tokens for authentication.

load more comments (3 replies)
[–] neidu2@feddit.nl 31 points 6 months ago* (last edited 6 months ago) (8 children)

Can you claim that you don't have a smartphone? Then they'd either have to provide an alternative authentication method, or provide you with a phone.

I've been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven't looked much into the privacy aspect of it, though.

[–] LodeMike@lemmy.today 12 points 6 months ago

Don't do that. Just say they will provide you with an authenticator paid for by them.

[–] BobGnarley@lemm.ee 9 points 6 months ago (1 children)

If it has Microsoft's name on it, the privacy implications are horrendous. Guaranteed.

load more comments (1 replies)
[–] xmunk@sh.itjust.works 9 points 6 months ago (2 children)

Strong disagree with Microsoft Authenticator being well done - anything that is needlessly incompatible with competitors is bullshit. Either make your authenticator use the standard or fuck off.

[–] federalreverse@feddit.de 8 points 6 months ago (1 children)

Push Authentication in the MS Authenticator is Microsoft's proprietary thing. And I think that's probably what we're talking about here.

load more comments (1 replies)
load more comments (1 replies)
load more comments (5 replies)
[–] Nighed@sffa.community 29 points 6 months ago (14 children)

The ms authenticator works in 'reverse' in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can't be social engineered into giving out a 2fa token. It also has a "no this wasn't me" button to allow you to (I assume) notify IT if you are getting requests that are not you.

I don't believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?

[–] Max_P@lemmy.max-p.me 15 points 6 months ago (3 children)

And the authenticator is configurable and they can enforce some device security like not rooted, bootloader locked, storage encryption is on through the Intune work profile. If you work on a bank, you don't want the 2FA to even live on a device where the user gives root access to random apps that could extract the keys (although at this point come on you can probably afford Yubikeys).

As a user, not a fan, but as an IT department it makes complete sense.

load more comments (3 replies)
load more comments (13 replies)
[–] LordCrom@lemmy.world 24 points 6 months ago (1 children)

Maintain a veil of separation between personal and business. Just say you can't install it.

They must then provide you with needed hardware.

Just say you don't have a smartphone....you have a flip phone...doesn't matter.

And don't fall for the argument that companies require ties also, they can require cell phones..... Not at all same thing.

load more comments (1 replies)
[–] ziby0405@lemmy.ml 22 points 6 months ago (22 children)

β‰₯ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.

Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.

load more comments (22 replies)
[–] federalreverse@feddit.de 21 points 6 months ago (7 children)

Is your company mandating Push Authentication or are you entering 6-digit codes?

If it's the former, MS Authenticator is the only option.

If it's the latter, you can use any TOTP app you like, e.g. Aegis.

load more comments (7 replies)
[–] Dirk@lemmy.ml 21 points 6 months ago

If they want you to use a specific application they need to provide you with everything that is needed for you to run said application.

[–] NostraDavid@programming.dev 16 points 6 months ago (1 children)

Just ask whether they can provide a phone as well.

load more comments (1 replies)
[–] jet@hackertalks.com 12 points 6 months ago (3 children)

You can say no, and if they won't budge buy a cheap old phone off Swappa or craigslist or marketplace for $20 install Ms authenticstor on it and leave it at your desk.

load more comments (3 replies)
[–] MetalMartin@lemmy.myserv.one 10 points 6 months ago

I won't allow any MS stuff on any of my devices.

[–] masterspace@lemmy.ca 10 points 6 months ago (3 children)

You're wasting your life trying to fight battles you don't even understand.

load more comments (3 replies)
[–] Jyek@sh.itjust.works 10 points 6 months ago (1 children)

I work for an MSP servicing 5k users all of whom I force to use M$ Auth app. Because it is the best Authenticator on the market, their company is paying for it, and because I look at the sign in logs for 3-4 different organizations every day to see literal hundreds of foreign sign-in attempts that fail due to M$ MFA. Yeah fuck monopolistic megacorps but understand when they provide an actual good product that is safe to use and actively protects you as an individual better than anything else out there.

All that said, the most likely reason is that they don't want to make a document explaining how to set up MFA for each of the dozen+ apps out there and they certainly don't want to talk to users who don't know what they are doing with which ever app their kid set up for them

I'm sure you know what you're doing better than 80% of the other employees in your office in this regard but I can tell you from experience, when one person gets their way, everyone wants theirs too.

[–] lemmyvore@feddit.nl 8 points 6 months ago* (last edited 6 months ago) (3 children)

You left out two things:

  1. It doesn't change anything for the company if they allow the normal TOTP protocol in MS Authenticator. People who don't care will use it. People who care can use other authenticator apps.
  2. The reason companies insist on MS Authenticator is because it reports the employee's location.
load more comments (3 replies)
[–] Rikj000@discuss.tchncs.de 10 points 6 months ago (3 children)

You can use Aegis and/or Yubico Authenticator instead, that's what I do.

[–] Nighed@sffa.community 24 points 6 months ago

They said that the option to use other authenticators were disabled by their company

[–] Fleppensteijn@feddit.nl 11 points 6 months ago (3 children)

In my company at least, Aegis works for the first few logins, but it will keep nagging you have to switch to Microsoft's authenticator and you're locked out after a while.

load more comments (3 replies)
load more comments (1 replies)
[–] Tinkerer@lemmy.ca 9 points 6 months ago (1 children)

I don't really get the rub here, JM all for separating work devices and personal devices but the 2fa apps don't leak any info and the company can't "do" anything to your phone remotely. The apps work in air plane mode. I also want to bet more than half the users that complain about this use the companies free WiFi.

Get a flip phone and say you can't install it, however SMS 2fa is very insecure.

load more comments (1 replies)
[–] speaker_hat@lemmy.one 9 points 6 months ago (6 children)

In my case they didn't disable the option to use any authenticator for 2FA.

So I just use another one.

I don't see why forcing MS Authenticator will be better than any other authenticator.

The person who forces it is for sure not a security expert.

It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

load more comments (6 replies)
[–] Martin@lemmy.ml 8 points 6 months ago (1 children)

Thanks people, some good replies here. I could demand a work phone, but that's impractical, dragging around two phones etc. I'd like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn't know about that. If my company won't budge I'm doing that. When push comes to shove I could even use outlook that way on my phone.

load more comments (1 replies)
load more comments
view more: next β€Ί