So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • sylver_dragon
    link
    English
    147 months ago

    You’re god damn right they are, and they have every right to be. I’m in It too and I’m absolutely sick of the condescending attitude and downright laziness of people in the field who constantly act like what the users want doesn’t matter. If they don’t want it on their personal device, they don’t need a damn reason.

    Sure, and I suspect they company will have another option for folks who either can’t or won’t put the application on their personal device. It’s probably also going to be far less convenient for the user. Demanding that the company implement the user’s preferred option is where the problem arises.

    complaining because users don’t want Microsoft trash on their phone might make marginally more work for you is exactly as whiny.

    It’s a matter of scale. In a company of any size, you are going to find someone who objects to almost anything. This user doesn’t like Microsoft. Ok, let’s implement Google. Oh wait, the user over there doesn’t like Google. This will go on and on until the IT department is supporting lots of different applications and each one will have a non-zero cost in time and effort. And each of those “small things” has a way of adding up to a big headache for IT. We live in a world of finite resources, and IT departments are usually dealing with even more limited resources. At some point they have to be able to cut their losses and say, “here are the officially supported solutions, pick one”. While this creates issues for individuals throughout the organization, it’s usually small issues, spread out over lots of people versus lots of small issues concentrated in one group.

    If you’re in IT, you’ve likely seen (and probably supported) this sort of standardization in action. I can’t count the number of places where every system is some flavor of Dell or HP. And the larger organizations usually have a couple of standard configurations around expected use case. You’re an office worker, here’s a basic laptop with 16Gb of RAM, and mid level CPU and fuck all for a GPU. Developer? Right, here’s the top end CPU, as much RAM as we can stuff in the box and maybe a discreet GPU. AI/ML work? here’s the login for AWS. Edge cases will get dealt with in a one-off fashion, there’s always going to be the random Mac running around the network, but support will always be sketchy for those. It’s all down to standardizing on a few, well known solutions to make support and troubleshooting easier. Sure, there are small shops out there willing to live with beige box deployments. Again, that does not scale.

    I see this all the time and it’s downright hysterical. Who the hell can’t handle having to have two devices on them? “Oh yeah you’ll regret asking for this! Just wait till you have to pull out that other thing in your bag occasionally! You’ll be sorry you ever spoke up!”

    Hey, if that’s your thing, great. But, there is a reason BYOD took off. And a lot of that was on users pushing for it. Having been on the implementation side, it certainly wasn’t IT or security departments pushing for this. BYOD is still a goddamn nightmare from an insider threat perspective. And it causes no end of headaches for Help Desks trying to support FSM knows what ancient piece of crap someone dredges up from the depths of history. Yes, it’s a bit of cop out to give the user a crappy solution, because they push back against the easy one. But, it’s also a matter of trying to keep things working in a standardized fashion. A standard configuration phone, with the required pre-installed, gives the user the option they want and also keeps IT from having do deal with yet more non-standard systems. It’s a win for everyone, even if it’s not the win the user wanted.

    Also, develop some pattern recognition. If you can’t see how Microsoft makes this substantially worse once other methods have been choked out, you haven’t learned a thing about them in the last 30 years.

    I do understand how bad Microsoft can be. I was an early adopter of Windows Me. And also have memories of Microsoft whining about de-coupling IE from the OS. And I don’t want MS to win out as the authentication app for everyone. That said, I still believe that the Microsoft Authenticator app on a personal device is the wrong hill to die on. There is a lot of non-Microsoft software out there and there are plenty of options out there. But, Microsoft software using the Microsoft app isn’t surprising or insidious.