Login
You're viewing the mstdn.social public feed.

Replies

  • 💬 7🔄 2⭐ 17
  • 💬 3🔄 11⭐ 63
  • 💬 0🔄 0⭐ 8
  • Mar 10, 2026, 12:31 PM

    @fluffykittycat @merill

    You can opt out any time by showing documentation that you are in the files (tangentially mentioned because they cited your work in an email does not count sorry)

    💬 0🔄 1⭐ 2
  • Mar 10, 2026, 1:00 PM

    @fluffykittycat @merill It's kind of a grey area. They are right that open bootloaders are a security issue but then also you can relock it on some devices.
    In any case I don't think I would use the Microsoft Authentication app anyway unless I have to.

    💬 1🔄 0⭐ 2
  • Mar 10, 2026, 3:06 PM

    @thaodan @fluffykittycat @merill Why?

    The keys and such associated with the authenticator app should be in a TPM. Something the bootloader can't touch. It can't get the private key to then send it to whoever.

    The bootloader could attack in other ways and get the info you're accessing once logged in, but I don't think it can mess about or bypass the actual security mechanism.

    I think they're trying to sell bullshit here so the ignorant support them as they lock us all down.

    💬 3🔄 0⭐ 2
  • 💬 0🔄 0⭐ 0
  • Mar 10, 2026, 4:58 PM

    @crazyeddie @fluffykittycat @merill The bootloader itself isn't the concern but the kernel and what is started afterwards.
    It is a factor even if they only use it as an excuse. Most phones don't have a TPM but an ARM trustzone which can run a software TPM. The problem is that modifying or writing isn't possible low level only over the OS or vendor API's provided.

    💬 0🔄 0⭐ 1
  • 💬 1🔄 0⭐ 2
  • Mar 10, 2026, 7:29 PM

    @fluffykittycat @merill @crazyeddie Context? Nobody in the thread said that devices where users can't unlock bootloaders are a good thing.
    Users should just be able to relock it. Locking bootloaders doesn't block flashing it just ensures that only code signing with the owner of the keys in the bootloader can be used, the owner of these keys can be the user.

    💬 1🔄 0⭐ 0
  • 💬 1🔄 0⭐ 1
  • 💬 1🔄 0⭐ 0
  • Mar 10, 2026, 9:45 PM

    @fluffykittycat @crazyeddie @merill You have to separate the technical from the ideological part. As long as the user has the control for en- and disable the bootloader signature verification they are perfectly fine. There are parts of the device users shouldn't reflash thou such as the radio configuration.

    💬 1🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • Mar 10, 2026, 8:45 AM

    @merill

    Soo instead of just rooting a phone one needs now to also deploy 38473894 shady scripts and workarounds to hide it from Microsoft Authenticator?

    Congratulation on improving security (NOT).

    💬 2🔄 2⭐ 27
  • 💬 1🔄 1⭐ 7
  • Mar 10, 2026, 10:26 AM

    @xssfox @merill

    Ehm, the azure codes are a bit different than the TOTP ones. Their app also has a kinda proprietary auth code format too. I think it is mainly about them. As for all others you literally just have to store a picture of the QR-Code you used to set them up...

    Edit: But yea, it probably will end in there being a shady cracked version of the Microsoft Authenticator App that continues to work on rooted phones...

    💬 1🔄 0⭐ 1
  • 💬 1🔄 0⭐ 3
  • Mar 10, 2026, 10:34 AM

    @xssfox @merill

    Haven't actually looked at how they're doing it. But yea, you can always crack these things.

    All that they're doing by adding root detection is forcing people that can't do this themselves to download a modified version off of some shady backyard Russian forum or something...

    💬 0🔄 1⭐ 3
  • 💬 1🔄 0⭐ 1
  • Mar 10, 2026, 7:12 PM

    @fluffykittycat @merill

    And make your employer pay for it. I got my work phone when I refused to put a similarly shitty 2FA app onto my personal one.

    I just said I've a PinePhone with Postmarket OS and I'm not going to buy a new one just for that. + I asked if they'd cover damages for any data deleted because of someone hitting the "wipe phone" button in the MDM that would have come with it accidentally (or on purpose).

