I used bluestack to emulate android and us MS Auth when I had no choice.
It's a waste of space, but it doesn't go on your phone at least
Get a used /cheap phone or tablet, only turn it on or enable wifi when you need the app. Don't use it for anything else. I think that covers all the bases.
If your company is enforcing geographic location as a security qualifier then MS Authenticator can poll your device. Also you can use push authentication with the MS suite.
What is your concern about installing MS Authenticator.
I mean I can understand the principle of being forced to install anything on your phone.
But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?
I'm not concerned per se and I definitely applaud the MFA requirement. I mean I hate MS and don't like apps I don't need, and I don't trust them, but as others pointed out this would mostly just be whiny. That's why I asked for reasons why restricting users to MS Authenticator would be preferable. If it's more secure or technically way easier and thus cheaper to maintain then fine, I'll find an acceptable way to comply. If not, then it's them who are whiny and I'd rather make the case to let us use whatever authenticator we already have installed.
But MS Authenticator isn’t a normal 6-digit Authenticator; it scans your Face ID (or finger print) and in many cases (like my work) it can be support password less accounts (relying only on something you have and something you are).
And in regard to your point that you don’t want to install apps you don’t need, it sounds like you do in fact need this app.
🤷♀️
reasons why restricting users to MS Authenticator would be preferable
As a security professional:
If your workplace is leaning heavily on the Microsoft ecosystem, especially their cloud offerings like Azure, then restricting employees to the Microsoft app is a no-brainer, and actually quite reasonable.
For example, if they happen to have a hybrid domain with an on-prem domain controller syncing with Azure (forgive me for using obsolete terms, I’m a greybeard), then they can control all access to all company assets, including 2FA. If an employee leaves the company, they can also disable the Microsoft app at a moment’s notice by disabling the employee’s Microsoft account. Because everything is hooked into Azure, it sends push notifications down to all company assets - like the Microsoft 2FA app - to unhook all of the company’s credentials and prevent employee access after the fact.
You cannot do this with other 2FA apps.
You can just use FreeOTP
My company has the same policy
Grab the shelter app from f Droid, add the Play store in shelter, move over to the work side Play store and install the authenticator.
Pause your work apps except for when you need to use the authenticator.
Prosper???
Lots of great conversation here, I also work somewhere where this is required. If I didn't need my phone for access to chat, I just wouldn't use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.
I managed to get around the MS auth app and am using aegis right now.
If you're in the US, that could very well get you fired in any "at will employment" state. It's shitty, fucked up, and should be illegal, but the legislators seem to represent wealthy corporations way more than they represent their human constituents (GOP especially).
Declare yourself a member of The Church of Emacs and claim your religious rights are being violated.
You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.
Ask if you could get a hardware token (ie: Yubikey Security Key) instead of using Microsoft Authenticator to fulfill the security requirements. It's low cost and doesn't require a subscription unlike a cellphone plan.
And here I am wishing they would come out with an authenticator watch app, so I didn't have to do all the work of taking my phone out of my pocket and swiping a few times.
What's needed is an online 2fa service that just takes a username and copies the code to the clipboard.
/s before I get any replies.
Authentication methods in Entra ID (which is presumably what we are talking about as the identity provider) include Microsoft Authenticator and software otp.
Authenticator is push authentication, as described elsewhere here. If for some reason you're not getting push notifications, you can use an OTP code instead, but this still requires that you have push authentication configured in Microsoft Authenticator.
You can only use Software OTP in other applications if your administrator has explicitly allowed use of Software OTP as an authentication method, and also excluded you from being required to use Authenticatior - otherwise Authenticatior would always 'win' as choice of mechanisms because it is more secure.
Several states in the USA require that employees who are made to use their personal phone for business purposes be compensated. The enforcement method and process for requesting same is naturally very obscure.
Do like a friend of mine. He has a 15 dollar a month phone(mint mobile) that he uses for all his job related bullshit. Its all it does and he has no personal accounts on it at all. It kinda sucks that they insist on him using his own equipment for it but its the cheapest way to keep them out of his personal life.
Would you even need a monthly plan for this kind of thing? It just needs to be able to install the app and run it. If it needs internet you can connect to WiFi. You can get a sim free android for about £50 outright now.
You do if you want to provide that as your "work" number. Unless you're going to jump though VoIP hoops.
At what point can you tax deduct your phone as a business expense?
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
Looking for support?
Looking for a community?
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~