Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically 👏.

agowa338@chaos.social

Soo instead of just rooting a phone one needs now to also deploy 38473894 shady scripts and workarounds to hide it from Microsoft Authenticator?

Congratulation on improving security (NOT).

lnr@sunny.garden

@merill I have to admit one of the reasons I use the web application for Outlook on my phone is because installing the Outlook app and adding my work account to it would in theory give work access to control (parts of) my phone - which I don't want. I didn't think the authenticator alone would give that level of access to the device though!

Is this likely to just drive more people to switch to using Google's authenticator (or another TOTP app) instead of the Microsoft one? I do anyway, because I was already using it for other sites, and it was easier to have them all in one place. You'd lose push authentications: but I feel safer without those anyway!

msugarhill@chaos.social

@merill thats why I neither use MS Authenticator (rather bitwarden) nor Outlook on Android (rather Ninemail)

domi@donotsta.re

@merill@infosec.exchange cringe

amy@sk.girlthi.ng

@domi@donotsta.re @merill@infosec.exchange good guy microsoft protecting us from big scary threats whilst locking token protection (the primary defence to phishing your creds out) behind expensive entra licenses. be so fuckin fr

bernardsheppard@mastodon.au

@merill magisk module to hide root incoming in 3, 2, 1...

domi@donotsta.re

@amy@sk.girlthi.ng @merill@infosec.exchange microslop will save us all!

(they can’t censor me here :^)

kuriko@wetdry.world

@domi @amy
@microsoft get them

amy@sk.girlthi.ng

@kuriko@wetdry.world @domi@donotsta.re @microsoft@lea.pet OH GOD OH FUCKK

resuna@ohai.social

@lnr @merill

When I worked at Halliburton I asked if there was any way to get email on my phone, and they said they didn't even support BYOD because having someone's phone locked out because it was being wiped right when they'd just been laid off was too evil for them.

xssfox@cloudisland.nz

@agowa338 @merill and someone attacking will still be able to grab the codes before being wiped because you just stop the app before dumping the data

zsapi@mastodon.social

@merill yeah sure, make sure we can't control our devices as we want to, but only as the duopoly/governments allow. Great step toward freedom and security /s

agowa338@chaos.social

@xssfox @merill

Ehm, the azure codes are a bit different than the TOTP ones. Their app also has a kinda proprietary auth code format too. I think it is mainly about them. As for all others you literally just have to store a picture of the QR-Code you used to set them up...

Edit: But yea, it probably will end in there being a shady cracked version of the Microsoft Authenticator App that continues to work on rooted phones...

pq1r@tech.lgbt

@merill this idiocy looks like something @GrapheneOS will want to respond to. Microsoft doesn't care if the OS has the latest patches, only that it was certified by the duopoly.

xssfox@cloudisland.nz

@agowa338 @merill sure but you can get the private data which is the core point of this protection

agowa338@chaos.social

@xssfox @merill

Haven't actually looked at how they're doing it. But yea, you can always crack these things.

All that they're doing by adding root detection is forcing people that can't do this themselves to download a modified version off of some shady backyard Russian forum or something...

czauner@social.vivaldi.net

@merill

Well another pretty bad idea. You seem to have quite a streak with those, lately.

Time to stock up with popcorn and wait for the fallout.

krazov@mstdn.social

@merill Whoa.

exilsarahl@chaos.social

@merill is this a threat or promise?

pa27@mastodon.social

@merill Who is using MS Auth anyway? Not me for sure! Another reason not to have or use an MS account...