• Company forcing employees to install software on their personal mobiles

    From Tony The Welsh Twat@21:1/5 to All on Thu Oct 19 08:24:20 2023
    My company have been using two-factor authentication since Covid when most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and everything back to Redmond (apparently it's known as telemetrics, I call it spying) I'm reluctant to install anything from them particularly when the app apparently needs access to my contact list, emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone and just a basic Nokia device?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Roger Hayter@21:1/5 to tonythewelshtwat@gmail.com on Thu Oct 19 16:37:19 2023
    On 19 Oct 2023 at 16:24:20 BST, "Tony The Welsh Twat" <tonythewelshtwat@gmail.com> wrote:

    My company have been using two-factor authentication since Covid when most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and everything back to Redmond (apparently it's known as telemetrics, I call it spying) I'm reluctant to install anything from them particularly when the app apparently needs access to my contact list, emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone and just a basic Nokia device?

    The only realistic solution is to buy a second phone for work. No-one ever got the sack, or indeed any other legal penalty, for using Microsoft. You could ask the firm to pay for it, but they are not bound to do so. And that applies even if you don't own a suitable phone.

    --
    Roger Hayter

  • From Fredxx@21:1/5 to Tony The Welsh Twat on Thu Oct 19 18:07:29 2023
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    I and some colleagues objected to the same. My objection was that my
    phone was genuinely very slow and I was fearful of adding another app.

    I didn't think anything I was doing would attract the attention of
    Redmond or indeed anyone even if they did have access to my data. YMMV

    This could be an opportunity for the company to provide everyone with a
    company phone. It's a non-taxable perk too.

  • From Fredxx@21:1/5 to Tony The Welsh Twat on Thu Oct 19 18:09:25 2023
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    I'm pretty sure MS provides other means of authenticating credentials,
    one is via a SMS text.

  • From Jethro_uk@21:1/5 to Tony The Welsh Twat on Thu Oct 19 18:13:29 2023
    On Thu, 19 Oct 2023 08:24:20 -0700, Tony The Welsh Twat wrote:

    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being changed
    and we are all expected to download and install something called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I call
    it spying) I'm reluctant to install anything from them particularly when
    the app apparently needs access to my contact list, emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    2FA is about 5 years out of date. It's MFA and conditional access now.

    It's possible to generate offline codes for use in the absence of a
    device. Whether your employers are able to do this, or allow it is
    another matter.

    It doesn't have to be a smartphone either. You can get dedicated devices
    for generating codes. Yubico being one example.

    As to the legalities - since your company can give zero assurances as to
    the behaviour of Microsoft (and the need for a gMail account to access
    the play store or an AppleID to access the iTunes store), I would
    concentrate on that.

  • From Jon Ribbens@21:1/5 to Fredxx on Thu Oct 19 19:03:34 2023
    On 2023-10-19, Fredxx <fredxx@spam.invalid> wrote:
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    I'm pretty sure MS provides other means of authenticating credentials,
    one is via a SMS text.

    That quite likely depends on the settings the IT Administrator
    at Tony's employer has configured.

  • From Roger Hayter@21:1/5 to Fredxx on Thu Oct 19 21:52:29 2023
    On 19 Oct 2023 at 18:07:29 BST, "Fredxx" <fredxx@spam.invalid> wrote:

    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    I and some colleagues objected to the same. My objection was that my
    phone was genuinely very slow and I was fearful of adding another app.

    I didn't think anything I was doing would attract the attention of
    Redmond or indeed anyone even if they did have access to my data. YMMV

    I think it is the firm's data that is at risk. American security agencies and American firms routinely do as much industrial espionage as they can and pass it on to American business. I don't think this fact is contentious.

    This could be an opportunity for the company to provide everyone with a company phone. It's a non-taxable perk too.

    --
    Roger Hayter

  • From Fredxx@21:1/5 to Jon Ribbens on Thu Oct 19 22:50:39 2023
    On 19/10/2023 20:03, Jon Ribbens wrote:
    On 2023-10-19, Fredxx <fredxx@spam.invalid> wrote:
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    I'm pretty sure MS provides other means of authenticating credentials,
    one is via a SMS text.

    That quite likely depends on the settings the IT Administrator
    at Tony's employer has configured.


    Ok, assuming Microsoft are the lead here and the IT department are
    following it, Microsoft do allow for other forms of authentication.
    Either way a personal phone is private property and an employer has no
    rights over it; where Microsoft are sensible enough to take that into
    account and provide other methods.

    Therefore if the company narrows down its configuration to just the app
    then it's playing silly buggers with its staff. Some employees may not
    even have a mobile phone, and less likely to have a smart one.

  • From Simon Parker@21:1/5 to Fredxx on Fri Oct 20 09:46:06 2023
    On 19/10/2023 22:50, Fredxx wrote:
    On 19/10/2023 20:03, Jon Ribbens wrote:

    That quite likely depends on the settings the IT Administrator
    at Tony's employer has configured.


    Ok, assuming Microsoft are the lead here and the IT department are
    following it, Microsoft do allow for other forms of authentication.
    Either way a personal phone is private property and an employer has no
    rights over it; where Microsoft are sensible enough to take that into
    account and provide other methods.

    Therefore if the company narrows down its configuration to just the app
    then it's playing silly buggers with its staff. Some employees may not
    even have a mobile phone, and less likely to have a smart one.

    Authenticator is a specific app for use in precise circumstances.

    I use the Google version, rather than the Microsoft version, but the
    principle is the same and I use it, for example, to employ MFA with my
    HMRC account.

    When I launch the Authenticator app, each account with which it is
    configured to work, (I've already mentioned HMRC, but, perversely, I
    also use *Google* Authenticator to login to my *Microsoft* account
    amongst others), displays a six digit code and a circle which disappears
    over the course of 30 seconds whereupon it generates a new six digit
    code. (The circles allow one to determine if one has enough time to
    enter the code before it expires.)

    If you Google "Microsoft Authenticator" or indeed "Google Authenticator"
    a world of knowledge will be opened to you.

    Regards

    S.P.

  • From Martin Brown@21:1/5 to Fredxx on Fri Oct 20 09:23:46 2023
    On 19/10/2023 22:50, Fredxx wrote:
    On 19/10/2023 20:03, Jon Ribbens wrote:
    On 2023-10-19, Fredxx <fredxx@spam.invalid> wrote:
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?

    I'm pretty sure MS provides other means of authenticating credentials,
    one is via a SMS text.

    That quite likely depends on the settings the IT Administrator
    at Tony's employer has configured.

    Ok, assuming Microsoft are the lead here and the IT department are
    following it, Microsoft do allow for other forms of authentication.
    Either way a personal phone is private property and an employer has no
    rights over it; where Microsoft are sensible enough to take that into
    account and provide other methods.

    Therefore if the company narrows down its configuration to just the app
    then it's playing silly buggers with its staff. Some employees may not
    even have a mobile phone, and less likely to have a smart one.

    I think the probability of someone these days under retirement age not
    having a smart phone is vanishingly small. Even my techno-Luddite cousin
    has one (admittedly an iPhone 5 but still a smart phone)!

    I held out for as long as I could (2015) on a dumb phone that would run
    for a couple of weeks on one charge because I CBA to charge it every
    night. I have only ever bought phones that would last at least a week.

    If the company want to insist on specific software to be installed on a
    personal device to be used for business then they should be providing a
    company mobile phone or security dongle to their employees.

    Or live with the fact that some people who are not prepared to install
    that software on *their* personal property will not be able to access
    their VPN. I doubt it would be a sacking offence not to install it.

    But it might not improve your prospects of promotion.

    It has all become a bit messy with the vulnerabilities that BYOD has
    introduced in the post-Covid era. My own take is that company mandated
    software should not be required on your personal possessions. YMMV

    Unless it is being done because you want it - some big organisations
    have provided their employees with an MS Office license at home for instance.

    --
    Martin Brown

  • From Simon Parker@21:1/5 to Tony The Welsh Twat on Fri Oct 20 09:51:05 2023
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and everything back to Redmond (apparently it's known as telemetrics, I call it spying) I'm reluctant to install anything from them particularly when the app apparently needs access to my contact list, emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone and just a basic Nokia device?


    I recommend informing your employer that you do not wish to install the
    App on your phone (without giving a reason), but state that you are
    happy to comply with their increased security protocols suggesting that
    instead of asking that you install an App on your phone, that they
    provide you with an OATH hardware token which will perform precisely the
    same function.

    They are obliged to provide you with the first token without charge but,
    providing it is permitted in your contract of employment, (and the
    likelihood is that it will be), they can charge for a replacement if you
    lose or damage it. They have a battery which will run out in a few
    years. Your employer will need to replace it without charge when this
    happens.

    Regards

    S.P.

  • From Jethro_uk@21:1/5 to Martin Brown on Fri Oct 20 12:41:46 2023
    On Fri, 20 Oct 2023 09:23:46 +0100, Martin Brown wrote:

    It has all become a bit messy with the vulnerabilities that BYOD has introduced in the post-Covid era. My own take is that company mandated software should not be required on your personal possessions. YMMV

    And if it is, it has to take it as it finds it.

    My last place did have BYOD via a (Citrix) app that refused to install on
    my rooted device.

  • From Jethro_uk@21:1/5 to Simon Parker on Fri Oct 20 12:45:14 2023
    On Fri, 20 Oct 2023 09:46:06 +0100, Simon Parker wrote:

    On 19/10/2023 22:50, Fredxx wrote:
    On 19/10/2023 20:03, Jon Ribbens wrote:

    That quite likely depends on the settings the IT Administrator at
    Tony's employer has configured.


    Ok, assuming Microsoft are the lead here and the IT department are
    following it, Microsoft do allow for other forms of authentication.
    Either way a personal phone is private property and an employer has no
    rights over it; where Microsoft are sensible enough to take that into
    account and provide other methods.

    Therefore if the company narrows down its configuration to just the
    app then it's playing silly buggers with its staff. Some employees may
    not even have a mobile phone, and less likely to have a smart one.

    Authenticator is a specific app for use in precise circumstances.

    I use the Google version, rather than the Microsoft version, but the
    principle is the same and I use it, for example, to employ MFA with my
    HMRC account.

    When I launch the Authenticator app, each account with which it is
    configured to work, (I've already mentioned HMRC, but, perversely, I
    also use *Google* Authenticator to login to my *Microsoft* account
    amongst others), displays a six digit code and a circle which disappears
    over the course of 30 seconds whereupon it generates a new six digit
    code. (The circles allow one to determine if one has enough time to
    enter the code before it expires.)

    If you Google "Microsoft Authenticator" or indeed "Google Authenticator"
    a world of knowledge will be opened to you.

    Regards

    S.P.

    The algorithms behind them are well known. So most authenticators will
    work with each other.

    Also some password managers are able to store the key the app would use
    and generate the 2FA codes for you. BitWarden for example.

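
    The six-digit, 30-second code Simon Parker describes above, and the "well known algorithms" Jethro_uk refers to, are RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code posted by anyone in this thread and not Microsoft's or Google's implementation: a standard-library Python version of both, plus the server-side check with a replay guard, the base32 handling an enrolment QR code uses, and the otpauth:// URI format that lets any compatible app (Microsoft Authenticator, Google Authenticator, Authy, Bitwarden, an OATH hardware token) enrol from the same QR. The secret is the RFC test-vector secret, and the issuer and account name are made up.

```python
# Added example (not from the thread): RFC 4226 HOTP / RFC 6238 TOTP, the
# algorithm behind Microsoft Authenticator, Google Authenticator, Authy,
# Bitwarden and OATH tokens. Standard library only. The secret used in
# __main__ is the RFC test-vector secret, not a real enrolment secret.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is the
    6-digit, 30-second code the apps in the thread display."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Accepts the current step plus `window` steps either
    side (clock skew, or a code typed just as the circle ran out). Returns the
    matched counter so the caller can persist it and refuse replays: any
    counter <= last_counter is rejected even if the HMAC matches."""
    if at is None:
        at = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return None
    base = int(at) // step
    for k in range(-window, window + 1):
        counter = base + k
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Enrolment secrets travel in the QR code / otpauth URI as unpadded
    base32, often shown with spaces for manual entry; restore padding first."""
    cleaned = encoded.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, step: int = 30) -> str:
    """The 'Key URI' format encoded in the enrolment QR code. Any app that
    understands it can enrol from the same QR, which is why the thread's
    posters can swap apps."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 4226/6238 test secret
    print(totp(rfc_secret, at=59))        # 287082 (RFC 6238 vector, SHA-1, 6 digits)
    print(otpauth_uri("ExampleCorp", "tony@example.invalid", rfc_secret))
```

    Two points worth noting for the "any app will do" argument in this thread: interoperability holds only for the TOTP mode, not for the push/"Approve" mode Jon Ribbens mentions, which is proprietary; and the replay guard in verify_totp is the server's job, so a client app that is "less secure" cannot weaken it.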
  • From Jon Ribbens@21:1/5 to Simon Parker on Fri Oct 20 12:50:05 2023
    On 2023-10-20, Simon Parker <simonparkerulm@gmail.com> wrote:
    On 19/10/2023 22:50, Fredxx wrote:
    On 19/10/2023 20:03, Jon Ribbens wrote:
    That quite likely depends on the settings the IT Administrator
    at Tony's employer has configured.

    Ok, assuming Microsoft are the lead here and the IT department are
    following it, Microsoft do allow for other forms of authentication.
    Either way a personal phone is private property and an employer has no
    rights over it; where Microsoft are sensible enough to take that into
    account and provide other methods.

    Therefore if the company narrows down its configuration to just the app
    then it's playing silly buggers with its staff. Some employees may not
    even have a mobile phone, and less likely to have a smart one.

    Authenticator is a specific app for use in precise circumstances.

    I use the Google version, rather than the Microsoft version, but the
    principle is the same and I use it, for example, to employ MFA with my
    HMRC account.

    When I launch the Authenticator app, each account with which it is
    configured to work, (I've already mentioned HMRC, but, perversely, I
    also use *Google* Authenticator to login to my *Microsoft* account
    amongst others), displays a six digit code and a circle which disappears
    over the course of 30 seconds whereupon it generates a new six digit
    code. (The circles allow one to determine if one has enough time to
    enter the code before it expires.)

    That isn't the only way the Microsoft (or Google) authenticator apps
    work, though. As well as the Time-based One Time Password mode you're
    describing, they have proprietary "just press 'Approve' to confirm
    the login" modes. Which modes are available is most likely up to the
    IT administrator at the employer.

  • From Jethro_uk@21:1/5 to Jon Ribbens on Fri Oct 20 13:46:06 2023
    On Fri, 20 Oct 2023 12:50:05 +0000, Jon Ribbens wrote:

    On 2023-10-20, Simon Parker <simonparkerulm@gmail.com> wrote:
    On 19/10/2023 22:50, Fredxx wrote:
    On 19/10/2023 20:03, Jon Ribbens wrote:
    That quite likely depends on the settings the IT Administrator at
    Tony's employer has configured.

    Ok, assuming Microsoft are the lead here and the IT department are
    following it, Microsoft do allow for other forms of authentication.
    Either way a personal phone is private property and an employer has no
    rights over it; where Microsoft are sensible enough to take that into
    account and provide other methods.

    Therefore if the company narrows down its configuration to just the
    app then it's playing silly buggers with its staff. Some employees may
    not even have a mobile phone, and less likely to have a smart one.

    Authenticator is a specific app for use in precise circumstances.

    I use the Google version, rather than the Microsoft version, but the
    principle is the same and I use it, for example, to employ MFA with my
    HMRC account.

    When I launch the Authenticator app, each account with which it is
    configured to work, (I've already mentioned HMRC, but, perversely, I
    also use *Google* Authenticator to login to my *Microsoft* account
    amongst others), displays a six digit code and a circle which
    disappears over the course of 30 seconds whereupon it generates a new
    six digit code. (The circles allow one to determine if one has enough
    time to enter the code before it expires.)

    That isn't the only way the Microsoft (or Google) authenticator apps
    work, though. As well as the Time-based One Time Password mode you're
    describing, they have proprietary "just press 'Approve' to confirm the
    login" modes. Which modes are available is most likely up to the IT
    administrator at the employer.

    There are probably degree courses in account security by now.

    MS have long since moved to "conditional access" - of which MULTI (not
    just 2) Factor Authentication is one strand.

    When I was an Azure admin (and if your organisation uses MSO365 it will
    have an Azure backend) then you will have a constellation of tools
    available to protect your estate. If you start with IP-based filters, you
    can almost eliminate the need for any challenges. Plus segregating the
    permissions needed for certain tasks so that day-to-day ones don't need a
    challenge. You can also overlay time based filters so any out of office
    access is challenged.

    Even as admin there are layers of access. As you approach the top then
    notifications start being sent when you access a very sensitive part of
    the system.

    However, as we know. No matter how secure by design the system is, there
    will be a story sometime soon about some outfit that struggled with the
    concept and left everything open.

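
    To make the layering Jethro_uk describes concrete (trusted-network filter, time-of-day filter, separating day-to-day from privileged actions, and notification on sensitive access), here is an added example of a minimal policy evaluator. It is not code from this thread and it is not Microsoft's conditional-access engine, which has far more signals; it just shows how those few conditions combine into an allow / challenge / notify decision. The trusted network ranges are RFC 5737 documentation addresses, the office hours, the action names and the sign-in events are all constructed for the example.

```python
# Added example (not from the thread, and not Microsoft's conditional-access
# engine): a minimal evaluator combining the layers described in the post
# above. Networks, hours, action classes and sign-in events are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

# Assumed trusted egress ranges (RFC 5737 documentation addresses, not real offices).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
OFFICE_HOURS_UTC = range(8, 18)   # challenge anything outside 08:00-17:59 UTC
# Assumed action classes: day-to-day work needs no challenge from a trusted
# network in office hours; privileged actions always need MFA and always notify.
PRIVILEGED_ACTIONS = {"directory.role.assign", "mfa.policy.change", "mailbox.export"}


@dataclass
class SignIn:
    user: str
    source_ip: str
    action: str
    at: datetime            # timezone-aware
    mfa_satisfied: bool = False


def signin(user: str, ip: str, action: str, when_iso: str,
           mfa_satisfied: bool = False) -> SignIn:
    """Convenience constructor; when_iso is an ISO-8601 timestamp with offset."""
    return SignIn(user, ip, action, datetime.fromisoformat(when_iso), mfa_satisfied)


def evaluate(event: SignIn) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'require_mfa' or
    'allow_notify'. Each failed condition adds a reason, which is what an
    analyst wants in the sign-in log when a challenge fires."""
    reasons: List[str] = []
    ip = ipaddress.ip_address(event.source_ip)
    trusted = any(ip in net for net in TRUSTED_NETWORKS)
    in_hours = event.at.astimezone(timezone.utc).hour in OFFICE_HOURS_UTC
    privileged = event.action in PRIVILEGED_ACTIONS

    if not trusted:
        reasons.append(f"{ip} is outside trusted networks")
    if not in_hours:
        reasons.append("outside office hours (UTC)")
    if privileged:
        reasons.append(f"privileged action {event.action}")

    needs_challenge = privileged or not trusted or not in_hours
    if needs_challenge and not event.mfa_satisfied:
        return "require_mfa", reasons
    if privileged:
        # MFA done, but sensitive access is still surfaced to the admins.
        return "allow_notify", reasons
    return "allow", reasons


def triage(events: Iterable[SignIn]) -> List[Tuple[str, str]]:
    """Decisions for a batch of sign-ins, e.g. to replay yesterday's log
    against a proposed policy before switching it on."""
    return [(e.user, evaluate(e)[0]) for e in events]


if __name__ == "__main__":
    sample = [  # constructed sign-ins
        signin("alice", "203.0.113.17", "mail.read", "2023-11-01T09:15:00+00:00"),
        signin("alice", "203.0.113.17", "mail.read", "2023-11-01T22:15:00+00:00"),
        signin("bob", "198.18.0.5", "directory.role.assign", "2023-11-01T09:15:00+00:00", True),
    ]
    for user, decision in triage(sample):
        print(user, decision)
```

    The design point is the one in the post: the VPN login in the original question only needs a challenge when a condition fails, so an office-network sign-in during the day passes silently, while the same account from an unknown address at night, or doing an admin task, gets the authenticator prompt regardless of which app generates the code.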
  • From Theo@21:1/5 to Jon Ribbens on Fri Oct 20 17:54:26 2023
    Jon Ribbens <jon+usenet@unequivocal.eu> wrote:
    That isn't the only way the Microsoft (or Google) authenticator apps
    work, though. As well as the Time-based One Time Password mode you're describing, they have proprietary "just press 'Approve' to confirm
    the login" modes. Which modes are available is most likely up to the
    IT administrator at the employer.

    My employer uses Microsoft logins and the instructions were to install the Microsoft authenticator app. I installed a third party open source TOTP app called 'authenticator':

    https://www.ghacks.net/2019/09/09/authenticator-open-source-2-step-verification-app-for-ios/
    https://apps.apple.com/us/app/authenticator/id766157276

    It works fine with Microsoft and other services for me. There is no harm in trying a third party app you are comfortable with instead of the official solution.

    Theo

  • From Scion@21:1/5 to Simon Parker on Fri Oct 20 20:02:29 2023
    On Fri, 20 Oct 2023 09:51:05 +0100, Simon Parker wrote:

    <snip>

    I recommend informing your employer that you do not wish to install the
    App on your phone (without giving a reason), but state that you are
    happy to comply with their increased security protocols suggesting that
    instead of asking that you install an App on your phone, that they
    provide you with an OATH hardware token which will perform precisely the
    same function.

    They are obliged to provide you with the first token without charge but,
    providing it is permitted in your contract of employment, (and the
    likelihood is that it will be), they can charge for a replacement if you
    lose or damage it. They have a battery which will run out in a few
    years. Your employer will need to replace it without charge when this
    happens.

    Regards

    S.P.

    You can get desktop apps that provide the same function. Authy for
    example. I assume that working from home is via a PC, not solely on the
    mobile phone.

  • From Mark Goodge@21:1/5 to tonythewelshtwat@gmail.com on Fri Oct 20 23:18:11 2023
    On Thu, 19 Oct 2023 08:24:20 -0700 (PDT), Tony The Welsh Twat <tonythewelshtwat@gmail.com> wrote:

    IT have announced that as of 1st November, this process is
    being changed and we are all expected to download and install
    something called the Microsoft Authenticator App.

    It doesn't have to be Microsoft Authenticator App. Despite what you have
    been told, any authentication app will work equally well. They are all
    considerably more secure than SMS 2FA. Personally, I use Google
    Authenticator, although if you want something unconnected to any of the
    big names then Authy has very good reviews.

    Can I challenge this proposal?

    It would be foolish to do so, given that it would be a deliberate choice to remain on a less secure system. An authentication app is also more reliable, and easier to use, than SMS 2FA.

    What if I didn't have a "smart"
    phone and just a basic Nokia device?

    But you don't. You do have a smartphone. So raising hypothetical goat herder objections isn't going to help you.

    Mark

  • From Jethro_uk@21:1/5 to Mark Goodge on Sat Oct 21 07:48:47 2023
    On Fri, 20 Oct 2023 23:18:11 +0100, Mark Goodge wrote:

    On Thu, 19 Oct 2023 08:24:20 -0700 (PDT), Tony The Welsh Twat <tonythewelshtwat@gmail.com> wrote:

    IT have announced that as of 1st November, this process is being changed
    and we are all expected to download and install something called the
    Microsoft Authenticator App.

    It doesn't have to be Microsoft Authenticator App. Despite what you have
    been told, any authentication app will work equally well. They are all
    considerably more secure than SMS 2FA. Personally, I use Google
    Authenticator, although if you want something unconnected to any of the
    big names then Authy has very good reviews.

    The latest incarnation of Google Authenticator keeps a copy of your 2FA
    seeds in your Google account. Which means switching to a new device is
    trivial.

    (They introduced this a few days after I had to wipe and restore my phone
    and reset all the 2FAs I had lost from my Authenticator).

  • From The Todal@21:1/5 to Tony The Welsh Twat on Sat Oct 21 13:33:47 2023
    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and everything back to Redmond (apparently it's known as telemetrics, I call it spying) I'm reluctant to install anything from them particularly when the app apparently needs access to my contact list, emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone and just a basic Nokia device?
    Others have given you some useful information and advice.

    All I can say is that I had an email account while volunteering for a charity, and the computer support people insisted that we used the Microsoft Authenticator, out of an abundance of caution, even though there was nothing very confidential to discuss.

    I found it to be a nuisance, because in a similar way to the "reCAPTCHA" method, it delays what you are doing and forces you to go through a procedure that it is easy to get wrong. Especially if your Authenticator app isn't conveniently to hand and you're trying to log into your mailbox on a laptop. And occasionally the Authenticator has uncoupled from my email address and asked me to scan a QR code (with what, given that the QR code is displayed on my phone?) or reinstall the Authenticator.

    But if a computer support technician advises that it has to be used, nobody dares to challenge that opinion.

  • From Jethro_uk@21:1/5 to The Todal on Sat Oct 21 12:55:02 2023
    On Sat, 21 Oct 2023 13:33:47 +0100, The Todal wrote:

    On 19/10/2023 16:24, Tony The Welsh Twat wrote:
    My company have been using two-factor authentication since Covid when
    most of us have worked from home.

    You log into the corporate VPN and you are sent a code to your mobile
    which you then enter and begin your working day.

    I don't have an issue with this approach; the company have my mobile
    number and so getting a text every morning is no big deal.

    IT have announced that as of 1st November, this process is being
    changed and we are all expected to download and install something
    called the Microsoft Authenticator App.

    Now, given that Microsoft are heavily into sending anything and
    everything back to Redmond (apparently it's known as telemetrics, I
    call it spying) I'm reluctant to install anything from them
    particularly when the app apparently needs access to my contact list,
    emails and photos.

    Can I challenge this proposal? What if I didn't have a "smart" phone
    and just a basic Nokia device?
    Others have given you some useful information and advice.

    All I can say is that I had an email account while volunteering for a charity, and the computer support people insisted that we used the Microsoft Authenticator, out of an abundance of caution, even though there was nothing very confidential to discuss.

    A lot of serious hacks begin with a lowly compromised email address.

    I found it to be a nuisance, because in a similar way to the "reCAPTCHA" method, it delays what you are doing and forces you to go through a procedure that it is easy to get wrong. Especially if your Authenticator app isn't conveniently to hand and you're trying to log into your mailbox on a laptop. And occasionally the Authenticator has uncoupled from my email address and asked me to scan a QR code (with what, given that the QR code is displayed on my phone?) or reinstall the Authenticator.

    Hence the drive towards a more nuanced approach of conditional access.

    But if a computer support technician advises that it has to be used, nobody dares to challenge that opinion.

    The dread word is more "compliance".

  • From Mark Goodge@21:1/5 to jethro_uk@hotmailbin.com on Sat Oct 21 14:37:36 2023
    On Sat, 21 Oct 2023 07:48:47 -0000 (UTC), Jethro_uk <jethro_uk@hotmailbin.com> wrote:

    On Fri, 20 Oct 2023 23:18:11 +0100, Mark Goodge wrote:

    On Thu, 19 Oct 2023 08:24:20 -0700 (PDT), Tony The Welsh Twat <tonythewelshtwat@gmail.com> wrote:

    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

    It doesn't have to be Microsoft Authenticator App. Despite what you have been told, any authentication app will work equally well. They are all considerably more secure than SMS 2FA. Personally, I use Google Authenticator, although if you want something unconnected to any of the big names then Authy has very good reviews.

    The latest incarnation of Google Authenticator keeps a copy of your 2FA seeds in your Google account. Which means switching to a new device is trivial.

    Yes, although that does also, at least in theory, make it less secure as if Google's storage was ever successfully hacked, then your credentials would potentially be exposed. Some people are not happy with that, and therefore choose to use other apps.

    Mark

  • From Andy Burns@21:1/5 to Tony The Welsh Twat on Sat Oct 21 14:38:09 2023
    Tony The Welsh Twat wrote:

    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

    Ignoring the legal aspect and speaking of the technical aspect ...

    In my experience, websites which claim to require a specific TOTP app (most frequently Google's or Microsoft's), will work with other generic TOTP authenticators, e.g. EnPass is a password safe that installs onto a PC and includes TOTP functionality, there are many others ...

  • From Tony The Welsh Twat@21:1/5 to Andy Burns on Sat Oct 28 06:34:11 2023
    On Saturday, 21 October 2023 at 15:46:06 UTC+1, Andy Burns wrote:
    Tony The Welsh Twat wrote:
    IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.
    Ignoring the legal aspect and speaking of the technical aspect ...

    In my experience, websites which claim to require a specific TOTP app (most frequently Google's or Microsoft's), will work with other generic TOTP authenticators, e.g. EnPass is a password safe that installs onto a PC and includes TOTP functionality, there are many others ...

    Ok just an update - I was present at the IT CAB meeting on Thursday where this proposal was going through final sign-off before release on 1st November and I made my objections known.

    So now it's on pause while IT liaise with the Senior Exec Committee - apparently I am not the only one who has raised concerns (one other individual was offered a company mobile phone and he/she declined as they believed it was P11D-able (although I'm not sure if that is the case)).

    So at least my company aren't press-ganging us into this.
