Microsoft Authenticator, Librem 5, and Security

Today was the first day of carrying my Librem 5 with me all day as my daily driver. I am excited about it and want to continue. Although I used my L5 throughout several parts of the day, I carried my Note 9 only to authenticate my Duo Mobile login. Ironically, today was the first day of my Note 9 being too old to use with Duo Mobile. Fortunately, I was already logged in and the app accepted my password. But the option to receive a phone call was gone. So now, I need a new way to authenticate at work, preferably using my Librem 5.

After some research, I found where the Duo Mobile website said that Linux cannot be used on the authentication device. So, against my better judgement, I am considering installing Waydroid onto my L5 so I can run Duo Mobile. Anyone here have any better ideas?

4 Likes

This thread is quite literally a description of how I arrived at my “better idea.”

I observed that when I use waydroid session stop or whatever they tell you, that ps faux | grep waydroid indicated some Waydroid related processes remain running on the device even after I tell the Waydroid to stop. I’m sure there are some technical details there – some seemingly valid excuse for such design, and it probably improves Waydroid performance to be always running – but I only ever installed Waydroid on my Librem 5 once I bought a new one. Thereby, I was only infecting the backup/toy and not my literal phone that I carry with me.

When I need my Android authentication app at work, as described above in this thread, I open the terminal on my Librem 5, connect a secure tunnel (ssh -NL) to forward a port on my cloud server to the local loopback, and then I open a VNC viewer app on the Librem 5 which is a portal into the Waydroid system running on the cloud. This has at least two advantages over actually running Waydroid:

  • It starts up almost instantly because Waydroid and the app I need were already running in the cloud, and all I’m doing is opening a remote VNC connection to view the cloud Waydroid device
  • My physical handset does not need to run Waydroid, ever, and Waydroid has never been installed on it – so Waydroid related processes cannot be “left running” in the background for any reason
  • I can access the Waydroid cloud device from multiple machines, so my authentication is bound to my SSH key for creating the secure tunnel rather than to a single particular handset

The obvious downsides of this, of course, were:

  • Higher setup time than the Waydroid tutorial on Purism’s site, since I literally had to follow that same tutorial but from inside a VPS, and establish my own VNC to that VPS
  • The server I am renting, in order to run sway+wayvnc+Waydroid, is costing me about $300/year because I didn’t want it to lag and I wanted a smooth, clean Waydroid experience that actually works on that remote server
  • The VNC viewer that I use is not fully ported to mobile and doesn’t work super well on Phosh. Honestly it works better on my Librem 14 actually
  • The sway+wayvnc+Waydroid system in the cloud periodically runs out of memory, at a rate of about once per 1.5-2 weeks, crashing the Waydroid instance into a state that requires command line to fix, at least currently. The command line doesn’t work properly and misinterprets keyboard keys from the Librem 5 on screen keyboard, so in order to actually restart the apps on this cloud instance (again about once per 1.5-2 weeks) I have to log in with my Librem 14 and restart sway+wayvnc, then restart Waydroid, which clears out the container back to running again

3 Likes

You should question this. If they just mean “Linux is not supported” then, yes, that goes with the territory.

If they mean that “you have to run some shitty, insecure, unprivate app that is not available for Linux” then there is a problem.

What are the 2FA options with this provider? Is SMS an option? Is email an option? Is TOTP/HOTP an option?

2 Likes

Just read through most of this. Seems like there’s no full way to replace Microsoft Authenticator without going to relative extremes.

This is probably the one barrier I can’t (so far) work around as my company also uses Microsoft to get on to its corporate login as well as now, the project I’m on using an absolute metric tonne of various Microsoft, O365 and AWS verifications.

1 Like

Partly I go to the extreme because I felt like it. If you run Waydroid to run the app locally on the L5, it would probably work. I only ran Waydroid on my 3 GB RAM version. 4 GB RAM might run even smoother.

2 Likes

I have been in a similar situation actually, TOTP was working fine with a nice open source, encrypted solution I had spent hours putting together, then one day they changed the rules. Thankfully I didn't end up needing the app, but this is an issue for people in the situation where a sudden change like this happens.

So if some of that stuff in the apps, like “libfacebook”, included a low level hardware escape to embed itself, wouldn't it embed into the Librem 5 itself?

I’m curious about this as well. Interesting if Purism could comment. I don't know if the L5 has IOMMU support, that might be a way to mitigate it, though there are some “trivial” exploits if interrupt remapping is enabled (see also 1, 2, 3, 4)

I am also curious about the potential danger when flashing the phone from a non-free device, if it can ever really be trusted again 0.0 (though Purism does seem to have a secure boot implementation using the PGP smart card)

You also mentioned you are paying a pretty penny for the server; could you possibly run it in some sort of headless mode, or (I think some remote desktop solutions allow you to take a screenshot) get a screenshot of the code sent to you via some channel instead of logging in and actually interacting with the app (or some other scripted solution to get the code), making a less performant server tolerable or avoiding the need to actually render anything? Also I think Waydroid is designed to be able to run a single app

I'm also a bit surprised it does not come with microG by default

Compared to the Vanilla android, this variant seemed sickly and made alert sounds with constant notifications quite literally making a “wee woo wee woo” sound to tell me that Google does not approve of Librem 5.

My server is in the “cloud,” a nonfree thing in a nonfree cloud that unlocks a nonfree login

:laughing: You are my sarcastic paranoid brethren, you're hilarious and appreciated.

1 Like

Maybe so, but what I was saying was also my serious attempt to express the accurate state of things, even if how I chose to describe it might have been a little silly.

1 Like

I agree, I take it seriously, I share many of your opinions, I didn’t mean to indicate otherwise, sorry if it sounded like I don't.

1 Like

In my case, the app does not provide an unlock code. Instead, the app contains an in-app button, which itself fires back the message to Microsoft/Google to unlock.

My general impression was that the work upgrade to this new system came at exactly the worst time for me, when I didn’t want it and my Liberty Phone had recently arrived and instead I wished to celebrate furthering my venture into this space rather than to be kicked out. So I spent quite a long time trying to figure out what hackery could be accomplished by decompiling this app and mimicking it. But Microsoft and Google have more money than me, and could at every step construct systems with intention to thwart anyone who would not use the actual Android app. I do not have interest in further attempts to investigate the possibility of reverse engineering this thing, unless perhaps if my existing solution ceases to function. The time cost, when I could do something else with my life, did not feel worthwhile. That isn’t to say that everything I do in my life is a good use of time; certainly many things are not. But if you’re going to investigate reversing this app to create a command line mimic, you’re going to have to do it without me for the time being.

Edit:
That’s not because I don’t want it. It’s because the people on the other side are conscious. They might be reading this, having boardroom meetings about how to kill off what they see described in this topic. In this case, their evil is done with intention. If it were not, MICROSOFT would allow us to authenticate using WINDOWS in order to promote the idea that WINDOWS was secure and/or worth buying. I own an EXPENSIVE MICROSOFT SURFACE that they are effectively telling me is not sufficiently secure to DO A BASIC LOGIN. [Yeah it’s evil nonfree tech, that’s a whole other problem in my life, but whatever.]

So, anyway, we are seeing either (1) maliciousness, or (2) negligence.

The extraordinary complexity of the app’s internals gives rise to me having the belief that of the two, we are seeing #1. If you reverse their app and build a replica, they will do an update to kill your replica. We’re talking about creating a potentially lifelong job for a free software enthusiast, and simply for the purpose of logging into work in a way that their employer can trust. If they jump in and take it seriously they wouldn’t be doing their job and would lose the position, and if they don’t take it seriously then they’ll fall behind in maintaining their anti-malicious-ness tool.

So I really do think that for me the best solution is emulation & faux submission. They can have security through obscurity by requiring the user to effectively execute an insane hodgepodge of decision networks too complex to mimic, but they probably can’t detect if the application is running on an Android that is “simulated” or not, because if they could detect that then we would just build a better simulator and that’s a more broad worthwhile endeavor that’s more likely for many people to be interested in and to possibly collaborate on.

2 Likes

In my case, the app does not provide an unlock code. Instead, the app contains an in-app button, which itself fires back the message to Microsoft/Google to unlock.

Didn’t realize that, I thought it provided a code through this system that was visible to the user.

This sounds similar to Google’s 2FA with Android where if you try to sign into a Google account it won't exactly send a code but will display 3 numbers and you have to tap the correct one on your Android device. I wonder if it uses a similar architecture :thinking:

That is quite frustrating, it is unfortunate that IT departments expect these sorts of things on personal devices or on personal networks. I do get that a lot of programs need Windows and users are used to Windows, but I am not sure I get the depth of the total investment of so many IT departments into Microsoft/Windows.

I do not have interest in further attempts to investigate the possibility of reverse engineering this thing

Rather than the app/protocol I was more thinking waydroid might have some sort of headless solution especially where a code is not displayed graphically, so the app could be run without modification just with less resources and maybe a few scripts/input replays could be used to interact with it. But I really wouldn’t want to put much more time into this either.

If you reverse their app and build a replica, they will do an update to kill your replica

Yep

1 Like

Sorry to interrupt again in a technical / productive discussion, but for a newbie like me about to receive a Librem 5, is there an easy way to get Authenticator or an alternative setup running on the Librem 5?

I know running Android apps is a no-go, and even if it were possible, it totally defeats the purpose of having a privacy respecting free-phone.

I was wondering if there was some sort of open source alternative that can scan the QR code needed to be scanned by my work? I don’t know if they have ultra-strict setup requirements. I know we can’t access email on our own external laptops / computers but we can access it via Intune on personal iOS / Android phones.

1 Like

I’ve briefly tested this one (OTPclient): List of Apps that fit and function well [Post them here.] - #253 by amarok

I believe several forum members have mentioned others that work.

2 Likes

If I open up the Camera app that came installed by default on my Librem 5, and point it at a QR code such as to access the menu at a restaurant, the QR code highlights in blue and when I click it the menu opens in the default browser.

GNOME Authenticator exists but I had trouble with it. For websites using generic TOTP 2FA such as GitHub, JetBrains, 1Password, and Codeberg, I have a command line solution. I installed oathtool with apt. I have a 2FA folder with my secret keys and a shell script for each site, which generates a 6 digit code based on the needs of that site. For example:

codeberg.sh:

#!/bin/bash
# -b: the key in codeberg.txt is base32 encoded; @codeberg.txt reads the key from that file.
# SHA1 with oathtool's default 30 second step and 6 digits matches the usual site TOTP setup.
oathtool -b --totp=SHA1 @codeberg.txt

Running the script for the given site outputs an instance of the required 6 digits.

Unfortunately, the Microsoft Authenticator for my work stopped accepting this, because Microsoft are evil and allow IT administrators to require users to do Android/iOS push notifications.

Anyhow, having a command to power my 2FA means I can easily transfer my secure keys and the power to use them into any device, or build a GUI that would display this information, all with relative ease.

3 Likes
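What that script computes, as an added example that is not code from the thread: a Python implementation of the same TOTP (RFC 6238) derivation oathtool performs, plus the verifier-side check with a clock-drift window that the site runs on its end. It assumes the secret is stored base32 encoded as in codeberg.txt; the key used here is the RFC 6238 reference key, a constructed value.

```python
# Added example, not from the thread: the TOTP (RFC 6238) computation that
# "oathtool -b --totp=SHA1 @codeberg.txt" performs, so the same base32 secret
# file can be used from any device or behind a small GUI. The secret below is
# the RFC 6238 reference key, a constructed value; no real account is involved.
import base64
import hmac
import struct
import time
from typing import Optional

def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret the way oathtool's -b flag does: tolerate
    spaces, lowercase and missing '=' padding (QR payloads often omit it)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(decode_base32_secret(secret_b32), int(now // step), digits, algo)

def verify_totp(secret_b32: str, candidate: str, at: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Verifier-side check: accept the current step and +/- `window` steps of
    clock drift, comparing each code in constant time."""
    now = time.time() if at is None else at
    key = decode_base32_secret(secret_b32)
    base = int(now // step)
    return any(hmac.compare_digest(hotp(key, base + d, digits), candidate)
               for d in range(-window, window + 1))

# RFC 6238 reference key "12345678901234567890" encoded in base32 (constructed).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59, digits=8))  # RFC 6238 vector: 94287082
    print(totp(RFC_TEST_SECRET))  # the 6 digits codeberg.sh would print now
```

The 6-digit code for a site is the 8-digit RFC value with its leading two digits dropped, which is why a secret moved between oathtool, this script and a GUI yields identical codes as long as the clocks agree.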

I never used QR yet, but I thought the link would be displayed and I could choose to open it or copy it (to edit it if needed). Was I wrong about that? (Sorry for off-topic question.)

1 Like

The link shows but is difficult to read due to blue text. There was probably a button to copy it instead of opening it directly but I’m forgetting off the top of my head. Primarily my point was that it is functional, and has worked fine for me, if we look at it from an ease of use perspective rather than a security perspective.

This does not necessitate that all QR codes will work, but it means there is at least one case that will.

2 Likes

I know right. It was just a question that came up to me, thanks for replying.

1 Like

Seconded.

Unfortunately this is an app that, for now, remains on an old iPhone.

1 Like

It seems we really are stuck in the system with things like this. Most corporate jobs will require logging into some kind of usually Microsoft infrastructure. And yet they are ‘good boys’ in the eyes of the tech press with adding Linux to Windows etc a while back… But as an end user, one rooted in Apple, they did sh*tty things like removing the watch app for quickly tapping the authenticator number… I mean why have it, existing and working then remove it… If I stay on Apple, I can’t wait to completely ditch Authenticator for its upcoming password manager app.

1 Like

So far, I’ve been able to take a hard stance of, “If you want me to use a phone for work, then you provide the phone.”

7 Likes

They provide me with one, a £150 Samsung, but I’ve always put their SIM in my iPhone and used the eSIM for my personal number to avoid me having to carry their Android phone as I don’t want Google spyware in my pocket

1 Like