Microsoft Authenticator, Librem 5, and Security

No. They have a lot of options, but the new system requires only the “Push Notification via Microsoft Authenticator App” option as far as I know, and all the other options don’t work.

I’m working on constructing a QEMU+arm installation that I can push into a rented VPS to sit in the nether cloud infested with Waydroid and whatever Google Services it needs to be infested with to function as my authenticator.

I learned last week that if I sit down at my work laptop needing to log in, and it tells me that I cannot log in until I do the 2 factor auth, from that one factor the laptop I can open the microsoft settings page locally and add a device and then use that device to connect to the work VPN all from the one factor. So, this Microsoft Authenticator thing really does feel like some security theater comedy thing. I think that the nether cloud will be a good place for it to sit.

4 Likes

So the waydroid image that DOS posted instructions for on the Librem 5 is not using microG? Maybe it would be easier to just install microG there, and use the MS Authenticator app through there?

1 Like

There are instructions from dos that include adding microg however after several attempts I was unable to get that to work.

It might be possible. Though it is even easier to run waydroid -initialize GAPPS instead of clicking the waydroid icon to initialize the waydroid container.

After this, clicking the waydroid icon works fine to launch it.

1 Like

As an update to this topic, I believe that I have resolved my issue by throwing money at the problem. I went to my personal VPS provider and rented a larger one powerful enough to run Sway+WayVNC+Waydroid in the cloud, and now it is a simple matter of using an SSH tunnel (for an ssh key only secure login) followed by the use of vinagre from the Byzantium repos, and this tunnel+VNC connection allows my Liberty Phone to access Microsoft Authenticator in the cloud on the VPS much more quickly than the sickly long boot time required for GAPPS LineageOS Waydroid running directly on a Librem 5. And it all works without putting Google Play services on the Librem device that travels physically with me from place to place.

A key intuition was discovering that my previous understanding that aarch64 was required for Microsoft Authenticator is, in fact, false. Waydroid x86_64 (GAPPS) was somehow able to download and run Microsoft Authenticator just fine, so long as I downloaded from Google Play.

6 Likes

I have thought of doing the same - but just running it at home, on a spare computer, or in a VM on a computer with enough resources to do that.

1 Like

Would also work with any other Evil Corp’s AS number. 🙂

2 Likes

Do you know Authenticator? I recently started using that (on my Librem5) to authenticate with a customer’s system where Microsoft tokens are required.
Your post is quite long, and I did not read it completely.

3 Likes

My employer’s IT department specifically enabled the requirement of push notifications from Microsoft, not simply any TOTP like what Microsoft’s system allows for most use cases.

So although I originally used free software TOTP key generators, I had to stop after the requirements were changed to require push notifications in the app to authenticate rather than simply the TOTP keys.

1 Like

Buy one of your security people a coffee, let them know that you’re actually security conscious, and ask very nicely if there’s any way you can either purchase a fob that they can enable for your account or to use a standard TOTP or HOTP authenticator. If you worked at my company and weren’t a recurring problem child, then I’d try to help.

The problem with being an exception is that if there’s a problem with you, whoever gave you the exception is going to be in trouble. You have to convince them that you’re not going to be any extra work for them or the help desk.

3 Likes

I don’t want to do any of that and I don’t want to inconvenience them. Running the Android app crap inside of a cloud server that is itself emulating Android is working really well for me. They want to be able to mandate that I use Android, so now I am. My server is in the “cloud,” a nonfree thing in a nonfree cloud that unlocks a nonfree login. Then, on my Liberty Phone where I have the freedom, I send a message to the nonfree cloud Android which sends a message to the nonfree Microsoft silliness, and that way I can do a login.

In this way, I don’t have to buy anyone a coffee. I don’t have to be anyone’s special exception. I’m running Android like they want. Just… not here. Not on the machines that go with me everywhere in my life.

6 Likes

Why not just leave a five year old phone with the authentication set up on it in your desk drawer? Get a dedicated Google account for only that phone. Take it out of the desk to authenticate when you need to login to your work pc. Then lock it back up in the drawer at the end of the day. Don’t use it for anything else. Uninstall and erase every un-needed thing on it. It never leaves the office nor is it used for anything, except as an authentication tool. No personal data resides on it. It’s the most boring device that big tech will ever spy on.

