Forced to use 2FA at work

John564479

Hi,

My work bow requires us to use Microsoft authenticator which is filled with trackers and permissions. At this point in time I basically look at Microsoft as malware and wondering if anyone has any clever ways of getting around using the authenticator on my phone. Is it possible to use it via a non intrusive Foss app or on the PC? I know I can put it on another sandboxed profile on my graphene phone but not too keen.

doublefree

John564479 It may depend on the policies set by your administrators but in the 2fa setup dialog from MS is a small link (dark pattern) for TOTP instead of push messages. TOTP works with Aegis, KeePassDX ...

fid02

John564479 At this point in time I basically look at Microsoft as malware

Microsoft Authenticator might collect your IP address, your interactions within the app, and communicate with other Microsoft apps you have installed in that profile, but it's certainly not malware and isn't going to be infecting your device. If you don't want to use the app, there are possible solutions to this, but you might want to consider to simply install the app in a separate profile to avoid app communication with other Microsoft apps in other profiles, then run an always-on VPN in that profile.

Also, if your organization has not disabled the option, it is possible to use Microsoft Authenticator without a network connection (after the initial setup) by using the OTP code that the app generates: when you are asked to approve the push notification, simply select "I can't use Microsoft Authenticator right now" and you'll get the option to input the code instead.

I'll write more about alternative options later, out of time now.

missing-root

John564479

You can verify a Microsoft account with regular TOTP as fallback, unless they blockes that

If they did, why dont you have a work phone??

John564479

doublefree

I did not see this, could you elaborate?

PaulDavis

If it's your phone, tell them to shove it. If they supply the phone, the contract, etc, then treat it as a company tool for which they accept responsibility for its safety and upkeep. At which point you no longer have a say in the matter, but do not place personal data on their device

John564479

PaulDavis

Yeah good point. In this case I did get a phone so I guess I have to

secrec

fid02 but it's certainly not malware

You'll need to provide substantive proof to support this claim.

ticklemyIP

secrec fid02 but it's certainly not malware

You'll need to provide substantive proof to support this claim.

I'd say quite the opposite. Anyone making claims about the unsafety of a peace of software should have the burden of proof. It's a Microsoft app with I assume a huge userbase. Any malware would be found out pretty quickly.

fid02

secrec You'll need to provide substantive proof to support this claim.

Why? Are we assuming that a globally respected security company with thousands of enterprises paying for their security products would implant literal malware into people's devices? That would be such a huge loss to Microsoft's reputation that it's simply inconceivable. If you show proof that they are doing this, by all means, I will rest my case. But I find that's it bordering on the absurd that I have to defend the assertion that Microsoft is not infecting people with malware.

Exhort14

In my situation, work "required" Microsoft authenticator for MFA, but when the TOTP screen showed up, I just used a different app to scan the QR code.

If that doesn't work, you could try temporarily using MS, then copying the TOTP secret key to your preferred app, then uninstalling MS.

John564479

Exhort14

I'll give it a go, cheers

John564479

Exhort14
I managed to add aegis to it following ur method. Thank you!

John564479

I can drop inn this: https://reports.exodus-privacy.eu.org/en/reports/com.azure.authenticator/latest/

To me this app seems pretty loaded.

Exhort14

John564479 Let us know how it goes, good luck!

fid02

John564479 I managed to add aegis to it following ur method. Thank you!

I didn't know it was this easy. That's great!

Exhort14

John564479 Thanks for reporting back. Glad it worked for you!

Speeduser7533

If they gave you a work phone, then use it however they instruct you to, but never do anything personal on it. I never use my work phone for anything personal. Not ever. I use a different password manager, 2FA app, etc. on the work phone.

Complete isolation between work and personal usage.

John564479

fid02

I guess it comes down to the definition of malware here. Microsoft used to be a respectable company but now it seems to be going south. When I think malware I think a programm that has the ability to steal information/data and/or make.my system unsafe. When you look at how Microsoft is dealing with privacy and data harvesting since windows 10, combined with copilot and pluton then I literally define it as malware. Microsoft office has been banned in German schools on this ground

secrec

fid02 Are we assuming that a globally respected security company with thousands of enterprises paying for their security products would implant literal malware into people's devices?

In what world are they in any way "respected"?

Further, it isn't the assertion that they are "infecting" anyone with malware, the assertion is that their software IS malware.