AndroidFuck em. I just got grapheneOS and I advised my workplace we will need a workaround for authenticator.
I mean...okay?
I have a work phone for this exact reason.
work phone stays on my desk. I have removed the microphones. I turn it on at the start of every day, and turn it off at the end of every day.
good luck with that plan Microslop. looks like Microslop is trending too!
Oh no
Anyway
Microslop authenticator might not work for my zero Microslop accounts, lack of Microslop sloperating system, OR their piece of shit cloud platform that I refuse to touch?
WHAT WILL I DO
That doesn't make sense to me, afaiu :
GrapheneOS is NOT rooted by default, and they explicit recommend NOT to do it, because it invalidates a huge part of their privacy guarantees.
Use Aegis.
The MS Authenticator contains analytics & telemetry & way too many permissions and should not be used: https://reports.exodus-privacy.eu.org/en/reports/com.azure.authenticator/latest/ (it looks more like a scam than legitimate, but that's exactly what Microslop is in 2026...)
For comparison, Aegis is a legitimate app that only does what it should do: https://reports.exodus-privacy.eu.org/en/reports/com.beemdevelopment.aegis/latest/#permissions
Any other authenticator also works with any MS service so there's no reason at all to use the MS Authenticator unless you like handing over more data to MS for no reason. EDIT: According to comments, your company might have the option to enforce usage of MS Authenticator only. But this doesn't seem to be the default, at least in Germany where I've heard from 2 sources that they can use any authenticator app for M365 for example.
By the way, Graphene OS is NOT rooted, but what does truth or sane app behavior even mean anymore for Microslop in 2026... Just stop using that garbage.
Agree for personal use.
Professionally I've had situations where Ms authenticator was the only option because the only 2FA they allow is push notifications on the authenticator app. :(
I even used freeotp+ for my ORG 2FA and aegis for my personal so I could easily keep them split ( and you can export / securely store the backups somewhere ).
Time to get corps to ditch Microsoft >.>
Professionally I’ve had situations where Ms authenticator was the only option because the only 2FA they allow is push notifications on the authenticator app.
If a company requires me to install specific apps that may or may not work on my device, I expect that company to provide me with a device that can be set up for their stuff.
I've run two separate phones for nearly 15 years now: my personal phone, and a work-issued phone. The work phone is turned off and left on my night stand as soon as I get home, and only turned on again when I'm getting ready to go back to work. I don't carry it 24/7 as some have been led to believe, for some reason. It's really nice to have that separation. And work pays for it.
We do need to get corps to move away from closed source protocols like MS, Google, Meta and others push notifications though. Those are not in anyway safer and are just basically trap to force people to use their apps
Anybody have a good reason to not use Authy? I've seen Aegis mentioned quite a bit but nobody supporting/dunking on Authy. I thought they were one of the more popular choices.
Authy is closed source and owned by Twilio, a publicly-traded company.
Aegis is FOSS.
Do what you will with this info.
Authy also doesn't work on GrapheneOS.
EDIT: And Authy scrapped their desktop apps. I'm using ente instead.
https://f-droid.org/packages/io.ente.auth/
That makes sense. Thanks! I don't use graphene but I do use authy and wondered if I should be reconsidering my choices 😅
That's fine.
Any job that wants you to use certain software can provide a device it'll run on for you.
Yep! You want me to use your microslop on your hardware at your company, fine.
A company that has you use your personal device is an awful company and huge red flags in terms of privacy.
Amen to that. Even if your computers will run it, provide the device. I'm not installing shit on my home computers.
My job has suggested it to me. I say "you know how all these computers run Windows?" They nod. "Mine doesn't. It's a Mac." That usually shuts them up. Never mind that most of what we run will, in fact, run on a Mac, and there's very little a shitty Wintel box mass produced for the enterprise can do that my Mac can't do. I mean, I can run Deus Ex natively on the work computer, if I wanna catch hell for it. (But it would be fucking hilarious, especially if I'm at the part where JC Denton hands in his "resignation.")
and it goes in an old microwave in the laundry room when not in use. right? this isn't crazy in this day and age is it?
IS IT???
Trunk of the car is fine if you just head straight home. That's out of mic range. And your employer is going to know your home address anyway so location access is whatever.
Bring it inside when you go on a road trip.
Interesting considering grapheneOS does not actually support rooting.
This is the thing that kills me about the corporate anti-GrapheneOS sentiment. It is 100% a more secure phone, and yet every measure they implement against it cites security as a reason. Total and absolute bullshit.
