So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • deweydecibel@lemmy.worldEnglish
    33·
    1 month ago

    Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the “something you have” second factor in my threat model.

    The administrator can restrict this.

    • IHawkMike@lemmy.world
      6·
      1 month ago

      We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.

      Admins can’t control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don’t think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.

      Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.