Will microsoft authenticator work in the foreseeable future?

Drippy_Fast_999

I have made a post before asking whether or not I should switch to GoS. So far I think it is worth switching, especially on my pixel 6a. But I require microsoft authenticator to work since my university uses it for 2FA, and I can not login to my university accounts without it.

Johnnyloans

Drippy_Fast_999

Microslop says maybe:

A Microsoft spokesperson told heise security in response to an inquiry, “Microsoft Authenticator is not officially supported on GrapheneOS, and Entra accounts may be impacted in the future on devices running GrapheneOS that are detected as rooted.”

-https://www.heise.de/en/news/GrapheneOS-Microsoft-Authenticator-does-not-support-secure-Android-OS-11200495.html

Stephan-P

Drippy_Fast_999 before switching to GOS you can install and alternative Authenticator app e.g. Aegis or Bitwarden Authenticator and test if that would work for your University.
Multiple Authenticator apps using the same QR code generally works, unless your University is adament on using the MS Authenticator specifically.

tiron

Drippy_Fast_999

Hello. I have created a second profile on my phone. In this profile I installed Google Play Services. I install here all apps that requires this component ie bank app or Microsoft authenticator. Whenever I need these apps I just have to switch in this profile which take 5 sec. Everything works fine.

Drippy_Fast_999

Stephan-P My university only uses microsoft authenticator.

jukebox626

The app currently works fine, not only with personal accounts, but also business / school. I did recently get a warning that the business account might stop working at some point in the near future because the app apparently considers my device to be "rooted".

Interestingly, the warning message disappeared after I activated the "Exploit protection compatibility mode" for the app. Obviously, there is no way to tell whether / for how long this workaround will continue to work.

schweizer

Yes the app works even without Google Play Services. But your company administrators can block your device if they want. But this is also possible with other OS.

Stephan-P

I did not wait too long after I read the announcement: copied all my TOTP codes to Bitwarden Authenticator and after some testing ditched MS Authenticator all together.
If you don't wanna play with me, then I don't wanna play with you.

Drippy_Fast_999

Stephan-P It is not possible for me to do that , because as i have stated previously they do not use any other 2FA service

xxx

Stephan-P ditched MS Authenticator all together.

Right. We shouldn't trust MS with real important stuff.

schweizer

Drippy_Fast_999 Please tell us what for your university recommends Microsoft authenticator. If they have all their services on Microsoft alternatives such as Google will not work.

The university recommends Microsoft authenticator for TOTP codes then you can scan the QR code during enrollment with a different app.

But you repeatedly ignore the fact that even Microsoft Authenticator works on GOS. So I do not understand what your problem is.

Stephan-P

Drippy_Fast_999 what I meant to say is "just give an alternative a try", because it wouldn't be the first time that an IT departement strongly prescribes MS Authenticator while any other will do just fine.

Oggyo

Stephan-P what I meant to say is "just give an alternative a try", because it wouldn't be the first time that an IT departement strongly prescribes MS Authenticator while any other will do just fine.

^^^ This! You should explore the alternatives.

@Drippy_Fast_999, When signing in, if you see the option "I can't use my Microsoft Authenticator app right now", then most probably your provider allow other sign-in methods.

Sign in to your account security info tab, direct link https://mysignins.microsoft.com/security-info
Press the plus sign to add a sign-in method and if available add Authenticator app (TOTP), where you can add a secret (QR code) to any proffered app suggested above.

vont

I agree with other auggestions of at least trying the other authenticator apps. I guessing they're all universal unless microsoft has their own coding recipe.

I succesfully switched everything from Google authenticator to Aegis.

But then later switched everything to Yubico authenticator with the hardware key.

DeletedGravy

To agree with the "give it a try," I have no experience with Microsoft's, but also switched Google Authenticator to Proton for things I used Google for. Those things do not "support" Proton, but it absolutely works. Duo, however, which my university uses, seems to have its own thing going on, and switching to Proton didn't work, but Duo can be set up to send a notification by SMS text in lieu of push notification through app (if that's tolerable to a user). Not sure how these compare with Microsoft, but if it's like Google and Proton, it should be easy to hand it to a different app. If it's like Duo, then your options might be limited.

schweizer

Oggyo Sign in to your account security info tab, direct link https://mysignins.microsoft.com/security-info
Press the plus sign to add a sign-in method and if available add Authenticator app (TOTP),

This is BS. Always try to avoid TOTP when better passwordless options are available such as FIDO2 or a dedicated app. TOTP is a form of password and as such useless against MiM attacks, one of the most common attack vectors. At the same time TOTP is cumbersome. There is a lot to blame on Microsoft but one thing they do pretty well is passwordless logins.

Overlay1404

I use Authenticator on my work profile and have not had any problems with it over the years. Nobody can say with any accuracy whether that will continue into the future.

littlerack

Overlay1404 do you use it for otps or also for passkeys?