Because it isn't really about security. It is about control.
I mean, they argue against rooted phones as a security reason, but my rooted phones used to be much more secure than they were when they were stock.
Just more of the same idiots ruining shit for everybody.
So win win.
Unfortunately not for me. I use Graphene and my company uses M$croslop.
Work stuff should be on a work phone.
I don't understand why either the worker or the company would ever allow the use of personal devices for work.
Because they are cheap and their tech lead is probably incompetent.
This is Walmart in a nutshell. A majority of the work phones at my store (used for stuff like inventory management) are Samsung Galaxy XCover Pros from like 2016. They were trash the day they released and they're especially trash now. The company is very slowly replacing them with Pixel 8s (like one every six months comes in). It is legitimately frustrating.
Why pixel 8 in particular? Wouldn't an A series pixel be cheaper.
Some businesses don't pay for phones but agreed
That's their point. If the company requires you to use a phone, they need to provide it.
They can also just let you go for someone else who has no clue about this and gladly would use their private phone for work. Depends on the job and company, of course.
That's dangerous thinking; "if I don't then someone else will." That's a common excuse that thieves use. And it's you doing the work of your oppressor.
Standing up for what you believe in isn't always easy, but it's always the right choice.
You don't want to work for a cheap company.
my work pays my cell phone bill if I install Microsoft teams, and frankly that's a pretty good deal
With that money, get a second one and it's it only during work ours. Doesn't even need connection, use WiFi of tethering.
that sounds annoying. I'd rather just have it all on the same device. I can enable and disable work apps on a schedule if I'm bothered. I don't want to deal with two devices really
If youre in the US and your company is paying your phone bill, they are legally allowed to access your location via cell towers at any given moment. That, in combination with the fact that they can also legally take the phone from you (You have company trade secrets on that device if you install their software), I dont see the point in risking not having a 2nd device.
you're gonna have to cite some sources here because I don't think there is actually a legal requirement for these things.
the work apps require Internet access to even open and the contents are encrypted. this has all been figured out
So does my company
So didn't have to instsll intune or anything?
yeah but you can disable most of it's invasive permissions so I'm ok with it
Not all works would allow it, but why not Graphene on work phones.
What happens if the worker doesn't have a smartphone, or has one, it breaks and they don't have money to buy another for while, or what if they install a random app that encrypts their mailbox?
Even if you live in a 3rd world country where employers can force it, it's a stupid decision for the business.
I don't understand your line of questioning. If a bad thing happens then a bad thing happens. Potential for bad things indeed makes companies likely to lock down devices if they provide them, hence the qualifier "not all works would allow it." From an employee perspective, if you have the freedom to do it then more secure OS is more secure.
I can tell you what we do. Here's your yubikey. Then most find a new phone after a couple weeks.
Old phone with remote desktop.
Works like a charm for many of these types of things. You can also forward notifications into NTFY or Matrix.
It's a dark pattern but you can use any MFA provider with Microsoft services.
Not necessarily. Microsoft's authenticator has an option where you have to tap a notification to approve, which isn't a standard TOTP thing. If your company requires that version of MFA, you pretty much have to use Microsoft's authenticator.
Aw shit, this sucks because my company uses this authentication method.
I guess when the change finally happens I'll just be saying 'you owe me a phone for this'. Absolutely no way i am going back to Android just for this on my personal phone.
One possible workaround is to add more options to your security info in your work account. For example, I added my number and also a specific password as an option last year when I moved onto Graphene and had to update that info. Would that be an option?
Unsure if that would even work or if those options are more for account recovery (when no longer have access to a specific device)
If it cane down to it, I'm sure you could find an old phone or tablet to use just for that for work.
Yeah, this is what might be the final outcome
If i say give me a phone and they say "no, come into the office instead of working from home", I will produce an old phone faster than ya ckuld blink lol
You can use a different authenticator with M$ accounts. Just choose to set up with a different app. Aegis is nice.
Iam using aegis for my private logins. As I understand does Aegis not support MS Entra Logins.
I believe there's an admin option to allow 3rd party TOTP generators, so perhaps your IT admin turned it off. M$ doesn't make it a terribly conspicuous option when setting up 2FA as well.
Can't use freeOPT?
Not sure about this one, but many don't expose the key used to generate the codes, it's linked to your user.
So it's not trivial/possible to use a FOSS alternative.
This happens with okta too.
No MS authenticator also requires internet and gives saysbis this you. Also requires a number.
