Starting from October, my university is about to enforce mandatory 2FA for all IDs.
They offer three 2FA methods: Microsoft Authenticator installed on your phone, Windows Hello and a FIDO2 key.
However, it’s not possible to use any of the other methods without also using Microsoft Authenticator as a 2FA method.
Alternative authenticator apps also don’t seem to be available, as you can’t generate a TOTP secret and instead have to sign in with your ID and password to the app.
So, how bad is Microsoft Authenticator from a privacy standpoint? Would it be possible to not use it and also not be locked out of my university ID?
MSFT Auth app is not great. But if that’s the only option, then you have very little choice.
For your school accounts, it's the university's job to ensure security for all accounts, and I'm guessing they do have it implemented well enough.
But the seed token does get sent to MSFT servers so they have your tokens too.
Please check again if you can't use another app. I'm still pretty sure you can. In my school, they always recommended using the MSFT Auth app, but once I got the seed, I copied and added that to my Proton Pass and it worked. I would double-check this "mandatory" thing you speak of for MSFT Authenticator.
How were you able to obtain the seed? In the setup instructions provided, it says that I should sign in using my account’s ID and password to the app and set it up that way; it doesn’t provide a way to obtain a seed or secret for use with authenticator apps.
What I did was log in to my school account via the browser on my laptop on office.com or something similar where you have access to your suite of tools, go to your security settings and enable 2FA that way. The website will or should show you your seed token, and it will also ask you to use their own app (don't!). Once you see the seed, copy and paste it where you want and you should be good to go.
Give it a try right away if you can, it takes a few minutes at most. Let me know how it goes.
If successful, have Ente Auth or Proton Authenticator ready with you to save it there.
It's Microsoft. They track everything. Of course the university picks a big corporation. From their standpoint they don't want there to be a bunch of issues and they want to have something that's going to be secure. Most of the time big tech has the manpower to make sure things are secure and is able to jump on top of an issue quickly when it arises. I'm sure that Microsoft would provide the university with decent tech support. It's still shitty being forced to put that shit on your device, though. Maybe they are just saying that you have to use Microsoft Authenticator because that's what they want users to use. I don't know if it's possible to use it at first and then import the 2FA codes to another authenticator or not. I would definitely try to use something else at first but wouldn't be surprised if it didn't work. At the end of the day, when you're in a situation where you're not able to do anything about it, there's not much you can do. Even if you tried, it would fall upon deaf ears.
This is what I think is the best thing to do. When you're told to open Microsoft Authenticator, try using another one. Worst case scenario, it doesn't work. I don't see why it won't work. Other authenticators are more than capable of handling the tokens when generated. The university is most likely just telling everyone that they "have to" use Microsoft Authenticator because they don't want to be dealing with issues from various authenticators and want to stick to just one.
If you’ve used authenticators before then you more than likely won’t have a problem. Just make sure that you are aware of the backup methods for the authenticator that you choose to use and make sure that you have access to backups just in case you ever need them.
Thank you so much! When I logged in to my account from the Microsoft site (not the student portal) and enabled 2FA there manually, it let me generate a seed for use in Proton Authenticator.
It may be that your school (or employer) is using push notifications for authentication generated from Microsoft services. Those will have to go to Microsoft's app, given the proprietary nature of the push.