So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • @fouloleron
    link
    English
    56 months ago

    Authentication methods in Entra ID (which is presumably what we are talking about as the identity provider) include Microsoft Authenticator and software otp.

    Authenticator is push authentication, as described elsewhere here. If for some reason you’re not getting push notifications, you can use an OTP code instead, but this still requires that you have push authentication configured in Microsoft Authenticator.

    You can only use Software OTP in other applications if your administrator has explicitly allowed use of Software OTP as an authentication method, and also excluded you from being required to use Authenticatior - otherwise Authenticatior would always ‘win’ as choice of mechanisms because it is more secure.

    Several states in the USA require that employees who are made to use their personal phone for business purposes be compensated. The enforcement method and process for requesting same is naturally very obscure.