So does mine, and Oracle.... But that just means no slop installed
MS MFA allows to use a different Authenticator App. On the step called "Start by getting the app" you just need to press the blue text above the "next" button which spells "I want to use a different authenticator app", there you can use whatever you prefer, even WinAuth works with this method.
This depends on settings I think. I've had that option not being available on a certain client where I could only use their authenticator app.
My school_requires_ MS authentication and removed this ability and broke any third party authenticators currently in use.
I've used the FOSS app Aegis on Android for MFA of what I think was a Microsoft login (it was a website for a railway technical authority in the UK).
The app is on fdroid:
https://f-droid.org/packages/com.beemdevelopment.aegis
Thats intetesting, Iam using aegis in private.
Do they mandate the use of MS Authenticator specifically, though?
The option to add that restriction is definitely there, but it's worth checking your account settings to see if it'll let you use a different MFA option.
The whole company uses Microsoft. I guess there is no chance for me.
This is what I fear will happen to GOS on Motos. Google decides to mark them as rooted so buh-bye banking apps and others that require a "secure" os.
Another banking app thread, fun! Don't use phones for banking. One just trades privacy for perceived convenience. For "safety" you give your bank:
- Unnecessary lower-level system access than normal apps, for SAFETY!
- Your location as often as they can harvest it
- What apps you have installed
- Any metadata they can exfiltrate through trackers in the app that can be mated with metadata from other app trackers
- Any personal information they can gather from your phone
Furthermore, if you use tap-to-pay, which some banks require their app be installed to use, you're then giving every transaction you do, with or without tap-to-pay, to the operating system provider and any third parties along the way. Use your credit card at a store and the phone's at home? That transaction still gets scooped up.
Finally, you have this object you always carry with you, that has access to all your financial information, that a bad guy just has to punch you in the face to get you to log into your bank and delete all your money. Bravo! With a card, it can be shut off afterwards, and the bank can mark any transactions happening afterwards as fraudulent. With a phone app, they can Zelle themselves your money and the forward it to some cryptocurrency and good luck. Then clean out your RobinHood, your DraftKings, your CoinBase, your 401k, and anything else they find along the way.
Use the bank webapp if one is desperate.
Banking. On. Phones. Is. Stupid.
Except they're not rooted - GOS devs don't even approve of root usage
It doesn't matter if they are or not. Google can deem them modified or not secure devices and they can do fuck all about it.
The difference being that Motorola is a well established device manufacturer and not just a community project with minimal funding. Google using play integrity to exclude a competitor could be very easily seen as an abuse of market power and they already have problems with antitrust laws.
Not with the current trump administration. They can do whatever they want
other countries exist
All these banking apps need google play for the freaking 2 factor code sent via text to work.
Why can't I setup TOTP for these? Banks I am looking at you.
Cool, the fewer people using Microslop apps, the better.
I don't think there is a single person that has installed Microsoft authenticator by choice.
Especially not someone on graphene OS.
That's cool. Guess my company is going to have to send me a new phone.
Honestly thank you for posting this. Lest I would've lost my Google and Microslop account.
Use your work phone.
I don't need a Microsoft account and if Google insists, I will kill my account with them as well.
good thing i'm leaving windows asap
Oh this is some bullshit. Anyone know of a decent FOSS(ish) alternative?
I've heard Aegis being mentioned.
Yes I love Aegis.
I have been usingnit for Ages, haven't had a problem.
Been using it for years. No issues at all.
Aegis
Ente Auth
Fuck Microslop and fuck Google.
Unless on Motorola devices (soon).
I hope it's like FairPhone where you get to choose android or Murena/e/
We wouldn't want any Graphene OS device to fulfill the requirements necessary to be certified. That would make it useless.
'Rooted' doesn't mean rooted, it means the Google API it checks against says no. And is unlikely to say yes on any device that isn't 'official Android', with Google Apps having System access.
Googles been getting in trouble for requiring Google apps to he certified. So maybe they allow grapheneos through to say see we don't knowing it well be very niche.
Like my other comment said to someone else, so much for Android "OPEN SOURCE" Project, huh? Only OK if its stuffed with Google shit to make money from?
Make no mistake. If Google does not certify GrapheneOS on Motorola, these devices will be flagged as modified by Googles API just like on any other device.
So much for Android OPEN SOURCE Project, huh?
Only "open source" if Google gets to profit from it?
Works for me.
Microslop Authenticator might exclude GrapheneOS in the future due to root detection
