Can anyone explain if there is a net privacy or security benefit to using a 2nd SIM in a separate phone for MS 2FA?

Currently, using an iPhone11Pro to run MS work apps, but also have a GOS P6a. I bought the Pixel initially as my dedicated work phone, but unfortunately it just doesn’t keep up with the daily workload (overheats, battery drain, small screen, etc.)

[removed link to a YouTube video made by a YouTuber who gives bad advice]

Please know I am newer to these communities and I don't sub to the creator. I’m sure there will be mixed feedback on his content as I’ve found while researching this on random message boards.

At the end of the day, I have 2 phones. Both have physical SIMs. Work necessitates I use SMS 2FA. I looked into VOIPs, but it appears it's very hit or miss. Not sure if any of this matters...a bit confused.

Any feedback would be appreciated!

    gosguy What sparked my consideration was this video: [...]

    Is it possible to summarize the rationale presented in the video?

    It may be productive to start with a threat model (e.g., a list of specific information you wish to conceal from specific parties) and then choose techniques based on a specific model. Otherwise, there are lots of techniques and technologies that could be deployed, but most of them cost some mixture of time, convenience, and money.

    His argument is cross-app tracking...Which is similar to what I am looking to avoid being a remote worker with MS apps in play now.

    One example he uses is going incognito on a PC doesn’t work if your iPhone or stock Android that you used for 2FA is sitting on your desk. Google/Apple can still see your location.

    I am currently running an always on VPN and when authenticating it shows Mullvad's location, but being ignorant I am left wondering what other data, if any, can be seen by IT, assuming they even take a peek of course.

    Please know nothing malicious here is in play...Just a remote worker trying to remain off the radar especially on my own time. The work we do daily is verified by other means (security cameras, job site photos, surveys, meetings, routes, etc.)

    In another video he brings up de-Googled phones like GOS are better for 2FA because they don’t give access to the identifiers. He argues to get any carrier physical SIM and use it. Of course the carrier will have your direct info, but “big tech”, his words not mine, will not.

    For me, this is specifically related to MS apps, although I assume I will update the other non privacy respecting apps I use.

    Again only because I have the 2 phones I am considering these options, but am unsure it’s worth it as it seems I would also need to sunset my existing cell# to a VOIP and activate a new # that I don’t give out. Just doesn’t seem practical since I can’t get family to use apps like Session.

    And after typing this all out I’m now considering if my best bet is to just dump the iPh11, literally, upgrade to a Pixel 8 Pro so it can handle my daily tasks and run 2 profiles like before...Other option is to find a new job!!

    Hopefully this makes sense...Been a long day. TY for the reply!!

      First off, Rob Braxman is a charlatan and you should probably unlearn whatever you have heard from him. Most of his advice ranges from security/privacy theatre to being so harmful that it can lead you to get a full compromise of your system. I have documented plenty of his misinformation and scams in the past.

      Secondly, regarding 2FA, there are plenty of methods, and SMS 2FA is almost the weakest one and you should avoid it if possible, for security reasons.

      Google and Microsoft do not mandate SMS 2FA. Google specifically has the Advanced Protection Program where all 2FA methods except FIDO2/Passkey are prohibited. This includes SMS 2FA. I highly recommend that you just buy a pair of FIDO2 keys and enroll into this program. Microsoft allows for FIDO2 with secondary email fallback. Facebook also allows for FIDO2 as a 2FA method. If you do not want to get tracked across services, don't allow them to see the serial number when pairing up for FIDO2. FIDO2 is the strongest possible 2FA method.

      Most services allow for TOTP 2FA, and you can either store the secret on your phone or on Yubikeys, with the Yubikeys being the more secure option. This is the most common 2FA method, not SMS 2FA.

      For the few services that explicitly require a phone number for verification - you can use a normal phone number for that. You have to ask yourself - how many identities are you maintaining? Do you even care enough to try to prevent identity linking on these phone numbers or not? And do you actually care if the magical "big tech" has your phone number or not, and why?

      Remember that SMS 2FA is a weak 2FA method and most services which are serious about security will not require that you use it.

      gosguy

      His argument is cross-app tracking...Which is similar to what I am looking to avoid being a remote worker with MS apps in play now.

      IT departments do not care enough to track what you are doing in your private life. They only care about how you are accessing corporate resources and whether the endpoints are secure. Just use a separate work phone number for work if you want.

      If there is something to worry about, it's enrolling into the company's MDM on your personal devices. Otherwise, it shouldn't be a problem. Get a dedicated work machine if you have to.

      Also, as I explained above, Microsoft doesn't mandate SMS 2FA. If this is a problem, it is a problem with your IT department. FIDO2 with Email 2FA fallback is normally an option with them. Microsoft also doesn't care if you use a VOIP number or not, you can use Google Voice for free if you want.

      In another video he brings up de-Googled phones like GOS are better for 2FA because they don’t give access to the identifiers.

      This has to do with app sandboxing, not with whether something is degoogled (which is a rather nonsensical term to begin with). You can literally just load any Google apps you want onto GOS and it wouldn't be a problem. App sandboxing dictates that hardware ID is not disclosed to unprivileged applications.

      The only thing you have to care about is the eSIM activation app, which is only on if you enable it. That one has access to hardware identifiers.

