
[AMENDMENT] 2FA Authentication - Microsoft Authenticator #189

Closed
4 tasks done
cjramseyer opened this issue Oct 11, 2023 · 12 comments
Comments

cjramseyer commented Oct 11, 2023

2-factor-authentication

Amendments

The curated list of authenticators should also include the Microsoft Authenticator.
It is required for use with Microsoft accounts and Azure (Entra) AD anyway, can be secured, and serves very well for TOTP for other accounts. It also provides backup in case of a lost or stolen primary device.

It would be fair to argue that if MS Authenticator is included, Google Authenticator should also be on the list. It can serve the same purpose (though it is only a requirement for Google accounts).
It suffers several limitations. No security: if your device is unlocked, the TOTP codes within are plainly visible. It doesn't actually get backed up, and there are no options for this. If the device is lost or stolen, it may not be possible to recover it. This is very dangerous, given that 2FA/MFA should be enabled anywhere it is offered, even if that is only SMS (better than nothing).

Association Disclosure

I use MS Authenticator to have everything except google in a single secure app

Would you like to submit a PR?

Maybe?

Please tick the boxes

  • You have filled out this form accurately, and to the best of your knowledge
  • You have indicated whether or not you are associated with the project the amendment refers to
  • A similar submission has not already been opened for this software / service
  • You agree to the code of conduct
@liss-bot (Collaborator)

If you're enjoying Awesome-Privacy, consider dropping us a ⭐

🤖 I'm a bot, and this message was automated

@cjramseyer (Author)

Is this going to be reviewed, acted upon, responded to?

Lissy93 (Owner) commented Feb 26, 2024

I would probably argue against adding Microsoft + Google Authenticator, for the primary reason that neither are privacy-respecting.

(I think this comes back to the age old privacy vs security debate. Sure securing your Microsoft account with Microsoft Authenticator is secure, but it is not private.)

> It is required for use with Microsoft accounts and Azure (Entra) AD anyway, can be secured, and serves very well for TOTP for other accounts

You can also use any U2F application to secure your Microsoft account, same with Google. They try to push you to use theirs, but if you click that tiny "use a different app" button, then you can use whatever authenticator you like.

[image]

> everything except google in a single secure app


Same goes for Google. You can use any authenticator app with your Google account; even if you click the Google auth button, it will show you a standard U2F QR code.

[image]
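To illustrate the point in the comment above that the QR code shown by these providers is the standard otpauth format any authenticator can consume, here is an added example (not code from this thread or from Awesome-Privacy). It parses an `otpauth://totp/` URI, computes RFC 6238 codes fully offline, and rebuilds the URI, which is exactly the seed export an app like this can or cannot offer. The sample URI is constructed from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote

# Constructed sample: the RFC 6238 reference secret ("12345678901234567890" in base32).
RFC_URI = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into label and parameters, applying RFC 6238 defaults."""
    prefix = "otpauth://totp/"
    if not uri.startswith(prefix):
        raise ValueError("not a TOTP otpauth URI")
    label, _, query = uri[len(prefix):].partition("?")
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(label),
        "secret": q["secret"],                       # the raw seed, base32-encoded
        "issuer": q.get("issuer", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }

def totp(params, unix_time=None):
    """RFC 6238: HMAC over the time-step counter, dynamic truncation, decimal code."""
    b32 = params["secret"].upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))   # restore stripped padding
    digest = getattr(hashlib, params["algorithm"].lower())
    now = int(time.time()) if unix_time is None else int(unix_time)
    counter = now // params["period"]
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])

def to_otpauth(params):
    """Rebuild the URI from the seed: this is what a seed export consists of."""
    return ("otpauth://totp/" + quote(params["label"], safe=":")
            + "?secret=" + params["secret"] + "&issuer=" + quote(params["issuer"])
            + "&algorithm=" + params["algorithm"]
            + "&digits=" + str(params["digits"]) + "&period=" + str(params["period"]))

if __name__ == "__main__":
    p = parse_otpauth(RFC_URI)
    print(p["label"], totp(p), to_otpauth(p))
```

The fixed-time values in the test are the RFC 6238 vectors truncated to six digits; no network is involved at any step.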

cjramseyer (Author) commented Feb 26, 2024 via email

Lissy93 (Owner) commented Feb 26, 2024

But Microsoft Authenticator is not private.
This repo lists privacy-respecting software and services.

cjramseyer (Author) commented Feb 27, 2024 via email

@cjramseyer (Author)

If you are suggesting MS Authenticator isn't "private" because it connects to the internet, then that suggests only using TOTP, which wouldn't require an internet connection. But MS Authenticator is so much more than that.

Lissy93 (Owner) commented Feb 27, 2024

I'm not sure if you're trolling me, or if it's a genuine question. But I'll treat this as a serious question, and try and outline the top privacy concerns with Microsoft Authenticator. I hope this helps, and do let me know if you'd like clarification on any of these points.

1. Permissions

The app requests a total of 34 permissions, the vast majority of which are overly invasive and should not be required given the functionality of the application.

Source: Exodus Scan

Some examples of such permissions include:

  • ACCESS_BACKGROUND_LOCATION - Access location in the background / while the app is not open
  • ACCESS_FINE_LOCATION - Access precise location
  • READ_EXTERNAL_STORAGE - Read the contents of your external storage
  • ACCESS_NETWORK_STATE - View the device's network connections
  • KILL_BACKGROUND_PROCESSES - Close other applications not associated with MS Authenticator
  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS - Keep Microsoft Authenticator running, even when the user has battery optimization enabled
  • SYSTEM_ALERT_WINDOW - Allow Microsoft Authenticator to appear on top of any other application
  • WAKE_LOCK - Prevent device from sleeping

2. Trackers

For something as important as your authenticator app, you would expect there to be minimal trackers. But that's not the case with Microsoft Authenticator. It contains 5 such data collection trackers, each of which has its own worrying privacy policy.

This includes:

  • Google Analytics
  • Google Firebase Analytics
  • Microsoft Visual Studio App Center Analytics
  • Microsoft Visual Studio App Center Crashes
  • OpenTelemetry (incl OpenCensus and OpenTracing)

3. Privacy Policy

A skim through their privacy pages reveals some worrying statements.

Source: Microsoft's privacy policy

  • This service may collect, use, and share location data
  • Third-party cookies are used for advertising
  • Many different types of personal data are collected
  • The service can delete your account without prior notice and without a reason
  • You waive your right to a class action.
  • This service forces users into binding arbitration in the case of disputes
  • Voice data is collected and shared with third-parties
  • You are being tracked via social media cookies/pixels
  • You are tracked via web beacons, tracking pixels, browser fingerprinting and device fingerprinting
  • No promise to inform of government requests
  • Many third parties are involved in operating the service
  • This service gathers information about you through third parties
  • Microsoft may remotely disable software you are not licensed to use
  • This service may use your personal information for marketing purposes
  • Your profile is combined across various products
  • This service receives your precise location through GPS coordinates
  • This service gives your personal data to third parties involved in its operation
  • Your personal data is used for advertising
  • Your data may be processed and stored anywhere in the world
  • Third-party cookies are used for statistics

Anti-Features

Microsoft Authenticator comes with several "anti-features" which are detrimental to the privacy of the users. These include, but are not limited to:

  • Device registration - If completed, this will allow the user's employer / work org to track sensitive user info, including location, device pickups/unlocks, files and other installed applications
  • Backups are only protected with the user's account, and are not encrypted with an additional passphrase. This means that Microsoft can access your OTP seeds, and if your account is ever compromised then so can an attacker
  • No seed export - You're effectively locked into Microsoft Authenticator, as they do not allow you to export your raw seed tokens.
  • There is physically no way to delete your data. Once you give it to Microsoft, there's no going back
  • Reliance on Microsoft account, as well as the need for Google Play Services for Android, and iCloud for iOS. Meaning there is no way that you can use Microsoft Authenticator on a private device (like a custom ROM) - it must be either Google Android or Apple iOS, nothing else.
  • Not available on F-Droid, meaning for Android users you're forced to use Google Play
  • The application is not open source

External Data Requests

Upon installing on a fresh emulator, within the first 60 seconds, Microsoft Authenticator made 306 HTTP requests to 18 different domains. Many of these included payloads containing much more data than should be reasonably necessary, including sensitive user and device info. It seems the app has little to no respect for the user's privacy.


General Quality

The app is extremely bloated; such a simple application should not need to be over 200 MB. After installation, you'll see it consuming upwards of 500 MB of RAM, often while just running in the background. This should not be necessary.


TL;DR: Microsoft Authenticator falls short of privacy standards due to its excessive permissions, embedded trackers, and invasive privacy policy, allowing extensive user data collection and sharing. It does not put the user in control of their own data. Its reliance on big tech platforms and lack of open-source availability further betray a lack of commitment to user privacy.

Further Links:

cjramseyer (Author) commented Feb 27, 2024 via email

Lissy93 (Owner) commented Feb 27, 2024

With all due respect, I think you're misunderstanding the purpose of this repository.
Big tech companies (like Microsoft) have little or no respect for users' privacy.
The objective of this repository is to list open source alternatives to these applications and services.

If you compare Microsoft Authenticator to the other 2FA apps we've got listed, you'll see that all the others are:

  • Open source
  • Don't contain trackers
  • Allow users to import/export their seeds
  • Enable users to delete their data if they wish
  • Do not require Google Play to download or use on Android
  • Do not have excess invasive permissions
  • Do not log, sell or share personal data
  • Are not bloated (they're all 1/8th the size of MS authenticator)
  • And none of them force you to have an account or be connected to the internet

If you'd like to learn more about the criteria we use to decide which apps can be included on our list, please reference the Requirements section of our docs. Just to reiterate once again, Microsoft Authenticator does not meet our criteria.

For the reasons I listed in my previous comment, Microsoft Authenticator cannot be considered privacy-respecting, and wouldn't be an appropriate fit for this list. As such, I'm going to close off this ticket now.

Lissy93 (Owner) commented Feb 27, 2024

And in answer to your question,

> Do you understand the purpose of those permissions?

Yes, of course I do! 😉

@Lissy93 Lissy93 pinned this issue Sep 28, 2024
@Lissy93 Lissy93 changed the title from "[AMENDMENT] 2FA Authentication" to "[AMENDMENT] 2FA Authentication - Microsoft Authenticator" Sep 28, 2024
Lissy93 (Owner) commented Sep 28, 2024

I'm going to close this for now, because Microsoft Authenticator does not currently meet the privacy requirements to be included in this list (as documented here).

If anything changes, drop a comment and I will re-look into it.

@Lissy93 Lissy93 closed this as completed Sep 28, 2024
@SadMadLad SadMadLad unpinned this issue Sep 28, 2024
3 participants