Microsoft Authenticator, Librem 5, and Security

I received my Librem 5 this past Spring. Also, I am required by IT staff where I work to use Microsoft Authenticator on a personal device to log in, and they do not provide me a device for this purpose.

At the time, I discovered that in the fine print below the Microsoft menu to add an “Authenticator App” for Android or iOS, there is a “Use a different Authenticator App” option. Microsoft’s description that follows after clicking that button seriously feels intentionally unhelpful, but among other things they provide the “secret” used by their OTP generator. At the time, I discovered through trial and error that I could save this “secret” to a file on my Librem 5 and then run it through one of the available algorithms of the “oathtool” command line utility from the Byzantium repo, as a means to generate my OTP keys to log in to work.

I saved which oathtool algorithm it was into a simple shell script and I used that for about the past five months. But recently I was informed of an “upgrade” at work such that the OTP keys are no longer allowed. They’re telling me the only “secure” way to log in is “from a push notification on my phone.” At the same time that I was informed of this, I was also slated to receive my Librem 5 USA which I ordered at the time of the stupid Rossman YouTube drama (to make sure we keep Purism alive, and for fun).

So now this last weekend I had this weird moment of having my expensive Librem 5 USA that should have been my new fun and exciting phone… but instead it was sitting in a box while I had that pit in my stomach, trying to plot how I could win the information war against these tech companies and defeat their security theater and avoid using Android.

This led me down a rabbit hole of unzipping the MicrosoftAuthenticator.apk and poking through it to see if I could find the web endpoint they are using, with the hope of perhaps constructing a GTK app to do the same, so that I would not be stupidly forced away from the freedom to choose Librem 5 as my phone if I want.

But of course, these systems are built with a one-way build pipeline designed to never be looked at down the line. As well as all the Java code in the app for doing the Experimentation on Users in multiple packages (if you want to look it up, Microsoft publicly describes the experimentation packages under the name “ECS”), and the code for how the experiments connect to a domain name registered as Skype in the hope that users don’t figure out what it is… On top of that Java code, there is also a ton of aarch64-specific binaries like “libfb.so” (stands for “libfacebook”) because the app contains a deployment of React Native and all the “dependency hell” comedy that comes with including that. Of course this even included the “react-native-telemetry” from Facebook’s React Native, so Facebook can also monitor when we log into work. And, on top of that, there appeared to be some or all of Chromium in there although I didn’t check that part too closely. Somehow I personally wouldn’t be surprised if some Google telemetry was included as part of that.

As I looked through this comedic dung-heap that is “only secure way to log in” to my work, despite stressing myself out over these components it is at least conceivable to me that this technology may have been the result of people who believed in what they were doing and did not self-acknowledge themselves as being evil. For example, the Microsoft Authenticator also included a binary .so file for the Azure AI Vision system, which I have not looked up online but absent any research it sounds like something I don’t want in my pocket every single day simply as a requirement for logging in for my job. And yet, someone from my work said they like and use the “Face ID” unlock because they feel it is secure. People could convince themselves it’s a good thing; even the Microsoft devs. But for my own part, I want to be able to exercise my personal right to independent thinking and be able to log in to work without all of that. Or at least without being forced to have an Android or iOS device running in my pocket 24/7 in a world where my Librem 5 exists.

Maybe some of the people here can appreciate my sentiment about how finding Azure AI Vision in there, or seeing how the authenticator includes the Samsung Knox Device Administrator Permission in its list of used Android permissions, all combined raises my blood pressure to see. Even if we can figure the folks making it believed in what they were doing, when we put it all together, having a work-mandated AI-Vision-based “Device Admin Permission”-using app built using Facebook libs mandated on my life feels like something dystopian. Sure, they say we should never attribute to malice that which can be attributed to apathy – maybe these components do not actually do anything malicious together, and are all just there in case. It’s possible.

But I wanted to be able to use my Librem 5. Along with the new work requirement, I was also told to no longer log into work from whatever device I want and instead use a new work-provided MacBook. My attempts to find a web endpoint were frustrating (Microsoft was receiving an “mfaServiceUrl” inside a POJO wrapper called PendingAuthentication that got the url either from an android.os.Bundle key named “key_pad_host” or from other POJO instances named CheckForAuthenticationRequest or CheckForAuthenticationResponse or something like that). After that frustration of not simply finding a web address where I could wait for a notification and then reply with a secure OTP key, I started to think… Maybe I could settle for some other attempt to virtualize this authenticator in some kind of container that I could use on my terms that didn’t force me into a particular device. That MacBook from work that I’m already required to use has the Apple Silicon, so shouldn’t it be able to run iOS apps now? But no, apparently the Microsoft Authenticator for iOS is specifically tagged to not be allowed on MacBooks. So, the MacBook cannot be the secure unlock device for itself.