Meanwhile, your Librem 5 is alive and well. You carry it everywhere you go. You use it for everything. Your life is invisible to big tech. So you comply with your employer’s rules. All anyone knows about you is when you login at work each day. It’s like punching a time card. No big deal.

3 Likes

Conceptually, I find that what you are describing is much worse than the solution I am using, in theory:

  • I work remote and sometimes from different locations. The idea you describe would include carrying the GPS-enabled work unlock device to my various locations, thus informing Google of my various locations. I don’t mind informing my employer, but I don’t feel like informing Google. They probably already know via some other inference that I did not yet think of, but they don’t need an additional information source.
  • A proprietary Android device in a desk could potentially be running its microphone and sending home the data to Google. You would tell me, muffled sound in a drawer isn’t very useful. But realistically, that would likely still be potentially some great data.
  • Some of the AI safety people that complain about future problems online said that having 2 nearby WiFi sources can use the interference like how a bat uses echo location to draw a 3D map of the nearby humans, where they are sitting, what they are doing, etc. Having an additional WiFi source nearby in my everyday life increases the ability to detect this kind of interference and potentially map the movement of my fingers, and thereby steal passwords. Being in a drawer doesn’t help the problem much, since WiFi can still pass through.

I say all of this, but I do also have an android kept in a faraday cage. On occasion when I want to compare against it, it still exists. And I also still have some other less free technology around. So I do not have everything figured out in general. But I created a world where I can travel with only the Librem 5 if I want, and I have, and it works fine. By contrast, what you’re describing sounds a lot like just accepting the need for submission to having one of existing spyware devices.

As a general concept, if my work handed me a device they created themselves and that stalked me I would most likely allow it, because I am on good terms with my employer and by agreeing to work with them, I want to use what I can of myself to cause their success. My interaction with US government would be similar. But advertising and data collection companies such as Google actively use the information to try to change who I am, or who people around me are. And that sucks, and I don’t want it.

2 Likes

If the authenticator is using TOTP (or HOTP) then in principle it does not need WiFi to be enabled (or any other network connectivity) in order to complete the authentication.

I appreciate that an Android phone with blackbox firmware might not truly allow you to disable WiFi. However you can at least keep it off the WiFi by not giving it the (correct) passphrase - and hence keep it off the local network.

By definition, you wouldn’t put a SIM in the phone but, again, without knowing what evil the Android firmware might get up to, you can’t be certain as to what leakage might be occurring anyway.

Rather than locking it in a drawer, you might keep it powered down when not needed but, again, without knowing what evil the Android firmware might get up to, you can’t be certain as to what leakage might be occurring anyway.

Of course, if the authenticator only needs TOTP/HOTP then you can safely run those algorithms on the Librem 5.

For the moment I am doing what @StevenR suggests (except it is an old iPhone, rather than an old Android phone).

2 Likes

Note that Symantec VIP uses standard TOTP. Someone reverse engineered the communication protocol to do the original communication to obtain the credential/key used to register with your Symantec VIP using institution and has a github project for a python script that implements it.

There is some 4 character code that you need as part of the initial process. Which of the few such codes is needed for a few large institutions are in some blog posts about the github project. So some experimentation may be needed for others.

The bottom line is that once you succeed with the script you can use any TOTP application you like as your 2FA.

I use keepassxc on my laptop. I don’t know what would be good to use on a Librem 5.

2 Likes

It is not using TOTP. It is using Microsoft Authenticator notifications. The only way to receive the notifications is from the Google Play services program, which receives the notification from Google, then spawns the notification in the Microsoft Authenticator app, which can unlock the login when clicked. Or, the corresponding iPhone app can also be used, or so I’m told.

I investigated what it would be like to reverse engineer the notification receiver system, but what I found is that the code is most likely intentionally designed for this kind of reverse engineering to fail. For example, the Google notification property map received to the Android device contains within itself the URL for the Microsoft server to post back to. So, reading the source code alone is insufficient for determining how to mimic an “approval” for the “notification.”

Edit: So, if it was not clear, the process is not TOTP and instead requires an internet connection to both Google and Microsoft.

No. The entire purpose of my solution was that running Waydroid on a spare librem 5 to run the app was already too slow to start up. Similarly, starting an Android device from a powered off state would be a waste of time. The purpose of this system is to log in to work in the morning. Rather than a 30 minute endeavor, it is preferable for it to be an instantaneous approval of the login attempt.

Although Microsoft Authenticator app is capable of the TOTP function, my company turned it off and required that the only permitted manner to log in is with the Push Notification to Unlock, which is incompatible with TOTP and only works through the app. So, all of the things that you are describing, while true in some cases, are not applicable in the original situation for which this thread was created.

3 Likes

This worked well when I tested it on amber: List of Apps that fit and function well [Post them here.] - #253 by amarok

My bank uses that, but I’ve refused to install it. Fortunately, I can use email or SMS 2FA instead. Nice to learn about the workaround you mentioned.

3 Likes

I think I am in the same situation - and I was unfortunately well aware of the distinctions to be made.

My point was that someone might be in the situation of having to use the Microsoft Authenticator but they are allowed to use TOTP, in which case what I said applies.

Annoyingly, I can see that TOTP runs continuously while the Microsoft Authenticator app is being used.

3 Likes

Today was the first day of carrying my Librem 5 with me all day as my daily driver. I am excited about it and want to continue. Although I used my L5 throughout several parts of the day, I carried my Note 9 only to authenticate my Duo Mobile login. Ironically, today was the first day of my Note 9 being too old to use with Duo Mobile. Fortunately, I was already logged in and the app accepted my password. But the option to receive a phone call was gone. So now, I need a new way to authenticate at work, preferably using my Librem 5.

After some research, I found where the Duo Mobile website said that Linux can not be used on the authentication device. So, against my better judgement, I am considering installing Waydroid on to my L5 so I can run Duo Mobile. Anyone here have any better ideas?

4 Likes

This thread is quite literally a description of how I arrived at my “better idea.”

I observed that when I use waydroid session stop or whatever they tell you, that ps faux | grep waydroid indicated some Waydroid related processes remain running on the device even after I tell the Waydroid to stop. I’m sure there are some technical details there – some seemingly valid excuse for such design, and it probably improves Waydroid performance to be always running – but I only ever installed Waydroid on my Librem 5 once I bought a new one. Thereby, I was only infecting the backup/toy and not my literal phone that I carry with me.

When I need my Android authentication app at work, as described above in this thread, I open the terminal on my Librem 5, connect a secure tunnel (ssh -NL) to forward a port on my cloud server to the local loopback, and then I open a VNC viewer app on the Librem 5 which is a portal into the Waydroid system running on the cloud. This has at least two advantages over actually running Waydroid:

  • It starts up almost instantly because Waydroid and the app I need were already running in the cloud, and all I’m doing is opening a remote VNC connection to view the cloud Waydroid device
  • My physical handset does not need to run Waydroid, ever, and Waydroid has never been installed on it – so Waydroid related processes cannot be “left running” in the background for any reason
  • I can access the Waydroid cloud device from multiple machines, so my authentication is bound to my SSH key for creating the secure tunnel rather than to a single particular handset

The obvious downsides of this, of course, were:

  • Higher setup time than the Waydroid tutorial on Purism’s site, since I literally had to follow that same tutorial but from inside a VPS, and establish my own VNC to that VPS
  • The server I am renting, in order to run sway+wayvnc+Waydroid, is costing me about $300/year because I didn’t want it to lag and I wanted a smooth, clean Waydroid experience that actually works on that remote server
  • The VNC viewer that I use is not fully ported to mobile and doesn’t work super well on Phosh. Honestly it works better on my Librem 14 actually
  • The sway+wayvnc+Waydroid system in the cloud periodically runs out of memory, at a rate of about once per 1.5-2 weeks, crashing the Waydroid instance into a state that requires command line to fix, at least currently. The command line doesn’t work properly and misinterprets keyboard keys from the Librem 5 on screen keyboard, so in order to actually restart the apps on this cloud instance (again about once per 1.5-2 weeks) I have to log in with my Librem 14 and restart sway+wayvnc, then restart Waydroid, which clears out the container back to running again

3 Likes

You should question this. If they just mean “Linux is not supported” then, yes, that goes with the territory.

If they mean that “you have to run some shitty, insecure, unprivate app that is not available for Linux” then there is a problem.

What are the 2FA options with this provider? Is SMS an option? Is email an option? Is TOTP/HOTP an option?

2 Likes