So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

  • @[email protected]
    link
    fedilink
    English
    06 months ago

    It requires the bad guy to go to the page and ask the user to enter the code the bad guy gets

    • @AtariDump
      link
      26 months ago

      How does the bad guy get to the page?

      Then how does he get the user to enter in that code into their mobile device?

      • @[email protected]
        link
        fedilink
        English
        16 months ago

        You can probably get the URL for a companies SharePoint pretty easily, but you need a login. You are able to get a PAs credentials through a phishing link etc but need the 2fa code.

        You do the IT phishing attack (enter this code for me to fix your laptop being slow…), get them to enter the code and now you have access to a SharePoint instance full of confidential docs etc.

        I’m not saying it’s a great attack vector, but it’s not that different to a standard phishing attack.

        You could attack anything that’s using the single sign on. Attack their build infrastructure and you now have a supply chain attack against all of their customers etc.

        It helps but its not enough to counter the limits of human gullibility.