HACKER Q&A
📣 ParetoOptimal

Forced to install Microsoft 365 2FA auth on my device. Alternatives?


I've been using Aegis authenticator at work to do 2FA for many years.

A switch got flipped, and now apparently nothing but Microsoft Authenticator will work for 2FA on Microsoft 365.

I asked my admin what that's about, and apparently for months there have been bright red banners about "Microsoft 365 install 2FA insecure" or something like that.

My workplace doesn't provide mobile devices for employees, so it seems that as soon as my last Microsoft session runs out...

I'm faced with 2 choices:

- Not be able to sign into Microsoft Teams, which just so happens to be required to do my job

- Install Microsoft Authenticator on my personal device

Has anyone else faced this? Are there any workarounds?

Thanks!


👤 NetworkPerson Accepted Answer ✓
As a 365 admin, I’m not aware of a single policy to track or manage your device through the authenticator app. Past that though, you should have the option while setting up to click that you want to use a different app than authenticator. The vast majority of businesses won’t lock you down to the single app, so check to see if that option is there. I couldn’t care less which 2fa app any of my clients are using so long as it’s a reputable one. And your company can’t get mad at you for using a different app if they left the option available.

👤 MissTake
The MS authentication process presents a 2-digit number on the client device, and triggers the app to request the user enter the same 2 numbers, showing an approximate geographical location of the client request.

It seems totally proprietary but also pretty benign.

If you’ve already got Outlook or Teams on your device, then I don’t think you’re any worse off.

I despise it myself because each time I have to Auth anything I have to approve it. Having a separate device could start to get annoying given this.

Your call though.


👤 I_Am_Nous
I have the Microsoft Authenticator installed on my iPhone but it doesn't require device management for remote wiping like traditional Exchange/O365 email on the phone does. It's possible that can be set at the organization level but I'm not sure -- so while it would be annoying to have to install that single work app on your phone I don't believe it would cause any kind of remote administration capability.

👤 throwaway318
A separate device. Work should be separated anyway; at a minimum you have access to confidential information, from employee data to customer data to code to reports.

That your company doesn't provide this is... not on. And a problem for their compliance and legal departments.

In the meantime, get a burner Android device for $100-200 for anything work.


👤 TomStratton
1Password (and maybe others) is able to act as a 2FA provider for Microsoft. You have an option when you set up the second factor to use a different app. I'm pretty sure that Authy works too.

👤 micahdeath
After I set mine up on an old phone, I was able to enable a second, less restrictive authenticator that I run as a browser extension.

In the UI, I get an option to use a different one that is less restrictive.


👤 verdverm
Are you OK with losing your job? Using workarounds could cause this.

Two ideas that come to mind:

1. Buy a cheap prepaid phone to use primarily for this purpose

2. Use a work profile on Android


👤 justinludwig
Buy a cheap Android phone on eBay, use it on Wi-Fi for work accounts instead of your personal phone.