Asklemmy

Not a good solution but a decent one. Create a work profile on your phone, using Shelter (Fdroid, open source), and put all your work apps on that. Your data and processes are isolated and you can turn off all your work apps with a single tap. It's like a secondary virtual phone.

Demand hardware tokens for authentication.

The ms authenticator works in 'reverse' in that you type the code on the screen into the phone. I assume this is preferable to corporate as you can't be social engineered into giving out a 2fa token. It also has a "no this wasn't me" button to allow you to (I assume) notify IT if you are getting requests that are not you.

I don't believe that the authenticator app gives them access to anything on your phone? (Happy to learn here) And I think android lets you make some kind of business partition if you feel the need to?

Can you claim that you don't have a smartphone? Then they'd either have to provide an alternative authentication method, or provide you with a phone.

I've been part of the Microsoft Bad crowd for well over 25 years now, but there are a few things that I will concede that MS has done well. Authenticator is one of them. I haven't looked much into the privacy aspect of it, though.

If they want you to use a specific application they need to provide you with everything that is needed for you to run said application.

≥ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.

Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.

You can use Aegis and/or Yubico Authenticator instead, that's what I do.

You're wasting your life trying to fight battles you don't even understand.

Is your company mandating Push Authentication or are you entering 6-digit codes?

If it's the former, MS Authenticator is the only option.

If it's the latter, you can use any TOTP app you like, e.g. Aegis.

Just ask whether they can provide a phone as well.

In my case they didn't disable the option to use any authenticator for 2FA.

So I just use another one.

I don't see why forcing MS Authenticator will be better than any other authenticator.

The person who forces it is for sure not a security expert.

It will be easier to hackers to hack 2FA when they know what the authenticator app is, versus hundreds of different authenticator clients.

You can just use FreeOTP

My company has the same policy

Grab the shelter app from f Droid, add the Play store in shelter, move over to the work side Play store and install the authenticator.

Pause your work apps except for when you need to use the authenticator.

Prosper???

Declare yourself a member of The Church of Emacs and claim your religious rights are being violated.

I managed to get around the MS auth app and am using aegis right now.

I don't really get the rub here, JM all for separating work devices and personal devices but the 2fa apps don't leak any info and the company can't "do" anything to your phone remotely. The apps work in air plane mode. I also want to bet more than half the users that complain about this use the companies free WiFi.

Get a flip phone and say you can't install it, however SMS 2fa is very insecure.

You have the right not to use your personal hardware for work, and the employer must provide the necessary equipment to accomplish your job.

Ask if you could get a hardware token (ie: Yubikey Security Key) instead of using Microsoft Authenticator to fulfill the security requirements. It's low cost and doesn't require a subscription unlike a cellphone plan.

Get a used /cheap phone or tablet, only turn it on or enable wifi when you need the app. Don't use it for anything else. I think that covers all the bases.

I won't allow any MS stuff on any of my devices.

If your company is enforcing geographic location as a security qualifier then MS Authenticator can poll your device. Also you can use push authentication with the MS suite.

What is your concern about installing MS Authenticator.

I mean I can understand the principle of being forced to install anything on your phone.

But just stepping into the practical for a second: What do you worry will happen by installing this app to your phone?

Lots of great conversation here, I also work somewhere where this is required. If I didn't need my phone for access to chat, I just wouldn't use it for work. Alternatively, my phone has a work profile so I use that for any work related or non-FOSS apps. My IT guy even approved of my methods and said do the minimum and never more with tech.

Thanks people, some good replies here. I could demand a work phone, but that's impractical, dragging around two phones etc. I'd like all my 2FA in Aegis and not have to think and pick the right app first, let alone pick and unlock the right phone. The Shelter option is very nice, didn't know about that. If my company won't budge I'm doing that. When push comes to shove I could even use outlook that way on my phone.

when you get the prompt at my work their is an option that says you don't have your phone on you and it leads to the old way of doing it.