    The phone was cheaper for them than continuing the discussion btw :p

    💬 0🔄 0⭐ 2
  • Mar 10, 2026, 9:00 AM

    @merill I have to admit one of the reasons I use the web application for Outlook on my phone is because installing the Outlook app and adding my work account to it would in theory give work access to control (parts of) my phone - which I don't want. I didn't think the authenticator alone would give that level of access to the device though!

    Is this likely to just drive more people to switch to using Google's authenticator (or another TOTP app) instead of the Microsoft one? I do anyway, because I was already using it for other sites, and it was easier to have them all in one place. You'd lose push authentications: but I feel safer without those anyway!

    💬 2🔄 1⭐ 7
  • Mar 10, 2026, 10:09 AM

    @lnr @merill

    When I worked at Halliburton I asked if there was any way to get email on my phone, and they said they didn't even support BYOD because having someone's phone locked out because it was being wiped right when they'd just been laid off was too evil for them.

    💬 0🔄 1⭐ 6
  • Mar 11, 2026, 8:02 AM

    @lnr @merill *If* you consider using another TOTP app, I recommend 2FAS Authenticator. Other than the MS and Google authenticators, who are incredibly greedy data harvesters, 2FAS phones home nothing but anonymised diagnostics data. (It does, optionally, sync/backup on Google Drive/iCloud.) Has been working well for me for years. Open source, on Android and iOS.

    2fas.com/auth/

    Partial iPhone screenshot. Text:

App Privacy >

The developer, Google, indicated that the app's privacy practices may include handling of data as described below. For more information, see the developer's privacy policy.

Data Linked to You

The following data may be collected and linked to your identity:
 • Location
 • Contact Info
 • Contacts
 • User Content
 • Identifiers
 • Usage Data
 • Diagnostics
 • Other Data
    Partial iPhone screenshot. Text:

App Privacy >

The developer, Microsoft Corporation, indicated that the app's privacy practices may include handling of data as described below. For more information, see the developer's privacy policy.

Data Linked to You

The following data may be collected and linked to your identity:
• Location
 • Contact Info
 • User Content
 • Identifiers
 • Usage Data
 • Diagnostics
    Partial iPhone screenshot. Text:

App Privacy >

The developer, Two Factor Authentication Service Inc., indicated that the app's privacy practices may include handling of data as described below. For more information, see the developer's privacy policy.

Data Not Linked to You

The following data may be collected but it is not linked to your identity:
 • Diagnostics
    💬 1🔄 0⭐ 0
  • Mar 11, 2026, 9:15 AM

    @jyrgenn Mostly I just save them in my password manager these days, which kind of makes them a bit less "second" factor, but improves convenience.

    💬 1🔄 0⭐ 0
  • Mar 11, 2026, 9:34 AM

    @lnr I have done this in one case so far, and by $deity is it convenient! I am a bit conflicted about it, though, because of what you say. But then the usual scenario from which a second factor is supposed to protect you (or your organisation) is not a compromised password manager, but phished or sniffed credentials. (1/2)

    💬 1🔄 0⭐ 1
  • Mar 11, 2026, 9:34 AM

    We have heard of weaknesses in (some) password managers, but I think I haven't heard of a really compromised and exploited one. Has anyone? I may have missed it.

    So, in the end, I may indeed at some point move all those 2FA secrets to my password manager. Maybe when I am retired, so at least there is no (theoretical) harm for $ORK. (2/2)
    @lnr

    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 6
  • 💬 1🔄 1⭐ 0
  • 💬 0🔄 1⭐ 0
  • 💬 1🔄 1⭐ 1
  • 💬 0🔄 0⭐ 0
  • 💬 1🔄 0⭐ 5
  • 💬 0🔄 0⭐ 1
  • Mar 10, 2026, 10:25 AM

    @merill yeah sure, make sure we can't control our devices as we want to, but only as the duopoly/governments allow. Great step toward freedom and security /s

    💬 0🔄 2⭐ 5
  • Mar 10, 2026, 10:28 AM

    @merill this idiocy looks like something @GrapheneOS will want to respond to. Microsoft doesn't care if the OS has the latest patches, only that it was certified by the duopoly.

