Skip Navigation

InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)E

englislanguage

@ englislanguage @lemmy.sdf.org

Posts
0
Comments
78
Joined
2 yr. ago

  • Can I refuse MS Authenticator?

    Jump

  • How would MS Authenticator make it any better than TOTP?

    To break TOTP, the attacker would need to:

    a) be able to observe the initial exchange of the TOTP secrets. To do that, the attacker needs access to the victim's computer (on user level) at that specific time they set up TOTP. TOTP is a TOFU concept and thus not designed to protect against that. However, if the attacker controls the victim's computer at that time, the victim is screwed anyways even before setting up 2FA.

    b) have access to the TOTP app's secret storage and to the victim's login credentials (e.g. by phishing). If the attacker can gain that level of access, they would also have access to the Microsoft Authenticator's secret storage, so there is no benefit of the Microsoft app.

    On the other hand, Microsoft Authenticator is a very huge app (>100MB is huge for an authenticator app, Aegis is just 6MB, FreeOTP+ 11MB), i.e. it brings a large attack surface, especially by connecting to the internet.

    I don't think Microsoft Authenticator brings security benefits over a clean and simple TOTP implementation.

  • Can I refuse MS Authenticator?

    Jump

  • If it is just TOTP, you can use any other TOTP app, such as Aegis or FreeOTP+.

    And no, Microsoft cannot be trusted on not doing anything bad. The app is full of trackers and has an excessive list of permissions it "requires".

    For comparison, Aegis and FreeOTP+ work without trackers and way less permissions.

    Microsoft has a long track record of leaks. Just naming the 2 most prominent:

    1. Microsoft Edge leaks every single URL to Microsoft servers (source)
    2. There are lots of reports that Microsoft had their general key stolen and not even notify it for months. It is unclear who had acces to that key. This is putting anyone at risk who uses any Microsoft product. (See for example here)

  • Can I refuse MS Authenticator?

    Jump

  • Are you forced to use their app or are they just very insistently trying to trick you into using it? I.e., have you tried with Bitwarden or any other TOTP capable app?

  • Can I refuse MS Authenticator?

    Jump

  • It might depend on configuration. In the only case of Microsoft enforced 2FA I know of, it is just TOTP. Microsoft's web interface nudges (tries to trick) you into using the MS Authenticator app, but that app is not needed. You can use any TOTP capable 2FA app, e.g. Aegis or FreeOTP+, both of which are also available through F-Droid and don't require internet connection.

  • Can I refuse MS Authenticator?

    Jump

  • "Diplomjodler" sounds German so probably different laws apply…

  • Simple FOSS GUI for Python

    Jump

  • With Gtk, I have seen some issues with rarely used parts of the API, but that should not be relevant to your rather simple use case.

  • mood

    Jump

  • Works without wine too.

  • Happened to me multiple times

    Jump

  • Mostly minor improvement, such as the fossify phone app grouping by date in the call history

  • Deleted

    Germany has too many solar panels, and it's pushed energy prices into negative territory

    Jump
  • Deleted

    Germany has too many solar panels, and it's pushed energy prices into negative territory

    Jump

  • Yeah, negative prices finally incentivize storage technologies such as battery storage.

  • Male birth control breakthrough safely switches off fit sperm for a while

    Jump

  • Has anyone heard about the andro-switch ring before? It is supposed to work without taking any pills and be free of side effects (except for carrying a silicone ring around the testicles). https://www.medscape.com/viewarticle/986261

  • The War Is Shifting Europe’s Politics Away From Israel

    Jump

  • This might be true for Netanjahu and some right-wing groups, but not for the population or country in general. There are lots of people in Israel, including lots of Jews, who oppose any violence against other groups, especially inhabitants of Gaza and the West Bank.

  • Linux Inventor Says He Doesn’t Believe in Crypto

    Jump

  • I guess I'm getting old then 😜

  • Some are though.

    Jump

  • EU's Green Deal improved its climate performance: a 1.5°C pathway is close

    Jump

  • Linux Inventor Says He Doesn’t Believe in Crypto

    Jump

  • Yeah, that headline is very misleading. Crypto(graphy) is essential for the digital world to exist whereas the other stuff is a pyramid & money laundering scheme.

  • Linux Inventor Says He Doesn’t Believe in Crypto

    Jump

  • Cryptocurrencies in general are not anonymous. There might be exceptions, but all I've seen is pseudonymity. And an eternal backlog of every transaction ever, i.e., if your identity gets revealed for a single transaction, it will get you revealed for every transaction you ever did.