So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • Nighed@sffa.community
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    5 months ago

    Bad actor goes to super secret page while working on ‘fixing’ and issue for the user. They then get the 2 digit request code and ask the user to input it to ‘resolve’ the issue.

    Mostly the same as any other 2fa social engineering attack I guess, but the users phone does display what the code is for on the screen which could help… But if your falling for it probably not.

    • Carighan Maconar@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      5 months ago

      Yeah but that’s a wholly different attack, and oodles more complex to pull off. Doable, sure. But it’s absolutely not the same thing as phishing for a valid 2FA code that is generated user-side.

      And don’t get me wrong, both are overall very security. But there is a case to be made for push auth.

      • Nighed@sffa.community
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        5 months ago

        It’s not that different is it? You still need to get a user to share/enter a live code?

        • AtariDump@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          One requires the user to go to a bad page and get a spoofed 2FA code so the bad guy can log in.

          Do you know how hard that is? Not worth it for 99% of hacks.

          The other requires that the user read off their six digit code on their device.

          Trivial easy since they already have the user’s password.

          • Nighed@sffa.community
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            It requires the bad guy to go to the page and ask the user to enter the code the bad guy gets