So then I thought, what about my Microsoft Surface tablet? I still had one of those around. Upgrading it to Windows 11 was a zero-gain thing for the end user as far as I could tell. The upgrade simply made it run more slowly in games and graphical apps. But wasn’t the reason Windows 11 was invented simply to force users to have a secure TPM2 onboard so that Surface could join the Google Android ecosystem and run Android apps directly on Windows while still being able to prove the device was from a preset global list of devices and not an emulator or whatever?

So I went to look at what it would take to get Microsoft Authenticator to run on the Surface – a Microsoft security app on a Microsoft piece of hardware – but unfortunately, the supported way to get Android apps on Windows 11 is only from Amazon Appstore and not from Google Play, because Amazon made a deal with Microsoft for that, and as a result, because Microsoft Authenticator isn’t on Amazon Appstore, we cannot use a Microsoft device as our secure unlock. I considered calling Microsoft customer service and asking them whether I can use my Surface as my authenticator or if Microsoft intentionally doesn’t support Windows for their security app (as if Microsoft themselves are telling users not to trust Windows 11 even with the TPM2 nonsense, which is to me very funny). Amidst all this frustration I decided to see how far I could get with VMs. I have an ancient ThinkPad with PureOS installed and so I tried using qemu to run PureOS. Initially I tried the Librem 5 img but I wasn’t sure how to get that to work, so I switched to PureOS x86_64 inside qemu, then followed the Waydroid tutorials from PureOS on there and decided to install the Microsoft Authenticator app there. It turns out, the install command would instantly return and do nothing. But that was when I remembered that all those .so files for the binary libs like Azure AI Vision and the facebook libraries and React telemetry are only compiled for aarch64.

So, I did it. I decided that with the unopened Librem 5 USA sitting in front of me in a box, I may as well corrupt and taint the ethics of my older Librem 5 by dual booting to a second image of Librem 5 PureOS Byzantium, and then inside the dual boot install Waydroid and run Microsoft Authenticator in there. The first time through I tried the VANILLA system type on Waydroid, which worked well enough to open the Microsoft Authenticator but there was a Microsoft warning that “without Google Play services, some features may not work.” I looked a little at microG but became convinced that to run it, I would need a modified LineageOS ROM and I didn’t feel like bothering to study that in only a weekend.

So, I nuked Waydroid and reinstalled with the GAPPS system type. Compared to the Vanilla android, this variant seemed sickly and made alert sounds with constant notifications quite literally making a “wee woo wee woo” sound to tell me that Google does not approve of Librem 5. I would not have wanted to do that, but as I said, I had a new Librem 5 waiting for me after I burned up this one.

So, while my device heated up like a fireball processing all the Google nonsense, I realized that it was possible to install the Microsoft Authenticator APK from an unofficial source anyway, and then observed that the presence of the aberrant Google Play services was enough to satisfy Microsoft, and at this point I was able to log in to work using my Librem 5. Comically, for me this confirmed that it was all security theater, because obviously being able to run this thing in Waydroid and have it work shows that their app is not dependent on any Android equivalent of a TPM, or at least not as far as I can tell, given that the Librem 5 has no TPM.

But later that evening, I realized that rather than squelch notifications from Google’s nonsense there was also a way to upload some metadata from the Waydroid install into a Google site to “register” it and this made Google stop whining and even allow the use of Google Play there on Waydroid, which meant I could nuke and reinstall Waydroid and then run a copy of Microsoft Authenticator app from the Play Store itself which I’m sure some Google fan somewhere would tell me was more secure than running a copy of the app from a third party. I also liked to hope that by “registering” with Google maybe they would spend less energy trying to burn my battery on superfluous notifications (that I had turned off).

