this post was submitted on 30 May 2024
209 points (94.1% liked)

Asklemmy

43989 readers
909 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy ๐Ÿ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 17 points 6 months ago (1 children)

This is incredibly well said and I agree 100%. I'll just add that software TOTP is weaker than the MS Authenticator with number matching because the TOTP seed can still be intercepted and/or stolen by an attacker.

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the "something you have" second factor in my threat model.

While I prefer pure phishing-resistant MFA methods (FIDO2, WHFB, or CBA), the support isn't quite there yet for mobile devices (especially mobile browsers) so the MS Authenticator is the best alternative we have.

[โ€“] [email protected] -3 points 6 months ago (1 children)

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the "something you have" second factor in my threat model.

The administrator can restrict this.

[โ€“] [email protected] 9 points 6 months ago* (last edited 6 months ago) (1 children)

We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.

Admins can't control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don't think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.

Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.

[โ€“] [email protected] 0 points 6 months ago (1 children)

No, you can actually block them from adding additional devices. Once they add a TOTP device, they can not add or change to another without admin approval.

But more to the point, if the admin requires the management of the authentication software, I.e. Bitwarden or authy or whatever, then they clearly have concerns about the security of the MFA on the user's device. If text messages are no longer considered secure then we move to the TOTP apps, but now if we're just summarily deciding the apps are no longer considered secure, we're demanding a secure app controlled by the admin must be used for MFA.

Can we not see where this is going next? Are we really under the delusion that because we have this magical Microsoft Authentication app now, MFA need never become more secure? This is the end of the road, nothing else will be asked of the user ever again?

If the concern is for the security of MFA on the user's side of that equation, then trying to manage that security on a device that company does not own is a waste of time. Eventually this is not going to be enough.

So let's just skip this step entirely and move on to fully controlled company devices used for MFA.

[โ€“] [email protected] 1 points 6 months ago

Look man, it's okay to be wrong. It's a natural part of growth.

But when you double down on your ignorance instead of taking the opportunity to open your mind and listen to the experts in the room, you just end up embarrassing yourself.

Try to be better.