Overlay1404

littlerack just otps

neel

I use Google Authenticator. Yes, I know it's Google and that Google is a surveillance company, but there are some services I don't self-host and TOTP is one of them (the other is my calendar).

I no longer work at Microsoft but InTune never worked with GrapheneOS when I tried. InTune worked with LineageOS on both Pixel and OnePlus when root hiding worked. I can admit MSFT products are buggy garbage.

Oggyo

schweizer This is BS

Hey, I'm not comparing the MFA methods, OK? I'm just trying to help as I understand the proactive approach for an alternative auth. method (others replied above) when/if MS Auth. refuse to work on Graphene OS.

The potential compatibility of MS Auth. on GrapheneOS as some apps detects it as rooted is the concern and I already discused it here:
https://discuss.grapheneos.org/d/1465-microsoft-authenticator-issue/17

[Edit]
My last company for example when MS Auth. was the proffered method they disallowed TOTP apps but at the same time allowed the less secure methods like SMS texts. This is what looks like BS to me.

Johnnyloans

It's more helpful to list the cons of options rather than stubbornly repeating that TOTP isn't perfect in terms of security. @Oggyo stated this already.

The security downsides of TOTP:

User mistypes grapheneSO.org instead of graphenOS.org and provides them with login credentials.
User receives a phishing email about a login or payment. They click the link in the email to a phishing site.

No security is perfect, know the risks and benefits then proceed. TOTP is a great, safe option.

schweizer I do find your advice harmful because it makes other peoples phones more vulnerable.

What is harmful is a unilateral decision by someone that doesn't have to live with the consequences and disregards people's circumstance.
Few things are always the best choice. FIDO2 costs money, is not available in every country, and problematic for those prone to losing items, or could cost more time. Orgs may not have SSO for every portal thus can't utilize MS auth passwordless sign-in.

MS being referred to anything other than microslop is dangerous.

schweizer Fact is as of today Microsoft authenticator does not tag GOS as rooted. If they do so in future this would be a bug because a GOS phone is not rooted.

Right now just became the past. It's best to prepare with a plan. In an ideal world, it'd be a bug. In ours it's business. This thread wasn't created asking: "does msauth work right now?"

schweizer This is BS. Always try to avoid TOTP when better passwordless options are available such as FIDO2 or a dedicated app.

Oggyo guided users, who are worried about vanishing msauth, to changing their mfa--valid advice. If the user can't see that passkey & FIDO are right next to TOTP, the best security aids won't save them from social engineering. People that are fans of FIDO2 will naturally be curious if FIDO is an option.
We can place semantics aside. Oggyo's advice is specific to his situation--choose SMS or TOTP. My advice will be based on the en-US version of apps. A more constructive reply adding to the conversation would be: "check to see if you can use the other options because phishing is a concern."

You are assuming the reader's org has 100% passwordless utilization, they could be using TOTP in msauth now.

schweizer

Oggyo I do find your advice harmful because it makes other peoples phones more vulnerable.

Fact is as of today Microsoft authenticator does not tag GOS as rooted. If they do so in future this would be a bug because a GOS phone is not rooted.

Just because SMS is unsafe this does not mean other methods are as well.

jukebox626

schweizer

The app as a whole doesn't complain about GOS, but Microsoft business / school accounts can (or Microsoft does it for them, not sure which). My corporate account in MS Authenticator started warning me that it might stop working a few days ago, although I could fix it for now by enabling exploit protection compatibility mode.

Of course, flagging GOS as "rooted" is nonsense, but try to explain that to those compamies who do it...

Oggyo

schweizer Fact is as of today Microsoft authenticator does not tag GOS as rooted. If they do so in future this would be a bug because a GOS phone is not rooted.

I agree. I'm not saying it doesn't work currently. I personally have to use MS Auth. for my services at work, that's why I installed it and keeping it ONLY for that, I have no choice.

But read the MS statement again. What if tomorrow, similar to some banking apps MS wrongly flagged GrapheneOS as rooted and because of that they disable access and functionality of its app on GrapheneOS?

And when 100% this is a bug or wrong root detection, what your choice you have on situation you have no control? Using a non GrapheneOS especially for that service? No convenient to me.

I personally don't care if I have to lower the sec. method just to make it work for that company, as I said I use MS Auth. only for that. And what I'm suggesting above is the OS to explore possibility for plan "B" and decide when/if to switch.

littlerack

schweizer Fact is as of today Microsoft authenticator does not tag GOS as rooted

It doesn't really matter, the fact is passkeys don't work specifically on GOS at least for me. All those OTPs etc are relatively easy to bypass via other apps like KeepassDX, but if an org requires MSA as passkey app, you're probably cooked.
So far I was not able to trick the test org and generate passkey in the KeePassDX via web version of MS account. The key is visible in kpdx, but it's not listed in the account that is similar to what I saw in MSA (so it looks like the server rejects to register the generated passkey, and the MSA returns the error, but kpdx doesn't and the key doesn't work anyway)