So, I posted this on the security chat because I wanted to ask if dual booting the Librem 5 into a GAPPS instance of Waydroid, from a security standpoint, would be likely to compromise the hardware of the Librem 5 itself. It turns out, doing this is a fairly effective way to achieve the crap required for my work. I prefer a corrupted Librem 5 to having an Android as a second corrupted device for work, if I am required to have one or the other.

But what if the compromise between “ease” and ideology begins to make me want to put the SD card in the Librem 5 USA and boot the new pure device using the knowingly-compromised work partition? At that point, would Waydroid be likely to embed itself into the firmware? It did look like there was traffic to Google on boot when I used Waydroid LineageOS x86_64 inside a VM, when I did a packet capture. Even on “VANILLA” Waydroid. But I think that makes sense; Google made Android and so it would make sense that they would want their systems to report back to their big AI brain(s) in order to keep tabs on the humans.

But how could I actually be confident that when I take that SD card out of a Librem 5, for example, that this taint would be gone? It even says on the Waydroid Librem 5 guide, as I recall, that Waydroid is not a security boundary. So if some of that stuff in the apps, like “libfacebook”, included a low level hardware escape to embed itself, wouldn’t it embed into the Librem 5 itself?

My degree was in software-related stuff primarily so I know this may all sound paranoid. But I think in a world where I can buy a Librem 5 USA and then be told by my employer to not use it, society really is that bad. And maybe here on a forum like this, we are the lucky ones who stopped to try to think about it and try to escape even if we may all inevitably fail because evil is too powerful. But, what do we think, does removing that SD card when I want to be alone (or on my own time) really remove the evil?

Thank you all for your time.


That sucks to hear. Do you know if your IT department allows FIDO2 or U2F authentication with devices like the Yubikey? Microsoft supports authentication this way, though it probably needs to be enabled from the organization.

If your employer is requiring that you use your personal devices for work and aren’t providing a company-provided device, they might be required to reimburse you for devices you need to purchase in order to fulfil your work-related duties, though this depends on where you’re employed so you’ll need to check your local laws.

As for whether or not Android apps executed through Waydroid could potentially compromise the lower-level components, I don’t know. Some firmware, such as the Wi-Fi firmware, is isolated to the firmware jail and I believe that the integrity of the firmware is checked at boot when it is loaded into the system.


I think you should copy and paste the whole text and send it to Bruce Schneier with a short one-paragraph preface explaining what a Librem 5 is.

The link to this thread is available without being logged in anyways. So he could put it in his newsletter with a citation.


The reason you can’t use the MS Authenticator “push” without an Android (read: Google Play Services) or iPhone is not about a TPM chip - it’s that they make use of the push notification services offered by Apple and Google. The OS itself is responsible for polling its servers for notifications and responsible for waking up your phone, then telling the app to retrieve the notification.

So you would not be able to find the URL that the app is fetching, anyway, because it’s not the app doing so – it’s the services on the OS that are running the push notifications that are doing this. And with this comes a whole machinery of signed and encrypted requests (partly for security and partly for lock-in of course – both are viable for many reasons), so you wouldn’t anyway be able to interpose yourself in the middle and fetch those yourself to wake up the app or retrieve the contents of the notification…


I really like your efforts to avoid such malware-apps. Companies should do it in their own interest, but we all know that this is far from reality. So I can only wish you and all the others that those things don’t become worse.

And thanks for sharing your story.


Excellent read and thank you for sharing it.


I wanted to add something. I bought a “smart” home automation device a while back. It has WiFi and Bluetooth but I firewalled it off from the internet over WiFi. I happened to be going on a long trip and wondered if I could find a way to communicate with it remotely in a secure way. I have a VPN that allows me to connect to my network remotely so I started to think about ways to communicate with the device over Bluetooth. There is an Android app for the device so I ended up spinning up a VM running Android and I passed a Bluetooth dongle through from the host. I could then run the device app and communicate with the device from the VM. I did my best to firewall the VM from the rest of the network, but at the very least Google would have received my public IP address and some information about the VM. And probably more, I’m no network/security expert.

I didn’t end up using that setup because I would have needed a way to interact with the VM console remotely and that didn’t end up being practical. I wondered if there was a way to do automations in Android so that I could send some network packet that would be caught by the Android kernel and trigger some action in the app, but I realized it would be best if that was not possible.

Anyway, another thing to think about at least.

About home automation: I’m reminded of a chapter in Ray Bradbury’s “The Martian Chronicles”, in the chapter called: “There Will Come Soft Rains”.

