[AMENDMENT] 2FA Authentication

Open cjramseyer opened this issue 1 year ago • 11 comments

2-factor-authentication

Amendments

The curated list of authenticators should also include the Microsoft Authenticator. It is required for use with Microsoft accounts and Azure (Entra) AD anyway, can be secured, and serves very well for TOTP for other accounts. It also provides backup in case of a lost or stolen primary device.

It would be fair to argue that including MS Authenticator, Google Authenticator should also be on the list. It can serve the same purpose (though only a requirement for Google accounts). It suffers several limitations. No security, if your device is unlocked, the TOTP codes within are plainly visible. It doesn't actually get backed up, and there are no options for this. If device is lost or stolen, it may not be possible to recover it. This is very dangerous, given that 2FA/MFA should be enabled anywhere it is offered, even if that is only SMS (better than nothing).

Association Disclosure

I use MS Authenticator to have everything except google in a single secure app

Would you like to submit a PR?

Maybe?

Please tick the boxes

  • [X] You have filled out this form accurately, and to the best of your knowledge
  • [X] You have indicated whether or not you are associated with the project the amendment refers to
  • [X] A similar submission has not already been opened for this software / service
  • [X] You agree to the code of conduct

cjramseyer avatar Oct 11 '23 12:10 cjramseyer

If you're enjoying Awesome-Privacy, consider dropping us a ⭐
🤖 I'm a bot, and this message was automated

liss-bot avatar Oct 11 '23 12:10 liss-bot

Is this going to be reviewed, acted upon, responded to?

cjramseyer avatar Nov 06 '23 18:11 cjramseyer

I would probably argue against adding Microsoft + Google Authenticator, for the primary reason that neither are privacy-respecting.

(I think this comes back to the age-old privacy vs security debate. Sure, securing your Microsoft account with Microsoft Authenticator is secure, but it is not private.)

> It is required for use with Microsoft accounts and Azure (Entra) AD anyway, can be secured, and serves very well for TOTP for other accounts

You can also use any U2F application to secure your Microsoft account, same with Google. They try to push you to use theirs, but if you click that tiny "use a different app" button, then you can use whatever authenticator you like.

> everything except google in a single secure app

Same goes for Google. You can use any authenticator app with your Google account, even if you click the Google auth button, it will show you a standard U2F QR code.

Lissy93 avatar Feb 26 '24 00:02 Lissy93

Google Authenticator is definitely not secure. However, the same cannot be said about Microsoft Authenticator. The authenticator can be secured to require pin, fingerprint to open.

cjramseyer avatar Feb 26 '24 01:02 cjramseyer

But Microsoft Authenticator is not private. This repo lists privacy-respecting software and services.

Lissy93 avatar Feb 26 '24 13:02 Lissy93

Please provide some background why you think that MS Authenticator isn't privacy respecting.

cjramseyer avatar Feb 27 '24 13:02 cjramseyer

If you are suggesting MS Authenticator isn't "private" because it connects to the internet, then that suggests only using TOTP, which wouldn't require an internet connection. But MS Authenticator is so much more than that.

cjramseyer avatar Feb 27 '24 15:02 cjramseyer

I'm not sure if you're trolling me, or if it's a genuine question. But I'll treat this as a serious question, and try and outline the top privacy concerns with Microsoft Authenticator. I hope this helps, and do let me know if you'd like clarification on any of these points.

1. Permissions

The app requests a total of 34 permissions, the vast majority of which are overly invasive and should not be required given the functionality of the application.

Source: Exodus Scan (https://reports.exodus-privacy.eu.org/en/reports/com.azure.authenticator/latest/)

Some examples of such permissions include:

  • ACCESS_BACKGROUND_LOCATION - Access location in the background / while the app is not open
  • ACCESS_FINE_LOCATION - Access precise location
  • READ_EXTERNAL_STORAGE - Read the contents of your external storage
  • ACCESS_NETWORK_STATE - View device's network connections
  • KILL_BACKGROUND_PROCESSES - Close other applications, not associated with MS Authenticator
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Keep Microsoft Authenticator running, even when user has battery optimization enabled
  • SYSTEM_ALERT_WINDOW - Allow Microsoft Authenticator to appear on top of any other application
  • WAKE_LOCK - Prevent device from sleeping

2. Trackers

For something as important as your authenticator app, you would expect there to be minimal trackers. But that's not the case with Microsoft Authenticator. It contains 5 such data collection trackers, each of which has its own worrying privacy policy.

This includes:

  • Google Analytics
  • Google Firebase Analytics
  • Microsoft Visual Studio App Center Analytics
  • Microsoft Visual Studio App Center Crashes
  • OpenTelemetry (incl OpenCensus and OpenTracing)

3. Privacy Policy

A skim through their privacy pages reveals some worrying statements.

Source: Microsoft's privacy policy (https://privacy.microsoft.com/en-gb/privacystatement)

  • This service may collect, use, and share location data
  • Third-party cookies are used for advertising
  • Many different types of personal data are collected
  • The service can delete your account without prior notice and without a reason
  • You waive your right to a class action.
  • This service forces users into binding arbitration in the case of disputes
  • Voice data is collected and shared with third-parties
  • You are being tracked via social media cookies/pixels
  • You are tracked via web beacons, tracking pixels, browser fingerprinting and device fingerprinting
  • No promise to inform of government requests
  • Many third parties are involved in operating the service
  • This service gathers information about you through third parties
  • Microsoft may remotely disable software you are not licensed to use
  • This service may use your personal information for marketing purposes
  • Your profile is combined across various products
  • This service receives your precise location through GPS coordinates
  • This service gives your personal data to third parties involved in its operation
  • Your personal data is used for advertising
  • Your data may be processed and stored anywhere in the world
  • Third-party cookies are used for statistics

Anti-Features

Microsoft Authenticator comes with several "anti-features" which are detrimental to the privacy of the users. These include, but are not limited to:

  • Device registration - If completed, this will allow the user's employer / work org to track sensitive user info, including location, device pickups/unlocks, files and other installed applications
  • Backups are only protected with the user's account, and are not encrypted with an additional passphrase. This means that Microsoft can access your OTP seeds, and if your account is ever compromised then so can an attacker
  • No seed export - You're effectively locked into Microsoft Authenticator, as they do not allow you to export your raw seed tokens.
  • There is physically no way to delete your data. Once you give it to Microsoft, there's no going back
  • Reliance on Microsoft account, as well as the need for Google Play Services for Android, and iCloud for iOS. Meaning there is no way that you can use Microsoft Authenticator on a private device (like a custom ROM) - it must be either Google Android or Apple iOS, nothing else.
  • Not available on F-Droid, meaning for Android users you're forced to use Google Play
  • The application is not open source

External Data Requests

Upon installing on a fresh emulator, within the first 60 seconds, Microsoft Authenticator made 306 HTTP requests to 18 different domains. Many of these included payloads containing much more data than should be reasonably necessary, including sensitive user and device info. It seems the app has little to no respect for the user's privacy.


General Quality

The app is extremely bloated, such a simple application should not need to be over 200mb. After installation, you'll see it consuming upwards of 500mb of RAM, often while just running in the background. This should not be necessary.


TL;DR: Microsoft Authenticator falls short of privacy standards due to its excessive permissions, embedded trackers, and invasive privacy policy, allowing extensive user data collection and sharing. It does not put the user in control of their own data. Its reliance on big tech platforms and lack of open-source availability further betray a lack of commitment to user privacy.

Further Links:

  • https://reports.exodus-privacy.eu.org/en/reports/com.azure.authenticator/latest/
  • https://tosdr.org/en/service/244
  • https://www.reddit.com/r/privacy/comments/cnrf3y/my_employer_is_going_to_force_me_to_use_microsoft/

Lissy93 avatar Feb 27 '24 15:02 Lissy93

This is not trolling. I appreciate that you listed those concerns. Do you understand the purpose of those permissions?

Background and fine location are necessary for Azure Conditional Access policy and preventing login from a different location than where you are currently. This is called impossible travel detection. For example, you legitimately log in from somewhere in New Jersey, USA, then 10 minutes later there is an attempt to log in from London, England. In this example, the London attempt would simply be denied because it obviously isn't possible to travel from New Jersey to London in 10 minutes. That's how location is used.

External storage is necessary to support copy and paste of tokens. This is just the clipboard. I'd agree you could argue that this should be able to be disabled within the app, but you can disable this permission if necessary.

View device network connections is necessary because Azure makes Auth approval notifications to the device.

Kill background processes prevents other apps from gaining access to MS Authenticator.

The last 3 are very self-explanatory.

The telemetry can be disabled within the app.

If you don't want to be tracked then get rid of your smart devices (phones and tablets) and all of your social media. MS Authenticator is the least of your worries.

MS Authenticator doesn't use or display ads. If you don't want ad tracking, see previous comment.

While I respect your concern about permissions, many of these can be disabled on your mobile device by the user. That said, it doesn't change the fact that MS Authenticator is a valid option for MFA for use with HA.

cjramseyer avatar Feb 27 '24 16:02 cjramseyer
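The impossible travel check described in the comment above can be sketched as detection logic over login events. This is an added example, not Microsoft's implementation and not code from this thread: the speed ceiling, the jitter tolerance, the `Login` record and the sample events are all assumptions constructed to mirror the New Jersey and London case.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0      # assumed ceiling, roughly airliner cruise speed
JITTER_KM = 50.0      # assumed tolerance for imprecise location fixes


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(events, max_kmh=MAX_KMH, jitter_km=JITTER_KM):
    """Return [(login, decision, implied_kmh)], judged against the last allowed login."""
    last_ok = {}
    results = []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_ok.get(ev.user)
        decision, speed = "allow", 0.0
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            if dist > jitter_km:
                # Simultaneous logins far apart have no finite speed.
                speed = dist / hours if hours > 0 else float("inf")
                if speed > max_kmh:
                    decision = "deny"
        if decision == "allow":
            last_ok[ev.user] = ev     # a denied attempt never moves the baseline
        results.append((ev, decision, speed))
    return results


# Constructed sample events mirroring the comment's New Jersey / London case.
SAMPLE = [
    Login("alice", datetime(2024, 2, 27, 12, 0), 40.7357, -74.1724, "Newark, NJ"),
    Login("alice", datetime(2024, 2, 27, 12, 10), 51.5074, -0.1278, "London"),
    Login("alice", datetime(2024, 2, 27, 12, 30), 40.2206, -74.7597, "Trenton, NJ"),
    Login("bob", datetime(2024, 2, 27, 12, 5), 51.5074, -0.1278, "London"),
]

if __name__ == "__main__":
    for ev, decision, kmh in evaluate(SAMPLE):
        print(f"{ev.when:%H:%M} {ev.user:5} {ev.place:12} {decision:5} {kmh:,.0f} km/h")
```

The check works on any location estimate attached to a login event; the sketch takes coordinates as given and does not depend on how they were obtained.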

With all due respect, I think you're misunderstanding the purpose of this repository. Big tech companies (like Microsoft) have little or no respect for users' privacy. The objective of this repository is to list open source alternatives to these applications and services.

If you compare Microsoft Authenticator to the other 2FA apps we've got listed, you'll see that all the others are:

  • Open source
  • Don't contain trackers
  • Allow users to import/export their seeds
  • Enable users to delete their data if they wish
  • Do not require Google Play to download or use on Android
  • Do not have excess invasive permissions
  • Do not log, sell or share personal data
  • Are not bloated (they're all 1/8th the size of MS authenticator)
  • And none of them force you to have an account or be connected to the internet

If you'd like to learn more about the criteria we use to decide which apps can be included on our list, please reference the Requirements section of our docs. Just to re-iterate once again, Microsoft Authenticator does not meet our criteria.

For the reasons I listed in my previous comment, Microsoft Authenticator cannot be considered privacy-respecting, and wouldn't be an appropriate fit for this list. As such, I'm going to close off this ticket now.

Lissy93 avatar Feb 27 '24 17:02 Lissy93

And in answer to your question,

> Do you understand the purpose of those permissions?

Yes, of course I do! 😉

Lissy93 avatar Feb 27 '24 17:02 Lissy93