    💬 1🔄 4⭐ 5
  • 💬 0🔄 0⭐ 0
  • Mar 10, 2026, 10:39 AM

    @merill

    Well another pretty bad idea. You seem to have quite a streak with those, lately.

    Time to stock up with popcorn and wait for the fallout.

    💬 0🔄 1⭐ 3
  • 💬 0🔄 0⭐ 0
  • 💬 0🔄 1⭐ 4
  • 💬 0🔄 0⭐ 2
  • 💬 0🔄 2⭐ 6
  • Mar 10, 2026, 2:58 PM

    @merill You just told a bunch of power users they either need to either relinquish control of their personal devices or start carrying a second device. Why did you think they'd be anything other than unhappy?

    💬 0🔄 1⭐ 10
  • Mar 10, 2026, 3:54 PM

    @merill The orgs won't allow employees to use anything else, and you know it. Sadly you are not the first to require non rooted devices, but it is still another step back for freedom and privacy. Let us use our general computing pocket device as we wish. Or at least allow orgs to toggle the need for this. Though most will just enable it without question.

    💬 0🔄 0⭐ 5
  • 💬 0🔄 0⭐ 4
  • 💬 0🔄 0⭐ 4
  • Mar 10, 2026, 1:06 PM

    @merill

    Hmm, I would never in my life install any M$ crap on my /e/OS ungoogled Fairphone. It's not rooted, but I guess it's also among the undesirables...

    For authentication to our goddamn work accounts on M$, I use AEGIS. Or the standard authenticator on Linux Mint. Export/Import between the two works like a charm.

    And it could well be that we are moving away from microslob in the not so far future. Unthinkable not so long ago. Halleluja!

    💬 0🔄 1⭐ 3
  • 💬 0🔄 1⭐ 2
  • Mar 10, 2026, 1:26 PM

    @merill I'm gonna go out on a limb here and say that users that jailbreak their own private device wouldn't use MS Authenticator, and on company devices jailbreak wasn't allowed anyway.

    💬 1🔄 0⭐ 0
  • 💬 1🔄 0⭐ 1
  • 💬 1🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • Mar 10, 2026, 1:32 PM

    @merill Blanket bans of any sort implemented by large and powerful companies always produce false positives that hurt non-customer that have to interact with their systems no matter how obliquely.

    I do not use any Microsoft product or services directly but I am sure I will discover ways that this change will affect me. Likely at a moment I need to do something urgently.

    Never forget Scunthorpe!

    en.wikipedia.org/wiki/Scunthor

    💬 0🔄 2⭐ 4
  • Mar 10, 2026, 1:40 PM

    @merill people making a mountain from a molehill? On Mastodon? Never expected it…

    Yes, it’s shitty. But:

    • You can do non-Authenticator passkeys now, from other apps that you can use on non-Android devices
    • If device-bound, Authenticator native passkeys are forced on your work device, you did not had a say in the matter already.
    • If device-bound passkeys are mandated on your personal device, reject the use of work apps on your personal devices and get a security key instead!
    💬 0🔄 0⭐ 0
  • Mar 10, 2026, 1:57 PM

    @merill

    #alttext

    Jailbreak/root detection in Microsoft Authenticator.
    Between Feb to Jul 2026, Microsoft will introduce jailbreak/root detection in Microsoft Authenticator. Rollout will occur in three phases, and complete in July 2026.

    Warn mode:
    Your device is rooted.
    You'll eventually be unable to add or use your work or school accounts on this device.
    This device has been modified to bypass built-in security protections. You can no longer add or use a work or school account on this device
    Contact your organization's support team for help.

    Block mode:
    Your device is rooted.
    You can no longer add or use a work or school account on this device.
    This device has been modified to bypass built-in security protections. You can no longer add or use a work or school account on this device.
    Contact your organization's support team for help.

    Wipe mode:
    Your device is rooted.
    You can no longer add or use a work or school account on this device.
    This device has been modified to bypass built-in security protections.
    Your work or school accounts have been removed from this device to protect your organization's data. Contact your organization's support team for help.

    💬 0🔄 0⭐ 3
  • 💬 1🔄 1⭐ 3
  • 💬 0🔄 0⭐ 2
  • 💬 0🔄 0⭐ 1