Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically π.
-
And make your employer pay for it. I got my work phone when I refused to put a similarly shitty 2FA app onto my personal one.
I just said I've a PinePhone with Postmarket OS and I'm not going to buy a new one just for that. + I asked if they'd cover damages for any data deleted because of someone hitting the "wipe phone" button in the MDM that would have come with it accidentally (or on purpose).
The phone was cheaper for them than continuing the discussion btw
-
@merill I'm gonna go out on a limb here and say that users that jailbreak their own private device wouldn't use MS Authenticator, and on company devices jailbreak wasn't allowed anyway.
@silhouette @merill people are expected to put this on their personal devices
-
@merill TIL people actually use the MS authenticator
@Longplay_Games @merill not by choice
-
@silhouette @merill people are expected to put this on their personal devices
@fluffykittycat @merill ah, the famous "use your own private resources for the benefit of the company".
-
@crazyeddie @thaodan @merill unlocked bootloaders are a moral imperitive. Not to mention all the ewaste created by locked devices not being repurporsable
@fluffykittycat @merill @crazyeddie Context? Nobody in the thread said that devices where users can't unlock bootloaders are a good thing.
Users should just be able to relock it. Locking bootloaders doesn't block flashing it just ensures that only code signing with the owner of the keys in the bootloader can be used, the owner of these keys can be the user. -
@fluffykittycat @merill @crazyeddie Context? Nobody in the thread said that devices where users can't unlock bootloaders are a good thing.
Users should just be able to relock it. Locking bootloaders doesn't block flashing it just ensures that only code signing with the owner of the keys in the bootloader can be used, the owner of these keys can be the user.@thaodan @fluffykittycat @merill Yeah, I can't re-lock my phone or I believe even put the bootloader into write-only. Sucks.
-
Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically
.No IT config needed.
3-phase rollout starting Feb 2026:
οΈ Warn β 
Block β 
οΈ WipeLet your help desk and security teams know.
@merill what the fuck. You all really want to kill open computing, don't you.
-
@thaodan @fluffykittycat @merill Yeah, I can't re-lock my phone or I believe even put the bootloader into write-only. Sucks.
@crazyeddie @thaodan @merill yeah, locked bootloaders imply the person who purchased it doesn't get full ownership rights over it
-
@merill magisk module to hide root incoming in 3, 2, 1...
@BernardSheppard @merill it exists
Just not for android 16 -
Wow. So a LOT of you folks are not happy.
The good news is your org can still allow you to use passkeys and other Authenticator apps.
@merill
Wait you were actually saying it as a good thing???? -
@crazyeddie @thaodan @merill yeah, locked bootloaders imply the person who purchased it doesn't get full ownership rights over it
@fluffykittycat @crazyeddie @merill You have to separate the technical from the ideological part. As long as the user has the control for en- and disable the bootloader signature verification they are perfectly fine. There are parts of the device users shouldn't reflash thou such as the radio configuration.
-
@merill I wonder who of the people complaining here doβ¦
1. β¦ own a rooted / jailbroken phone
2. β¦ have Microsoft Authenticator installed on this phone
3. β¦ do use MS Authenticator in combination with an Azure Active Directory account.@kontrollierterWahnwitz@sueden.social anyone meeting criteria 1 who are required to use MS Authenticator for work.
-
Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically
.No IT config needed.
3-phase rollout starting Feb 2026:
οΈ Warn β Block β οΈ WipeLet your help desk and security teams know.
@merill Yikes.
-
@fluffykittycat @crazyeddie @merill You have to separate the technical from the ideological part. As long as the user has the control for en- and disable the bootloader signature verification they are perfectly fine. There are parts of the device users shouldn't reflash thou such as the radio configuration.
@thaodan @crazyeddie @merill why should we expect Microsoft to.honor that? We know they won't
-
@BernardSheppard @merill it exists
Just not for android 16@Kuniti_shino @merill I haven't had need for magisk / shamiko for a while now, but under Android 15, they worked perfectly.
Root, recompile to defeat certificate pinning, MITM, hide root and then using something like http toolkit to work out what an application was doing was pretty straightforward.
Reverse engineering for everyone.
-
@fluffykittycat @merill ah, the famous "use your own private resources for the benefit of the company".
@silhouette@dumbfuckingweb.site @fluffykittycat@furry.engineer @merill@infosec.exchange how else can we call you when you're supposedly sleeping or on vacation?
-
Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically
.No IT config needed.
3-phase rollout starting Feb 2026:
οΈ Warn β Block β οΈ WipeLet your help desk and security teams know.
Bloody hell? This looks like fascism to me.
-
@merill I wonder who of the people complaining here doβ¦
1. β¦ own a rooted / jailbroken phone
2. β¦ have Microsoft Authenticator installed on this phone
3. β¦ do use MS Authenticator in combination with an Azure Active Directory account.@kontrollierterWahnwitz @merill I'm stuck with Microsoft Authenticator for my work Azure login. I have to use my personal device as they will not issue me one, and no other authenticator option is permitted.
I don't have a rooted device at the moment, but I was planning on rooting it in a couple years when my manufacturer inevitably stops providing updates.
I'm going to ask my work if they can relax the restrictions to allow other authenticators after this change. Otherwise, I'll need to fork up for a new phone out of my own pocket instead of being able to extend the life of my current one.
-
@merill this idiocy looks like something @GrapheneOS will want to respond to. Microsoft doesn't care if the OS has the latest patches, only that it was certified by the duopoly.
@pq1r @merill @GrapheneOS GrapheneOS doesn't support rooting, so they don't need to do anything.
-
@merill I have to admit one of the reasons I use the web application for Outlook on my phone is because installing the Outlook app and adding my work account to it would in theory give work access to control (parts of) my phone - which I don't want. I didn't think the authenticator alone would give that level of access to the device though!
Is this likely to just drive more people to switch to using Google's authenticator (or another TOTP app) instead of the Microsoft one? I do anyway, because I was already using it for other sites, and it was easier to have them all in one place. You'd lose push authentications: but I feel safer without those anyway!
@lnr @merill *If* you consider using another TOTP app, I recommend 2FAS Authenticator. Other than the MS and Google authenticators, who are incredibly greedy data harvesters, 2FAS phones home nothing but anonymised diagnostics data. (It does, optionally, sync/backup on Google Drive/iCloud.) Has been working well for me for years. Open source, on Android and iOS.
2FAS Auth
Meet your favourite 2FA app. We are an open-source, community-driven, private and simple solution for Internet's biggest threat - security breaches.
(2fas.com)
