Microsoft Authenticator to nuke Entra creds on rooted and jailbroken phones
- Reference: 1773149298
- News link: https://www.theregister.co.uk/2026/03/10/microsoft_authenticator_checks/
- Source link:
The process is automatic and there is no opt-out. If Microsoft Authenticator detects that a device has been jailbroken or rooted, it will first display a warning, then block access, and finally wipe credentials. The [1]procedure is already underway for Android devices, and iOS devices will follow in April 2026.
If all goes to plan, Microsoft will complete the process by July 2026. The app will warn, block, and wipe [2]data "during any interactive operation that involves a work or school account in Microsoft Authenticator."
There is an argument that an employer should provide employees with suitably locked-down devices anyway, and a jailbroken or rooted device might allow apps to cause all sorts of mischief that could bypass Microsoft's security controls and cause multi-factor authentication (MFA) headaches.
However, there are also good reasons to use a device – particularly an Android – that qualifies as jailbroken or rooted. There is plenty of software that only works on devices that are no longer locked solely to a given vendor's ecosystem, although it is important to understand the risks involved.
Microsoft did not detail what checks take place, and other mobile operating systems, such as GrapheneOS, may also face restrictions. Microsoft did not respond to our questions, other than confirming the receipt of The Register's query.
After receiving the warning, one user [9]remarked: "Disabling the hardened memory allocator for the app got rid of it having an issue with the device."
Microsoft first warned customers last year that the Authocalypse was coming for jailbroken or rooted devices. In response to a post reminding users that the effort was underway, another observer [10]said: "So, the quickest way to clean up tens of M365 accounts that were 'restored' to a new phone (and completely broken) would actually be to root my Pixel?"
Perhaps not quite what Microsoft had in mind. ®
[1] https://mc.merill.net/message/MC1179154
[2] https://support.microsoft.com/en-gb/account-billing/jailbreak-root-detection-in-microsoft-authenticator-9f0431bd-675a-4f2d-b8fb-7acd18deaadc
[9] https://www.reddit.com/r/GrapheneOS/comments/1rg48yw/comment/o7oua0j/
[10] https://bsky.app/profile/jukkan.bsky.social/post/3mgooxsmnnc22
Need a new TOTP then
Recommendations?
Re: Need a new TOTP then
SMS is crApp-free.
Re: Need a new TOTP then
also easy to circumvent with SIM swap/clone
Re: Need a new TOTP then
I'm less worried about my SIM being swapped or cloned than I am the crApp pushers exfiltrating my private data, selling my location, or committing advertising against me.
Re: Need a new TOTP then
Hardware token - Yubikey being the most well known, but there are others.
There is an associated app but all the TOTP seeds are on the token; it has NFC so you can use same TOTP seeds via the phone app.
I started using one a few weeks back and genuinely think it's great. When you want to generate a code you have to touch the token to show presence. I leave mine plugged into my PC and the LED blinks when I need to touch it.
There is a good chance you were not backing up the Authenticator app seeds, so loss of the token is the same situation as loss of phone now.
Does other stuff too but whatever
Ask employer to buy you a device for work.
You might have to carry 2 (but having work and personal data on the same device is generally not a great idea, especially in big companies).
Or just use an old 2G phone; none of the app-crapp works, obviously, so you do not even need to explain 'complex things' that your boss/manager can't understand.
> Ask employer to buy you a device for work.
It speaks volumes about management's mindset when they expect employees to opt-in to the spyware app ecosystem on a personal device.
This is a litmus test. If management expects an employee to infect their personal device, because they don't want to provide a work device, then that employee should think long and hard about whether they're building their career with the right company.
My new employer wants me to install their app via sideloading! And then grant permissions to allow that base app to install extra modules FFS!
"more than 580,000 employees, trusted and use the ******** authenticator. The apps have gone through security testing, check, compliance etc., and I have not heard of any security breach due to the Authenticator application."
There never is an issue until the first time.
My employer tried for months and months to get me on Microsoft Authenticator on a personal device. I just politely let them know over and over that my personal phone is a flip phone / can't install apps, and the other devices I have are too old and don't meet the minimum requirements. How are they going to prove otherwise?
> Or just use an old 2G phone
Using a dedicated 2G or 3G phone as a work phone in Australia has real merit. ;)
Certainly make for a quieter life since 2G, 3G networks (and recently non-VoLTE 4G) have been decommissioned for quite a while.
I miss my Nokia Asha 300 which I did use for work until 3G was pulled. Still have the handset.
So, let me get this straight
The maker of one single app is going to allow itself to wipe your phone if it doesn't like what it sees?
Under what authority?
Why do we put up with this bullshit?
Re: So, let me get this straight
> The maker of one single app is going to allow itself to wipe your phone if it doesn't like what it sees?
As I read it this piece of Microslop shit doesn't wipe your phone or its arse; it just erases the stored credentials (and configurations?) for any work or educational Microslop account.
Perhaps a case of 'Render unto Caesar' — fine as long as the empire provides the device to be rendered unto.
Re: So, let me get this straight
No, the maker of an app that handles MFA will allow said app to wipe saved credentials for said Maker's authentication platform, mostly used to access resources hosted by said Maker.
I'm not saying it's right or wrong.
Hmm, is the data on a personal device Microsoft's to delete?
I'd have thought it belongs to the owner of the device, it exists on the device only as a result of the owner using the app to create it, same as using, say, a text editor to create a text file.
In which case, surely it'd be illegal (at least in UK) for MS to delete it.
Of course, MS is welcome to disable the account at the other end, then it's up to the organization's IT to sort out the MS-created mess.
So glad I've almost finished migrating all my stuff off MS, goodbye O365, no more revenue for MS, hello Proton and Libre office.
Hmm, how long before Microsoft Authenticator goofs...
and wipes a phone that is not jailbroken or rooted?
Do they save the Authenticator data in the cloud first or are they assuming no one will sue?
> "other mobile operating systems, such as GrapheneOS, may also face restrictions"
Blocking devices which exist outside the identified, appified consumer ecosystem is a feature, not a bug.
It's not *YOUR* device. You're just the user. Even if you also pay for it.
This crap will continue until people want to feel sovereign in their devices and data, and are actually willing to draw red lines about unacceptable practices.
That won't happen. The vast majority of users want their bright, shiny object which controls their device and exfiltrates their data.