• theo@lemmy.world · 17 up / 4 down · 6 months ago

      Unfortunately, Microsoft will often force their own 2FA app when logging in to 365.

          • /home/pineapplelover@lemm.ee · 1 up · 6 months ago

            Unless your organization forces specifically Microsoft Authenticator, then yeah. However, for several schools, that’s never been an issue; there should be an option to use a third-party authenticator in small text.

        • ParetoOptimalDev@lemmy.today · 9 up / 1 down · 6 months ago

          If your admins change the default away from Authenticator only they see bright red “MS 365 insecure” banners.

          So… It’s a dark pattern that technically allows other options.

          • dayvid@lemmy.world · 4 up · 6 months ago

            TOTP codes can be phished. Technically FIDO2 keys like Yubikeys are one of the only phishing-resistant authenticators out there now, because they’re tied to the official domain of the real site and won’t authenticate to a fake.

            Passkeys are similarly phishing resistant, and Microsoft Authenticator will basically have passkey support added early this year. For now it’s actually not phishing resistant! Though it’s somewhat better than TOTP.

            The issue is that phishing resistance is important but it doesn’t stop session stealing (someone getting ahold of the cookie on your computer that confirms you’re signed in and have done MFA). But it does make it harder to steal sessions because phishing resistance means attackers need to get it from your computer instead of intercepting a fake login.

            Just a little technical backstory around why admins are needing to lock down auth methods in more ways as attacks become more sneaky and the more sophisticated attacks become automated and easier and thus more frequent.
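To make the “tied to the official domain of the real site” point concrete, here is an added toy model of the WebAuthn/FIDO2 origin-binding check (example code written for this thread, not from any commenter, Microsoft, or a FIDO library). It assumes a made-up relying party at `https://login.example.com` and a constructed look-alike origin, and it uses a per-credential HMAC key as a stand-in for the key pair a real authenticator holds; the rpId, rpIdHash, clientDataJSON and origin checks follow the WebAuthn layout.

```python
import hashlib
import hmac
import json
import secrets

# Toy model of WebAuthn/FIDO2 origin binding (added example, not from the thread).
# A per-credential HMAC key stands in for the authenticator's private/public key pair;
# the rpId / rpIdHash / clientDataJSON layout and the verifier checks mirror the spec.


def rp_id_from_origin(origin: str) -> str:
    """Browser rule: the rpId is the host of the page that called navigator.credentials."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


class ToyAuthenticator:
    """Holds one credential per rpId and only produces assertions for that rpId."""

    def __init__(self):
        self._creds = {}  # rpId -> credential key (stand-in for the private key)

    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # a real key would hand back a public key instead

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self._creds:
            # Nothing is scoped to this rpId, so there is nothing to sign with.
            raise LookupError("no credential scoped to rpId %r" % rp_id)
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self._creds[rp_id], to_sign, "sha256").digest()


def browser_get_assertion(key: ToyAuthenticator, page_origin: str, challenge: str):
    """The browser, not the page, writes the real origin into clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = key.get_assertion(rp_id_from_origin(page_origin), client_data)
    return client_data, auth_data, sig


class ToyRelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id, self._users = origin, rp_id_from_origin(origin), {}

    def register(self, user: str, key: ToyAuthenticator):
        self._users[user] = key.make_credential(self.rp_id)

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify(self, user, challenge, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:  # the check a TOTP code has no equivalent of
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(self._users[user],
                            auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return hmac.compare_digest(expected, sig)


REAL_ORIGIN = "https://login.example.com"                      # constructed
LOOKALIKE_ORIGIN = "https://login.example.com.lookalike.test"  # constructed placeholder


def setup():
    key, rp = ToyAuthenticator(), ToyRelyingParty(REAL_ORIGIN)
    rp.register("alice", key)
    return key, rp


def legitimate_sign_in() -> bool:
    key, rp = setup()
    challenge = rp.new_challenge()
    return rp.verify("alice", challenge, *browser_get_assertion(key, REAL_ORIGIN, challenge))


def relayed_challenge_fresh_key() -> str:
    """A relay forwards the real site's challenge onto a look-alike page: the key refuses."""
    key, rp = setup()
    challenge = rp.new_challenge()  # obtained from the real site by the relay
    try:
        browser_get_assertion(key, LOOKALIKE_ORIGIN, challenge)
    except LookupError as err:
        return "authenticator refused: " + str(err)
    return "assertion produced"  # not reached: no credential exists for the look-alike rpId


def relayed_challenge_with_lookalike_credential() -> bool:
    """Even if the key held a credential for the look-alike rpId, the real RP rejects the
    assertion: clientDataJSON carries the look-alike origin and the signature binds it."""
    key, rp = setup()
    key.make_credential(rp_id_from_origin(LOOKALIKE_ORIGIN))
    challenge = rp.new_challenge()
    return rp.verify("alice", challenge, *browser_get_assertion(key, LOOKALIKE_ORIGIN, challenge))


if __name__ == "__main__":
    print(legitimate_sign_in(), relayed_challenge_fresh_key(),
          relayed_challenge_with_lookalike_credential())
```

The two relayed flows show the two layers the comment describes: a key with no credential for the look-alike host has nothing to sign, and an assertion produced for the wrong origin fails the relying party’s origin and rpIdHash checks before the signature is even compared. Nothing here protects the session cookie issued after a successful `verify`, which is the residual risk the comment points out.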

  • Strawberry@lemmy.blahaj.zone · 38 up / 3 down · 6 months ago

    PSA, don’t use Microsoft Authenticator. It’s easy to accidentally wipe your cloud backup and lose all your authenticator codes when switching devices.

      • Killercat103@infosec.pub · 6 up / 1 down · 6 months ago

        I think you can use standard TOTP regardless, if you add TOTP as an option in the authentication methods on your account page. At least I did, and the system has yet to complain.

          • Killercat103@infosec.pub · 1 up · 6 months ago

            Sounds like an antitrust violation imo. (Not based in knowledge of laws.) In the future I hope to work in a co-op, non-profit, FOSS or privacy-oriented business or whatever. Just something I believe is beneficial to our future and not detrimental. Don’t care if I lose potential wages or job security.

            Just the standard run-of-the-mill tech company for a private owner idealizing infinite growth for investors and making software that tries taking advantage of the user, or even being required to use such? Not for me. (I don’t need perfection, just want improvement.)

    • BluDood@lemmy.world · 9 up · edited · 6 months ago

      Is there actually any way to export the secrets from MS Authenticator? I’ve been wanting to move them to something like Bitwarden, but it’s gonna take ages if I have to reset all ~50.

    • edric@lemm.ee · 4 up · 6 months ago

      Can you provide more info how it’s easy to accidentally wipe? I’ve only done a transfer once, but it was by installing authenticator on the new phone and logging in, then deleting the other one on the old phone after testing that the codes work.

    • cyberpunk007@lemmy.world · 3 up · 6 months ago

      Yes, and while you can move it phone to phone on iOS, you cannot on Android. So stupid.

      If you are forced to use it by your company, just use it for that email, nothing else. Use something like Authy instead.

      • highenergyphysics@lemmy.world · 4 up / 1 down · 6 months ago

        If your company forced you to use mobile authentication, they should also be providing you with a device on the company plan at no cost to the employee.

        In which case you should absolutely use MS Auth and give them all your delicious work data because nothing personal should be on the device anyway.

      • toastal@lemmy.ml · 2 up · 6 months ago

        Authy requires a phone number last I checked & is a part of a for-profit entity. TOTP management is a simple task so there is no reason not to be using something open source.

    • qaz@lemmy.world (OP) · 3 up · 6 months ago

      Don’t worry, I’m going to keep using Bitwarden for my personal accounts.

  • CoopaLoopa@lemmy.dbzer0.com · 24 up · 6 months ago

    This is specifically an issue with corporate M365 accounts when a user tries to migrate to a new phone without access to the old phone where the authenticator was setup.

    Personal MS accounts can backup their auth secret keys to cloud storage, and when signing in on a new device, it authenticates you with your cloud storage (Google/Apple) and properly restores your MS Authenticator app.

    The issue is that while MS says you can back up your corporate M365 accounts in MS Authenticator, it doesn’t actually store the secret key, so it’s useless.

    Have your administrator enable TAP (Temporary Access Passwords) on the tenant. Then an M365 admin can create a TAP for your account that lets you login without a password/2FA. You can use the TAP to login and rejoin MS Authenticator app. The TAP expires in 1 hour by default.

    • spiffy_spaceman@lemmy.world · 3 up · 6 months ago

      I’m in this particular loop at work where I don’t want and don’t really need an account, so I’m going to pretend I didn’t see this and if you could ensure that IT doesn’t see this, that’d be great, thanks.

    • AggressivelyPassive@feddit.de · 1 up · 6 months ago

      MS auth also supports SMS via phone number. That’s a whole new level of insecure, but lets you migrate to a new phone rather easily.

      I’m 90% sure, all that 2FA crap is a sham anyway.

    • qaz@lemmy.world (OP) · 12 up / 1 down · 6 months ago

      You’d think such an important application would be properly tested, right?

  • Archon of the Valley@infosec.pub · 12 up · 6 months ago

    That sort of risk is one major reason I stopped using MS Auth and went through the painstaking process of manually switching all of my accounts to a FOSS authenticator (Aegis Auth) instead.

  • miss phant@lemmy.blahaj.zone · 12 up · edited · 6 months ago

    Microsoft will just refuse to let me log in with a third-party TOTP after setting it up. Security key is also “not supported” on Firefox even though it works for every other site.

    The most info they will get is my Minecraft account and that’s already too much…

      • CoopaLoopa@lemmy.dbzer0.com · 1 up · 6 months ago

        ^ Your M365 admin needs to know where to manage the specific authentication methods and be sure to disable MS auth rollouts. By default right now, authentication rollouts are enabled on all tenants with P1 licensing or above, and it only supports the MS Authenticator app.

        Once that rollout is disabled, the authentication methods your admin has made available to you will actually work properly.

    • qaz@lemmy.world (OP) · 4 up · 6 months ago

      I set it up with Bitwarden after a reset, but it showed a popup telling me to switch to MS Auth every time until one day there was no way to refuse the switch anymore.

  • ParetoOptimalDev@lemmy.today · 14 up / 3 down · 6 months ago

    Anyone else hate Microsoft forcing you to use Authenticator rather than alternatives?

    Just another way I’m forced to install Microsoft crap on my devices :/

  • Honytawk@lemmy.zip · 10 up / 1 down · 6 months ago

    Probably means there already is MFA set up on that account, and now you’re doing it a second time.

    Or you can just press the “get codes” button in the top right.

    • qaz@lemmy.world (OP) · 6 up · 6 months ago

      The “get codes” button didn’t work the first time I tried it. But it did now after restarting the app a couple times. A bit finicky, but it works.

      • sizing743@lemmy.ml · 4 up · 6 months ago

        Yeah, when you’re setting it up there’s a button that says something like “use another authenticator app” or it might say something like “configure without notifications”.

        Those generate normal TOTP QR codes which you can use in other apps.

  • afraid_of_zombies@lemmy.world · 7 up · 6 months ago

    One day authentication of new users will be impossible and the only way to get on will be to purchase it from someone who already has it. Entire companies will run on a single account they bought for millions of dollars. News stories will run of vengeful or negligent employees bricking the one corporate account, until a cartel of business owners attempts to corner the market.

      • LemmyIsFantastic@lemmy.world · 2 up / 3 down · 6 months ago

        I mean, unless your service lets you pick individually, that usually means turning on SMS. That’s probably why they have a general policy; it’s a pain in the ass to manage multiples.

    • qaz@lemmy.world (OP) · 1 up · 6 months ago

      Interesting, do you happen to know which configuration item causes this?

      • LemmyIsFantastic@lemmy.world · 4 up / 2 down · 6 months ago

        The one that forces you only to use ‘passwordless’ logins or forces that MFA challenge. Your admins had a choice on what they allow.

        • BCsven@lemmy.ca · 1 up · 6 months ago

          It seems something changed on MS’s end though, because I had control of what MFA I use on our corporate account, which was set up with Yubikey, until about a month ago when this “Use Your Outlook Mobile” started on its own.

            • BCsven@lemmy.ca · 1 up · edited · 6 months ago

              Whatever it is, somebody at Microsoft made a mistake; it should not prompt you for an Outlook Mobile auth code when that is the actual app you are trying to sign in to and you have no way of retrieving that code. It should have reviewed the MS app and, if it is Outlook Mobile, moved to the next MFA option in your security list.

                • BCsven@lemmy.ca · 1 up · 6 months ago

                  In this meme, yeah; in my account I get the “try another way” link to let me go back to the Yubikey auth option. But it shouldn’t default to Outlook auth if you are trying to sign in to Outlook; that is just lack of forethought.