      For me, this is specifically related to MS apps, although I assume I will update the other non privacy respecting apps I use.

      Microsoft apps are unprivileged on Android. You can install Microsoft apps directly on a Pixel with stock OS and it wouldn't see anything, let alone GrapheneOS.

        gosguy I'm confused as to the relevance of a SIM card when it relates to Microsoft Authenticator.

        To add to what has already been described in this thread:
        I'm speaking from a background of testing Microsoft's Entra ID authentication scheme for many hours, including assisting dozens of people in setting up Microsoft Authenticator.

        If your company uses Entra ID with Microsoft Authenticator, there is absolutely no need for you to provide Microsoft with a phone number. Entra ID has an option for the user to use MFA by phone call (which Microsoft warns against, because of its low security compared to other MFA), but it would be absurd if this was the only MFA that your company would allow. I'm not even sure Entra ID allows admins to block other MFA options and only use phone call verification.

        Entra ID completely supports security keys (with passkeys only, so it's not really MFA). The admins will have to allow this in the admin control panel, though, and I see no reason why they shouldn't. When setting up Microsoft MFA, if you see an option to set up a security key, you're good. If not, contact your work and request them to allow it. Your safest bet is getting a modern Yubikey, as those are the most commonly allowed keys (the admins can enable attestation, so you can also ask them which keys they allow in their systems).

        When setting up Microsoft Authenticator, it's even possible to use another MFA app, if your work has enabled that option. To test that, simply go to your work's Microsoft Authenticator registration page, download Microsoft Authenticator on your phone, set the phone in airplane mode, use the app to scan the QR that is displayed on your computer, then observe that the registration throws an error and gives you the option to use a TOTP (might have to do this twice). Scan the new QR code with your preferred MFA app, and you're good to go. You can now uninstall Microsoft Authenticator without ever having connected it to the internet.

        These are just tips, and as highlighted in this thread, please evaluate whether it's worth it for you to spend time to even attempt this.

          TommyTran732

          Appreciate your time and input here. I suppose you're right. I really didn't think much about my # being public since I am a hermit anyways and I change it every few years as I move around the states.

          Anyways, I will look into your suggestions...After the company I work for got hit with ransomware they have been rolling things out and making daily activities a nightmare!

          Just today I joined a Teams meeting and it was able to bypass my VPN to my exact location! It's an iPhone so no split tunneling to my knowledge. And although it appears I was able to deny it for the call, like the mic and camera, it's evidence I need to probably get off iOS and back on GOS permanently!

            fid02
            Appreciate the info! I'm going to play around with it and see how long it takes before I get locked out of my account!

            As for the PH# and 2FA relation, I now better understand it can be bypassed with other apps.

            The guy in that YT video linked above had me considering separating lines using multiple phones to verify ID just to stay off of tech giants' radar. I just stretched it to mean MS too since I work remotely and do my best to stay incognito.

            Sorry for the confusion, hopefully that clarifies it somewhat...appreciate your time!

            gosguy

            Just today I joined a Teams meeting and it was able to bypass my VPN to my exact location! It's an iPhone so no split tunneling to my knowledge.

            Both iOS and Android have VPN leaks currently, though iOS is the more egregious one. How exactly do you know it "extracts your location" though? And how accurate?

            Stuff like Timezone/Keyboard can be used to guess your general location even if there is no IP leak.

            Also, make sure you deny location permission to their apps if you are worried about that.

            The guy in that YT video linked above had me considering separating lines using multiple phones to verify ID just to stay off of tech giants' radar. I just stretched it to mean MS too since I work remotely and do my best to stay incognito.

            No one even wants you to do SMS 2FA. It's either a legacy system or catering to people who don't know any better. It is a very weak 2FA method and it costs them money to send you the SMS. In the case of Google, you can clearly see that they want you to use FIDO2 and not SMS 2FA. They don't even want you to use SMS 2FA at all.

            Most of what he says is just bs. Braxman acts like they really wanna harvest your phone number for nefarious purposes, but in reality they just want you to have 2FA. And if you have stronger 2FA methods they will happily not ask you for your number.

              TommyTran732 Both iOS and Android have VPN leaks currently, though iOS is the more egregious one. How exactly do you know it "extracts your location" though? And how accurate?

              So not sure it matters, but I don't keep Teams installed on iPh11 24/7. In downloading it minutes before the call, like you mentioned, I didn't go into settings as I usually would and deny location. I'm guessing that's why it popped up on the screen as I was joining the room. I was able to deny permission, and the location was pretty accurate. I noticed the main cross streets immediately and even the curvature of the road! I would say it was precise.

              The above was specific to Teams. When I verify my daily 2FA log in with MS Authenticator the pop-up location matches Mullvad! I logged into Sharepoint to review my sign in history (I have limited access) and all good.

              Just to be clear I agree that IT has bigger fish to fry than to watch my log ins. For me, I'm just interested to know how the app bypassed the VPN. Perhaps it is leaking which is not good. I have a paid membership with Proton for email, but don't use their VPN - perhaps I should try it?

              And now I'm curious about the traffic app I use...Waze bypasses the VPN too!

              Appears I have a lot to learn, but please know I appreciate your feedback!