So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose “any authenticator” and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it’s demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?
To break TOTP, the attacker would need to have the victim open up a phishing page. If someone enters their password at fakegoogle.com, they’ll also enter their TOTP tokens. TOTP only protects against your password leaking.
Microsoft Authenticator has a bunch of security checks, like checking if your device is in the same physical vicinity.
The current iteration of the app is moving to leveraging passkeys, something not just Microsoft can do. For businesses, there are still good reasons to use MS authenticator passkeys (control over policies like requiring passkey devices with certain security updates), but in practice I find a lot of 2FA passkey implementations sorely lacking at the moment. Scanning a QR code on your phone is annoying, even if it is phishing resistant.
If it is just the location, then it could be spoofed.
If it is something that requires physical presence, then you need both devices to communicate with each other. If it is not done via QR code (like some online banking do), then both devices need to be connected, e.g. via WiFi or Bluetooth. In this case, if an attacker controls one of the devices (that’s the class of attacks 2FA should prevent you from), the attacker probably controls both devices. So what’s the point then?