Lissy93 / awesome-privacy

🦄 A curated list of privacy & security-focused software and services
https://awesome-privacy.xyz
Creative Commons Zero v1.0 Universal

[AMENDMENT] 2FA Authentication #189

Open cjramseyer opened 11 months ago

cjramseyer commented 11 months ago

2-factor-authentication

Amendments

The curated list of authenticators should also include the Microsoft Authenticator. It is required for use with Microsoft accounts and Azure (Entra) AD anyway, can be secured, and serves very well for TOTP for other accounts. It also provides backup in case of a lost or stolen primary device.

It would be fair to argue that, including MS Authenticator, Google Authenticator should also be on the list. It can serve the same purpose (though it is only a requirement for Google accounts). It suffers several limitations. No security: if your device is unlocked, the TOTP codes within are plainly visible. It doesn't actually get backed up, and there are no options for this. If the device is lost or stolen, it may not be possible to recover it. This is very dangerous, given that 2FA/MFA should be enabled anywhere it is offered, even if that is only SMS (better than nothing).

Association Disclosure

I use MS Authenticator to have everything except google in a single secure app

Would you like to submit a PR?

Maybe?


liss-bot commented 11 months ago

If you're enjoying Awesome-Privacy, consider dropping us a ⭐
🤖 I'm a bot, and this message was automated

cjramseyer commented 10 months ago

Is this going to be reviewed, acted upon, responded to?

Lissy93 commented 7 months ago

I would probably argue against adding Microsoft + Google Authenticator, for the primary reason that neither are privacy-respecting.

(I think this comes back to the age old privacy vs security debate. Sure securing your Microsoft account with Microsoft Authenticator is secure, but it is not private.)

It is required for use with Microsoft accounts and Azure (Entra) AD anyway, can be secured, and serves very well for TOTP for other accounts

You can also use any U2F application to secure your Microsoft account, same with Google. They try to push you to use theirs, but if you click that tiny "use a different app" button, then you can use whatever authenticator you like.


everything except google in a single secure app


Same goes for Google. You can use any authenticator app with your Google account; even if you click the Google auth button, it will show you a standard U2F QR code.


cjramseyer commented 7 months ago

Google Authenticator is definitely not secure. However, the same cannot be said about Microsoft Authenticator. The authenticator can be secured to require a PIN or fingerprint to open.


Lissy93 commented 7 months ago

But Microsoft Authenticator is not private. This repo lists privacy-respecting software and services.

cjramseyer commented 7 months ago

Please provide some background why you think that MS Authenticator isn't privacy respecting.


cjramseyer commented 7 months ago

If you are suggesting MS Authenticator isn't "private" because it connects to the internet, then that suggests only using TOTP, which wouldn't require an internet connection. But MS Authenticator is so much more than that.

Lissy93 commented 7 months ago

I'm not sure if you're trolling me, or if it's a genuine question. But I'll treat this as a serious question, and try and outline the top privacy concerns with Microsoft Authenticator. I hope this helps, and do let me know if you'd like clarification on any of these points.

1. Permissions

The app requests a total of 34 permissions, the vast majority of which are overly invasive and should not be required given the functionality of the application.

Source: Exodus Scan

Some examples of such permissions include:


2. Trackers

For something as important as your authenticator app, you would expect there to be minimal trackers. But that's not the case with Microsoft Authenticator. It contains 5 such data collection trackers, each of which has its own worrying privacy policy.

This includes:


3. Privacy Policy

A skim through their privacy pages reveals some worrying statements.

Source: Microsoft's privacy policy


Anti-Features

Microsoft Authenticator comes with several "anti-features" which are detrimental to the privacy of the users. These include, but are not limited to:


External Data Requests

Upon installing on a fresh emulator, within the first 60 seconds, Microsoft Authenticator made 306 HTTP requests to 18 different domains. Many of these included payloads containing much more data than should be reasonably necessary, including sensitive user and device info. It seems the app has little to no respect for the user's privacy.


General Quality

The app is extremely bloated; such a simple application should not need to be over 200 MB. After installation, you'll see it consuming upwards of 500 MB of RAM, often while just running in the background. This should not be necessary.


TL;DR: Microsoft Authenticator falls short of privacy standards due to its excessive permissions, embedded trackers, and invasive privacy policy, allowing extensive user data collection and sharing. It does not put the user in control of their own data. Its reliance on big tech platforms and lack of open-source availability further betray a lack of commitment to user privacy.

Further Links:

cjramseyer commented 7 months ago

This is not trolling. I appreciate that you listed those concerns. Do you understand the purpose of those permissions?

Background and fine location are necessary for Azure Conditional Access policy and preventing login from a different location than where you are currently. This is called impossible travel detection. For example, you legitimately log in from somewhere in New Jersey, USA, then 10 minutes later an attempt to log in comes from London, England. In this example, the London attempt would simply be denied because it obviously isn't possible to travel from New Jersey to London in 10 minutes. That's how location is used.

External storage is necessary to support copy and paste of tokens. This is just the clipboard. I'd agree you could argue that this should be able to be disabled within the app, but you can disable this permission if necessary.

View device network connections is necessary because Azure sends auth approval notifications to the device.

Kill background processes prevents other apps from gaining access to MS Authenticator.

The last 3 are very self-explanatory.

The telemetry can be disabled within the app.

If you don't want to be tracked then get rid of your smart devices (phones and tablets) and all of your social media. MS Authenticator is the least of your worries.

MS Authenticator doesn't use or display ads. If you don't want ad tracking, see previous comment.

While I respect your concern about permissions, many of these can be disabled on your mobile device by the user. That said, it doesn't change the fact that MS Authenticator is a valid option for MFA for use with HA.

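The New Jersey to London example in the comment above is a geo-velocity check: take consecutive sign-ins for the same user, compute the great-circle distance between them, divide by the elapsed time, and alert when the implied speed is faster than any aircraft. The following is an added example written for this thread, not Microsoft's Conditional Access implementation and not code from this repository; it assumes each sign-in event already carries a latitude and longitude (from the device or from GeoIP), and the 1000 km/h threshold and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, Iterator, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold: a bit above airliner cruise speed


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str  # only used to make alerts readable


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a: LoginEvent, b: LoginEvent) -> float:
    """Speed the user would have needed to get from a to b; infinite if the events are simultaneous."""
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def impossible_travel(events: Iterable[LoginEvent],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH
                      ) -> Iterator[Tuple[LoginEvent, LoginEvent, float]]:
    """Yield (previous, current, speed) for each per-user pair of consecutive sign-ins
    whose implied travel speed exceeds max_speed_kmh. Events are sorted per user by time first."""
    last: Dict[str, LoginEvent] = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last.get(ev.user)
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > max_speed_kmh:
                yield prev, ev, speed
        last[ev.user] = ev


def _t(hh: int, mm: int) -> datetime:
    return datetime(2024, 2, 27, hh, mm, tzinfo=timezone.utc)


# Constructed sample sign-ins: alice reproduces the thread's New Jersey -> London in 10 minutes,
# bob does a plausible New York -> Philadelphia in an hour.
SAMPLE_EVENTS = [
    LoginEvent("alice", _t(14, 0), 40.7357, -74.1724, "Newark, NJ"),
    LoginEvent("alice", _t(14, 10), 51.5074, -0.1278, "London"),
    LoginEvent("bob", _t(9, 0), 40.7128, -74.0060, "New York"),
    LoginEvent("bob", _t(10, 0), 39.9526, -75.1652, "Philadelphia"),
]

if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {cur.user}: {prev.city} -> {cur.city} in "
              f"{(cur.ts - prev.ts).total_seconds() / 60:.0f} min implies {speed:,.0f} km/h")
```

Two caveats for anyone running this on real data: sign-in coordinates derived from GeoIP are coarse and a VPN or mobile carrier exit can place a legitimate user thousands of kilometres away, so the check is a signal for step-up or review rather than a hard deny on its own; and the per-user ordering matters, because events arriving out of order would otherwise produce spurious alerts.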

Lissy93 commented 7 months ago

With all due respect, I think you're misunderstanding the purpose of this repository. Big tech companies (like Microsoft) have little or no respect for users' privacy. The objective of this repository is to list open source alternatives to these applications and services.

If you compare Microsoft Authenticator to the other 2FA apps we've got listed, you'll see that all the others are:

If you'd like to learn more about the criteria we use to decide which apps can be included on our list, please reference the Requirements section of our docs. Just to re-iterate once again, Microsoft Authenticator does not meet our criteria.

For the reasons I listed in my previous comment, Microsoft Authenticator cannot be considered privacy-respecting, and wouldn't be an appropriate fit for this list. As such, I'm going to close off this ticket now.

Lissy93 commented 7 months ago

And in answer to your question,

Do you understand the purpose of those permissions?

Yes, of course I do! 😉