Microsoft Authenticator to nuke Entra creds on rooted and jailbroken phones
theregister.comWow, they're actively removing data off the app on your phone? Good reason to never use MS authenticator for anything important. This is also assuming that they're never wrong about this, and that it is foolproof with no false positives.
It seems that there's a big difference between "not supported" and actively removing account/auth data from someones phone. This has made me reconsider my 2fa providers. I might have to look at some sort of hosted option that doesn't have this issue. I wonder what the policies are for this kind of thing with authy and okta (and other major 2fa auth platforms).
I made the mistake of using them, and now I can't export and move my data to a different authenticator. How could I trust their online backup?
I have a fully stock, not jailbroken/unrooted, up-to-date, relatively new, device that Microsoft randomly determines is "rooted" and blocks access (until rebooted). This happens a few times a month, frequently enough that the false positive rate is very concerning with this change.
Just switch to Aegis Authenticator https://f-droid.org/packages/com.beemdevelopment.aegis
Sure I'll tell my employer to get right on that.
Sarcasm aside, it depends on whether your employer has configured Entra to allow classic TOTP (in which case Microsoft will try to push its own app as the default option, but you can in fact use anything that supports TOTP if you insist), respectively has set the option to only allow Microsoft's proprietary 2FA, which only works with the Microsoft app.
GrapheneOS user. Disappointing they consider our OS rooted when its actually more secure than stock Android.
So if I'm locked out of my 365 sysadmin user by this, what then?
Hopefully disabling the hardened memory allocator, as suggested by the article, holds them off for a while..
Curious how severe their root detection will be. I have a cheap China phone with LineageOS installed, but it's not running rooted. Will be nasty if they flag all 3rd party ROMs as "insecure".
My banks app works fine, but i have had one financial app refuse to install.
"'Microsoft Authenticator is not officially supported on GrapheneOS and Entra accounts may be impacted in the future on devices running GrapheneOS that are detected as rooted,' a Microsoft spokesperson said."
Doesn't that imply it'll run on GrapheneOS unless the phone is also rooted (and by default it's not)? The spokesperson might be using the term "rooted" incorrectly though?
I poked at the app, which surprisingly enough isn't even obfuscated, and as far as I can tell, it's mainly relying on Play Integrity's verdict. I didn't investigate it in detail though, so I don't know absolutely sure if that's really all or whether they're also running some additional custom checks, and I also don't know which integrity level they're requiring.
> So if I'm locked out of my 365 sysadmin user by this, what then?
I'm sure they have TOS that indemnify them, but I'd sure like to see a similarly-sized company sue them for resulting downtime.
Wonder what Motorola thinks of this.