So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • ramble81@lemm.ee
    link
    fedilink
    arrow-up
    0
    ·
    6 months ago

    You’re thinking of Intune and the Company Portal app. That’s where the device enforcement comes into play. Authenticator can be installed on any system regardless of its state and their enforcement policies.

    • deweydecibel@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      6 months ago

      For now.

      The point is, the patterns in software security are pretty clear. People will keep finding ways around the authenticator, eventually someone will get their account compromised, and at some point it will get more restrictive.

      It doesn’t matter how it works now, because once it’s normalized that this Microsoft app must be on your phone so you can work, and it must operate exactly as it wishes to, Microsoft will be able to start pushing more restrictions.

      At a certain point, the device simply has to be verified as secure in and of itself before it can keep another device secure. Meaning your phone will be brought under your workplace’s security policies.

      • ramble81@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        What? No. This is complete hyperbole and speculation, and off at that too. Their Authenticator is used for personal accounts as well as managing 3rd party TOTP tokens. It’s no different than Google Authenticator, DUO Authenticator or Okta Authenticator. I could see that on a far end if they come out with a business only version, but given that everything is backed on their same platform it doesn’t behoove them to do that.