My employer requires the use of Duo Mobile via my own device, to get into their network on my employer-owned laptop. When I try to use different hardware (mostly different phones) with authentication codes, Duo knows that the hardware on my new phone doesn’t match the previously used hardware and immediately quits cooperating with the authentication process. None of the code-based authentication stuff works at that point.

But I have used a Google Voice service for a few years now. So I just tell Duo to call me at my GV number. That call goes out via forwarding from my GV number to all of my devices, any of which I can answer and press any key to approve to get into the company VPN. Does Microsoft Authenticator not also have such an option? You should at least be able to use ordinary phone forwarding to your Librem 5 number and not need to use Google Voice either.


No. They have a lot of options, but the new system requires only the “Push Notification via Microsoft Authenticator App” option as far as I know, and all the other options don’t work.

I’m working on constructing a QEMU+arm installation that I can push into a rented VPS to sit in the nether cloud infested with Waydroid and whatever Google Services it needs to be infested with to function as my authenticator.

I learned last week that if I sit down at my work laptop needing to log in, and it tells me that I cannot log in until I do the 2 factor auth, from that one factor, the laptop, I can open the Microsoft settings page locally and add a device and then use that device to connect to the work VPN, all from the one factor. So, this Microsoft Authenticator thing really does feel like some security theater comedy thing. I think that the nether cloud will be a good place for it to sit.


So the Waydroid image that dos posted instructions for on the Librem 5 is not using microG? Maybe it would be easier to just install microG there, and use the MS Authenticator app through there?

There are instructions from dos that include adding microG; however, after several attempts I was unable to get that to work.

It might be possible. Though it is even easier to run waydroid -initialize GAPPS instead of clicking the waydroid icon to initialize the waydroid container.

After this, clicking the waydroid icon works fine to launch it.

As an update to this topic, I believe that I have resolved my issue by throwing money at the problem. I went to my personal VPS provider and rented a larger one powerful enough to run Sway+WayVNC+Waydroid in the cloud, and now it is a simple matter of using an SSH tunnel (for an SSH-key-only secure login) followed by the use of vinagre from the Byzantium repos, and this tunnel+VNC connection allows my Liberty Phone to access Microsoft Authenticator in the cloud on the VPS much more quickly than the sickly long boot time required for GAPPS LineageOS Waydroid running directly on a Librem 5. And it all works without putting Google Play services on the Librem device that travels physically with me from place to place.

A key intuition was discovering that my previous understanding that aarch64 was required for Microsoft Authenticator is, in fact, false. Waydroid x86_64 (GAPPS) was somehow able to download and run Microsoft Authenticator just fine, so long as I downloaded from Google Play.


I have thought of doing the same - but just running it at home, on a spare computer, or in a VM on a computer with enough resources to do that.

Would also work with any other Evil Corp’s AS number.

Do you know Authenticator? I recently started using that (on my Librem5) to authenticate with a customer’s system where Microsoft tokens are required.
Your post is quite long, and I did not read it completely.

My employer’s IT department specifically enabled the requirement of push notifications from Microsoft, not simply any TOTP like what Microsoft’s system allows for most use cases.

So although I originally used free software TOTP key generators, I had to stop after the requirements were changed to require push notifications in the app to authenticate rather than simply the TOTP keys.

Buy one of your security people a coffee, let them know that you’re actually security conscious, and ask very nicely if there’s any way you can either purchase a fob that they can enable for your account or to use a standard TOTP or HOTP authenticator. If you worked at my company and weren’t a recurring problem child, then I’d try to help.

The problem with being an exception is that if there’s a problem with you, whoever gave you the exception is going to be in trouble. You have to convince them that you’re not going to be any extra work for them or the help desk.

I don’t want to do any of that and I don’t want to inconvenience them. Running the Android app crap inside of a cloud server that is itself emulating Android is working really well for me. They want to be able to mandate that I use Android, so now I am. My server is in the “cloud,” a nonfree thing in a nonfree cloud that unlocks a nonfree login. Then, on my Liberty Phone where I have the freedom, I send a message to the nonfree cloud Android which sends a message to the nonfree Microsoft silliness, and that way I can do a login.

In this way, I don’t have to buy anyone a coffee. I don’t have to be anyone’s special exception. I’m running Android like they want. Just… not here. Not on the machines that go with me everywhere in my life.
