Work is requiring me to install Microsoft Authenticator

So I have a few options and don't know which would be best.

I could install this on an old phone. However, the old phone is on a stock OS with all my old apps installed. I have NetGuard and InviZible Pro actively blocking internet access for apps that don't need it, and I'd keep the phone off and in a Faraday case when not needed.

Alternatively, I could install this on my current phone, a Pixel 6 with GrapheneOS. I'd rather not have it on my current phone because it just feels weird. What I would plan on doing is creating a separate profile with just this app installed and all permissions disabled until I need to use said app.

Which option would you consider to be the most private and what would you do in my situation?

Doesn’t matter. What info will it get from your smartphone, since it won’t need any permissions?

1 Like

Hmm, can’t you just scan the QR code with another authenticator?

I’d probably go for option one. However, that seems to be the most inconvenient one… If you forget that phone, and you need to verify, you are going to curse.

2 Likes

In my personal opinion, I’m not sure how private Microsoft Authenticator is, but if you want something practical and straightforward, I wouldn’t delve too deep into the options you mentioned. You can use Shelter or an app to manage a work profile and install it, or alternatively, use your old phone as you’ve mentioned.

The optimal choice will depend on how much you’ll be using Microsoft Auth for work. If you use it extensively, I would clearly recommend setting it up with a work profile.

Microsoft Authenticator and some others aren't just plain TOTP apps; they take into account other aspects of the device, and the administrator can choose to mandate that location be one of them.

https://support.microsoft.com/en-us/account-billing/common-questions-about-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd

While you’re still accessing the protected resource, for the next 24 hours, your location will be shared silently once per hour from the device, so you will not need to get out your phone and manually approve each hour.

You might say: “Oh well my employer already has my home address”, but even then why does Microsoft need it?

4 Likes

Ah yes true, conditional access on Azure can create policies for location based authentication and deny legacy options.

  1. If you need an app for work, they should supply you a phone for work. Maybe try asking for one politely but assertively.
  2. What Ouros said: if it's just about a TOTP code, maybe a different app will do. They all calculate the codes the same way.
  3. If they do more invasive checks like SkewedZeppelin explained, you should really be given a "just for work" phone. Blocking Internet access or a different profile wouldn't work for this.

3 Likes

Not really sure if I am a fan of this solution. When supplied with a work phone, they can also probably track you down via the location of that iPhone through MDM, which also works when the device is turned off.

So this definitely isn't a great situation either. Personally, I refused a work phone for this reason. I do use Microsoft Authenticator as well, but I disabled its internet access after initialization of the app and use the TOTP mode.

And no, other TOTP apps do not work. Microsoft uses some strange proprietary exchange of secrets and data communication to activate the app. There is no secret string to import into another app.

1 Like

Can you just claim that your phone broke and that you use a feature phone for now? Will they volunteer a work phone?

At least with a work phone you can turn it off and put it in a Faraday bag after work.

1 Like

A Faraday bag might work. In that case I would rather put it on a device I control; I don't see the advantage at all. And you will still need to turn it on when using it. I don't know if you work remotely. My employer doesn't need to know where I am working.

If they’re requiring you to install software, it should be on their own hardware. They should provide you a phone.

Failing that, can you suggest a hardware TOTP token?

2 Likes

I got asked this and just added the TOTP to another app, no problem. MS made it annoying to get the seed, but after that I am not having any of the issues others are describing.

I would at least try it in case they are not enforcing any security rules and just asking for the app because “MS says so”.

1 Like

When my work switched to Microsoft Authenticator for 2FA, I found an option to use a different authenticator and was able to set it up using Aegis. If that’s a possibility for you that seems like the best option to me. Of note, I did have to explicitly choose that option, trying to scan the QR code for the MS app did not work.

1 Like

Unless you agreed to BYOD, your company has to provide you a phone. I assume they are forcing you to use MS Authenticator because you can go passwordless with MS business accounts, and it is also mandatory for Intune and Office app management.