213
submitted 5 months ago by Martin@lemmy.ml to c/asklemmy@lemmy.ml

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

you are viewing a single comment's thread
view the rest of the comments
[-] Carighan@lemmy.world 3 points 5 months ago

Yeah and that wouldn't work, as they would not be able to generate a valid 2FA code.

[-] Nighed@sffa.community 1 points 5 months ago

Bad actor goes to super secret page while working on 'fixing' and issue for the user. They then get the 2 digit request code and ask the user to input it to 'resolve' the issue.

Mostly the same as any other 2fa social engineering attack I guess, but the users phone does display what the code is for on the screen which could help.... But if your falling for it probably not.

[-] Carighan@lemmy.world 2 points 5 months ago

Yeah but that's a wholly different attack, and oodles more complex to pull off. Doable, sure. But it's absolutely not the same thing as phishing for a valid 2FA code that is generated user-side.

And don't get me wrong, both are overall very security. But there is a case to be made for push auth.

[-] Nighed@sffa.community 1 points 5 months ago

It's not that different is it? You still need to get a user to share/enter a live code?

[-] AtariDump@lemmy.world 1 points 5 months ago

One requires the user to go to a bad page and get a spoofed 2FA code so the bad guy can log in.

Do you know how hard that is? Not worth it for 99% of hacks.

The other requires that the user read off their six digit code on their device.

Trivial easy since they already have the user’s password.

[-] Nighed@sffa.community 1 points 5 months ago

It requires the bad guy to go to the page and ask the user to enter the code the bad guy gets

[-] AtariDump@lemmy.world 2 points 5 months ago

How does the bad guy get to the page?

Then how does he get the user to enter in that code into their mobile device?

[-] Nighed@sffa.community 1 points 5 months ago

You can probably get the URL for a companies SharePoint pretty easily, but you need a login. You are able to get a PAs credentials through a phishing link etc but need the 2fa code.

You do the IT phishing attack (enter this code for me to fix your laptop being slow...), get them to enter the code and now you have access to a SharePoint instance full of confidential docs etc.

I'm not saying it's a great attack vector, but it's not that different to a standard phishing attack.

You could attack anything that's using the single sign on. Attack their build infrastructure and you now have a supply chain attack against all of their customers etc.

It helps but its not enough to counter the limits of human gullibility.

this post was submitted on 30 May 2024
213 points (100.0% liked)

Asklemmy

43939 readers
332 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS