Microsoft Authenticator, Librem 5, and Security

Why not just leave a five year old phone with the authentication set up on it in your desk drawer? Get a dedicated Google account for only that phone. Take it out of the desk to authenticate when you need to login to your work pc. Then lock it back up in the drawer at the end of the day. Don’t use it for anything else. Uninstall and erase every un-needed thing on it. It never leaves the office nor is it used for anything, except as an authentication tool. No personal data resides on it. It’s the most boaring device that big tech will ever spy on.

Meanwhile, your Librem 5 is alive and well. You carry it everywhere you go. You use it for everything. Your life is invisible to big tech. So you comply with your employers rules. All anyone knows about you is when you login at work each day. It’s like punching a time card. No big deal.

3 Likes

Conceptually, I find that what you are describing is much worse than the solution I am using, in theory:

  • I work remote and sometimes from different locations. The idea you describe would include carrying the GPS-enabled work unlock device to my various locations, thus informing Google of my various locations. I don’t mind informing my employer, but I don’t feel like informing Google. They probably already know via some other inference that I did not yet think of, but they don’t need an additional information source.
  • A proprietary Android device in a desk could potentially be running its microphone and sending home the data to Google. You would tell me, muffled sound in a drawer isn’t very useful. But realistically, that would likely still be potentially some great data.
  • Some of the AI safety people that complain about future problems online said that having 2 nearby WiFi sources can use the interference like how a bat uses echo location to draw a 3D map of the nearby humans, where they are sitting, what they are doing, etc. Having an additional WiFi source nearby in my everyday life increases the ability to detect this kind of interference and potentially map the movement of my fingers, and thereby steal passwords. Being in a drawer doesn’t help the problem much, since WiFi can still pass through

I say all of this, but I do also have an android kept in a faraday cage. On occasion when I want to compare against it, it still exists. And I also still have some other less free technology around. So I do not have everything figured out in general. But I created a world where I can travel with only the Librem 5 if I want, and I have, and it works fine. By contrast, what you’re describing sounds a lot like just accepting the need for submission to having one of existing spyware devices.

As a general concept, if my work handed me a device they created themselves and that stalked me I would most likely allow it, because I am on good terms with my employer and by agreeing to work with them, I want to use what I can of myself to cause their success. My interaction with US government would be similar. But advertising and data collection companies such as Google actively use the information to try to change who I am, or who people around me are. And that sucks, and I don’t want it.

2 Likes

If the authenticator is using TOTP (or HOTP) then in principle it does not need WiFi to be enabled (or any other network connectivity) in order to complete the authentication.

I appreciate that an Android phone with blackbox firmware might not truly allow you to disable WiFi. However you can at least keep it off the WiFi by not giving it the (correct) passphrase - and hence keep it off the local network.

By definition, you wouldn’t put a SIM in the phone but, again, without knowing what evil the Android firmware might get up to, you can’t be certain as to what leakage might be occurring anyway.

Rather than locking it in a drawer, you might keep it powered down when not needed but, again, without knowing what evil the Android firmware might get up to, you can’t be certain as to what leakage might be occurring anyway.

Of course, if the authenticator only needs TOTP/HOTP then you can safely run those algorithms on the Librem 5.

For the moment I am doing what @StevenR suggests (except it is an old iPhone, rather than an old Android phone).

2 Likes

Note that Symantec VIP uses standard TOTP. Someone reverse engineered the communication protocol to do the original communication to obtain the credential/key used to register with your Symantec VIP using institution and has a github project for a python script that implements it.

There is some 4 character code that you need as part of the initial process. Which of the few such codes is needed for a few large institutions are in some blog posts about the github project. So some experimentation may be needed for others.

The bottom line is that once you succeed with the script you can use any TOTP application you like as your 2FA.

I use keepassxc on my laptop. I don’t know what would be good to use on a Librem 5.

2 Likes

It is not using TOTP. It is using Microsoft Authenticator notifications. The only way to receive the notifications is from the Google Play services program, which receives the notification from Google, then spawns the notification in the Microsoft Authenticator app, which can unlock the login when clicked. Or, the corresponding iPhone app can also be used, or so I’m told.

I investigated what it would be like to reverse engineer the notification receiver system, but what I found is that the code is most likely intentionally designed for this kind of reverse engineering to fail. For example, the Google notification property map received to the Android device contains within itself the URL for the Microsoft server to post back to. So, reading the source code alone is insufficient for determining how to mimic an “approval” for the “notification.”

Edit: So, if it was not clear, the process is not TOTP and instead requires an internet connection to both Google and Microsoft.

No. The entire purpose of my solution was that running Waydroid on a spare librem 5 to run the app was already too slow to start up. Similarly, starting an Android device from a powered off state would be a waste of time. The purpose of this system is to log in to work in the morning. Rather than a 30 minute endeavor, it is preferable for it to be an instantaneous approval of the login attempt.

Although Microsoft Authenticator app is capable of the TOTP function, my company turned it off and required that the only permitted manner to log in is with the Push Notification to Unlock, which is incompatible with TOTP and only works through the app. So, all of the things that you are describing, while true in some cases, are not applicable in the original situation for which this thread was created.

3 Likes

This worked well when I tested it on amber: List of Apps that fit and function well [Post them here.] - #253 by amarok

My bank uses that, but I’ve refused to install it. Fortunately, I can use email or SMS 2FA instead. Nice to learn about the workaround you mentioned.

3 Likes

I think I am in the same situation - and I was unfortunately well aware of the distinctions to be made.

My point was that someone might be in the situation of having to use the Microsoft Authenticator but they are allowed to use TOTP, in which case what I said applies.

Annoyingly, I can see that TOTP runs continuously while the Microsoft Authenticator app is being used.

3 Likes

Today was the first day of carrying my Librem 5 with me all day as my daily driver. I am excited about it and want to continue. Although I used my L5 throughout several parts of the day, I carried my Note 9 only to authenticate my duo mobile login. Ironically, today was the first day of my Note 9 being too old to use with Duo mobile. Fortunately, I was already logged in and the app accepted my password. But the option to receive a phone call was gone. So now, I need a new way to authenticate at work, preferrably using my Librem 5.

After some research, I found where the Duo Mobile website said that Linux can not be used on the authentication device. So, against my better judgement, I am considering installing Waydroid on to my L5 so I can run Duo Mobile. Anyone here have any better ideas?

4 Likes

This thread is quite literally a description of how I arrived at my “better idea.”

I observed that when I use waydroid session stop or whatever they tell you, that ps faux | grep waydroid indicated some Waydroid related processes remain running on the device even after I tell the Waydroid to stop. I’m sure there are some technical details there – some seemingly valid excuse for such design, and it probably improves Waydroid performance to be always running – but I only ever installed Waydroid on my Librem 5 once I bought a new one. Thereby, I was only infecting the backup/toy and not my literal phone that I carry with me.

When I need my Android authentication app at work, as described above in this thread, I open the terminal on my Librem 5, connect a secure tunnel (ssh -NL) to forward a port on my cloud server to the local loopback, and then I open a VNC viewer app on the Librem 5 which is a portal into the Waydroid system running on the cloud. This has at least two advantages over actually running Waydroid:

  • It starts up almost instantly because Waydroid and the app I need were already running in the cloud, and all I’m doing is opening a remote VNC connection to view the cloud Waydroid device
  • My physical handset does not need to run Waydroid, ever, and Waydroid has never been installed on it – so Waydroid related processes cannot be “left running” in the background for any reason
  • I can access the Waydroid cloud device from multiple machines, so my authentication is bound to my SSH key for creating the secure tunnel rather than to a single particular handset

The obvious downsides of this, of course, were:

  • Higher setup time than the Waydroid tutorial on Purism’s site, since I literally had to follow that same tutorial but from inside a VPS, and establish my own VNC to that VPS
  • The server I am renting, in order to run sway+wayvnc+Waydroid, is costing me about $300/year because I didn’t want it to lag and I wanted a smooth, clean Waydroid experience that actually works on that remote server
  • The VNC viewer that I use is not fully ported to mobile and doesn’t work super well on Phosh. Honestly it works better on my Librem 14 actually
  • The sway+wayvnc+Waydroid system in the cloud periodically runs out of memory, at a rate of about once per 1.5-2 weeks, crashing the Waydroid instance into a state that requires command line to fix, at least currently. The command line doesn’t work properly and misinterprets keyboard keys from the Librem 5 on screen keyboard, so in order to actually restart the apps on this cloud instance (again about once per 1.5-2 weeks) I have to log in with my Librem 14 and restart sway+wayvnc, then restart Waydroid, which clears out the container back to running again

3 Likes

You should question this. If they just mean “Linux is not supported” then, yes, that goes with the territory.

If they mean that “you have to run some shitty, insecure, unprivate app that is not available for Linux” then there is a problem.

What are the 2FA options with this provider? Is SMS an option? Is email an option? Is TOTP/HOTP an option?

2 Likes

Just read through most of this. Seems like there’s no full way to replace Microsoft Authenticator without going to relative extremes.

This is probably the one barrier I can’t (so far) work around as my company also uses Microsoft to get on to its corporate login as well as now, the project I’m on using an absolute metric tonne of various Microsoft, O365 and AWS verifications.

1 Like

Partly I go to the extreme because I felt like it. If you run Waydroid to run the app locally on the L5, it would probably work. I only ran Waydroid on my 3GB ram version. 4GB ram might run even smoother.

2 Likes

I have been in a similar situation actually, TOTP was working fine with a nice open source, encrypted solution I had spent hours putting together, then one day they changed the rules. Thankfully I didnt end up needing the app, but this is an issue for people in the situation where a sudden change like this happens.

So if some of that stuff in the apps, like “libfacebook” included a low level hardware escape to embed itself, wouldn’t embed into the Librem 5 itself?

I’m curious about this as well. Interesting if Purism could comment. I dont know if the L5 has IOMMU support that might be a way to mitigate it, though there are some “trivial” exploits if interrupt remapping is enabled (see also 1, 2, 3, 4)

I am also curious about the potential danger when flashing the phone from a non-free device, if it can ever really be trusted again 0.0 (though purism does seem to have a secure boot implementation using the pgp smart card)

You also mentioned you are paying a pretty penny for the server, could you possibly in some sort of headless mode, or I think some remote desktop solutions allow you to take a screen shot, so you could get a screen shot of the code sent too via some channel instead of logging in and actually interacting with the app (or some other scripted solution to get the code) making a less performant server tolerable or avoiding the need to actually render anything. Also I think waydroid is designed to be able to run a single app

Im also a bit surprised it does not come with microg by default

Compared to the Vanilla android, this variant seemed sickly and made alert sounds with constant notifications quite literally making a “wee woo wee woo” sound to tell me that Google does not approve of Librem 5.

My server is in the “cloud,” a nonfree thing in a nonfree cloud that unlocks a nonfree login

:laughing: You are my sarcastic paranoid bretherin, your hilarious and appreciated.

1 Like

Maybe so, but what I was saying was also my serious attempt to express the accurate state of things, even if how I chose to describe it might have been a little silly.

1 Like

I agree, I take it seriously, I share many of your opinions, I didn’t mean to indicate otherwise, sorry if it sounded like I dont.

1 Like

In my case, the app does not provide an unlock code. Instead, the app contains an in-app button, which itself fires back the message to Microsoft/Google to unlock.

My general impression was that the work upgrade to this new system came at exactly the worst time for me, when I didn’t want it and my Liberty Phone had recently arrived and instead I wished to celebrate furthering my venture into this space rather than to be kicked out. So I spent quite a long time trying to figure what hackery could be accomplished by decompiling this app and mimicking it. But Microsoft and Google have more money than me, and could at every step construct systems with intention to thwart anyone who would not use the actual Android app. I do not have interest in further attempts to investigate the possibility of reverse engineering this thing, unless perhaps if my existing solution ceases to function. The time cost, when I could do something else with my life, did not feel worthwhile. That isn’t to say that everything I do in my life is a good use of time; certainly many things are not. But if you’re going to investigate reversing this app to create a command line mimic, you’re going to have to do it without me for the time being.

Edit:
That’s not because I don’t want it. It’s because the people on the other side are conscious. They might be reading this, having boardroom meetings about how to kill off what they see described in this topic. In this case, their evil is done with intention. If it were not, MICROSOFT would allow us to authenticate using WINDOWS in order to promote the idea that WINDOWS was secure and/or worth buying. I own an EXPENSIVE MICROSOFT SURFACE that they are effectively telling me is not sufficiently secure to DO A BASIC LOGIN. [Yeah it’s evil nonfree tech, that’s a whole other problem in my life, but whatever.]

So, anyway, we are seeing either (1) maliciousness, or (2) negligence.

The extraordinary complexity of the app’s internals gives rise to me having the belief that of the two, we are seeing #1. If you reverse their app and build a replica, they will do an update to kill your replica. We’re talking about creating a potentially lifelong job for a free software enthusiast, and simply for the purpose of logging into work in a way that their employer can trust. If they jump in and take it seriously they wouldn’t be doing their job and would lose the position, and if they don’t take it seriously then they’ll fall behind in maintaining their anti-malicous-ness tool.

So I really do think that for me the best solution is emulation & faux submission. They can have security through obscurity by requiring the user to effectively execute an insane hodgepodge of decision networks too complex to mimic, but they probably can’t detect if the application is running on an Android that is “simulated” or not, because if they could detect that then we would just build a better simulator and that’s a more broad worthwhile endeavor that’s more likely for many people to be interested in and to possibly collaborate on.

2 Likes

In my case, the app does not provide an unlock code. Instead, the app contains an in-app button, which itself fires back the message to Microsoft/Google to unlock.

Didn’t realize that, I thought i provided a code through this system that was visible too the user.

This sounds similar to google’s 2fa with android where if you try to sign into a google account it wont exactly send a code but will display 3 numbers and you have to tap the correct one on your android device. I wonder if it uses a similar architecture :thinking:

That is quite frustrating, it is unfortunate that IT departments expect these sorts of things on personal devices or on personal networks. I do get that a lot of programs need windows and users are use to windows, but I am not sure I get depth of the total investment of so many IT departments into Microsoft/Windows.

I do not have interest in further attempts to investigate the possibility of reverse engineering this thing

Rather than the app/protocol I was more thinking waydroid might have some sort of headless solution especially where a code is not displayed graphically, so the app could be run without modification just with less resources and maybe a few scripts/input replays could be used to interact with it. But I really wouldn’t want to put much more time into this either.

If you reverse their app and build a replica, they will do an update to kill your replica

Yep

1 Like

Sorry to interrupt again in a technical / productive discussion, but for a newbie like me about to receive a Librem 5, is there an easy way to get Authenticator or an alternative setup running on the Librem 5?

I know running Android apps is a no-go, and even if it were possible, it totally defeats the purpose of having a privacy respecting free-phone.

I was wondering if there was some sort of open source alternative that can scan the QR code needed to be scanned by my work? I don’t know if they have ultra-strict setup requirements. I know we can’t access email on our own external laptops / computers but we can access it via InTune on personal iOS / Android phones.

1 Like

I’ve briefly tested this one (OTPclient): List of Apps that fit and function well [Post them here.] - #253 by amarok

I believe several forum members have mentioned others that work.

2 Likes

If I open up the Camera app that came installed by default on my Librem 5, and point it at a QR code such as to access the menu at a restaurant, the QR code highlights in blue and when I click it the menu opens in the default browser.

Gnome Authenticator exists but I had trouble with it. For websites using generic TOTP 2FA such as GitHub, JetBrains, 1password, and Codeberg, I have a command line solution. I installed oathtool with apt. I have a 2FA folder with my secret keys and a shell script for each site, which generates a 6 digit code based on the needs of that site. For example:

codeberg.sh:

#!/bin/bash
oathtool -b --totp=SHA1 @codeberg.txt

Running the script for the given site outputs an instance of the required 6 digits.

Unfortunately, the Microsoft Authenticator for my work stopping accepted this, because Microsoft are evil and allow IT administrators to require users to do Android/iOS push notifications.

Anyhow, having a command to power my 2FA means I can easily transfer my secure keys and the power to use them into any device, or build a GUI that would display this information, all with relative ease.

3 Likes