Ján Trenčanský
Merill Fernando 
Microsoft Authenticator is about to wipe work accounts from jailbroken/rooted phones automatically 👏.
No IT config needed. 🔥
3-phase rollout starting Feb 2026:
⚠️ Warn → 🚫 Block → 🗑️ Wipe
Let your help desk and security teams know.
Wow. So a LOT of you folks are not happy.
The good news is your org can still allow you to use passkeys and other Authenticator apps.
Joan of Contention 😷
TheKilt 
zsapi@merill The orgs won't allow employees to use anything else, and you know it. Sadly you are not the first to require non rooted devices, but it is still another step back for freedom and privacy. Let us use our general computing pocket device as we wish. Or at least allow orgs to toggle the need for this. Though most will just enable it without question.
Xavier
Nacho
Fluffy Kitty Cat@merill in other words, devices that the users control, instead of controlled by someone in the Epstein files
George Liquor, American
George BYou can opt out any time by showing documentation that you are in the files (tangentially mentioned because they cited your work in an email does not count sorry)
Björn@fluffykittycat @merill It's kind of a grey area. They are right that open bootloaders are a security issue but then also you can relock it on some devices.
In any case I don't think I would use the Microsoft Authentication app anyway unless I have to.
In any case I don't think I would use the Microsoft Authentication app anyway unless I have to.
derptron@thaodan @fluffykittycat @merill Why?
The keys and such associated with the authenticator app should be in a TPM. Something the bootloader can't touch. It can't get the private key to then send it to whoever.
The bootloader could attack in other ways and get the info you're accessing once logged in, but I don't think it can mess about or bypass the actual security mechanism.
I think they're trying to sell bullshit here so the ignorant support them as they lock us all down.
@thaodan @fluffykittycat @merill On phones without a TPM that's obviously not the case, but there are fewer and fewer of those and will be fewer still.
@crazyeddie @fluffykittycat @merill The bootloader itself isn't the concern but the kernel and what is started afterwards.
It is a factor even if they only use it as an excuse. Most phones don't have a TPM but an ARM trustzone which can run a software TPM. The problem is that modifying or writing isn't possible low level only over the OS or vendor API's provided.
It is a factor even if they only use it as an excuse. Most phones don't have a TPM but an ARM trustzone which can run a software TPM. The problem is that modifying or writing isn't possible low level only over the OS or vendor API's provided.
@crazyeddie @thaodan @merill unlocked bootloaders are a moral imperitive. Not to mention all the ewaste created by locked devices not being repurporsable
@fluffykittycat @merill @crazyeddie Context? Nobody in the thread said that devices where users can't unlock bootloaders are a good thing.
Users should just be able to relock it. Locking bootloaders doesn't block flashing it just ensures that only code signing with the owner of the keys in the bootloader can be used, the owner of these keys can be the user.
Users should just be able to relock it. Locking bootloaders doesn't block flashing it just ensures that only code signing with the owner of the keys in the bootloader can be used, the owner of these keys can be the user.
@thaodan @fluffykittycat @merill Yeah, I can't re-lock my phone or I believe even put the bootloader into write-only. Sucks.
@crazyeddie @thaodan @merill yeah, locked bootloaders imply the person who purchased it doesn't get full ownership rights over it
@fluffykittycat @crazyeddie @merill You have to separate the technical from the ideological part. As long as the user has the control for en- and disable the bootloader signature verification they are perfectly fine. There are parts of the device users shouldn't reflash thou such as the radio configuration.
Klaus FrankSoo instead of just rooting a phone one needs now to also deploy 38473894 shady scripts and workarounds to hide it from Microsoft Authenticator?
Congratulation on improving security (NOT).
1.3.6.1.4.1.61513Ehm, the azure codes are a bit different than the TOTP ones. Their app also has a kinda proprietary auth code format too. I think it is mainly about them. As for all others you literally just have to store a picture of the QR-Code you used to set them up...
Edit: But yea, it probably will end in there being a shady cracked version of the Microsoft Authenticator App that continues to work on rooted phones...
And make your employer pay for it. I got my work phone when I refused to put a similarly shitty 2FA app onto my personal one.
I just said I've a PinePhone with Postmarket OS and I'm not going to buy a new one just for that. + I asked if they'd cover damages for any data deleted because of someone hitting the "wipe phone" button in the MDM that would have come with it accidentally (or on purpose).
The phone was cheaper for them than continuing the discussion btw :p
Eleanor LNR Blair@merill I have to admit one of the reasons I use the web application for Outlook on my phone is because installing the Outlook app and adding my work account to it would in theory give work access to control (parts of) my phone - which I don't want. I didn't think the authenticator alone would give that level of access to the device though!
Is this likely to just drive more people to switch to using Google's authenticator (or another TOTP app) instead of the Microsoft one? I do anyway, because I was already using it for other sites, and it was easier to have them all in one place. You'd lose push authentications: but I feel safer without those anyway!
Resuna
Jyrgen N@lnr @merill *If* you consider using another TOTP app, I recommend 2FAS Authenticator. Other than the MS and Google authenticators, who are incredibly greedy data harvesters, 2FAS phones home nothing but anonymised diagnostics data. (It does, optionally, sync/backup on Google Drive/iCloud.) Has been working well for me for years. Open source, on Android and iOS.
@jyrgenn Mostly I just save them in my password manager these days, which kind of makes them a bit less "second" factor, but improves convenience.
@lnr I have done this in one case so far, and by $deity is it convenient! I am a bit conflicted about it, though, because of what you say. But then the usual scenario from which a second factor is supposed to protect you (or your organisation) is not a compromised password manager, but phished or sniffed credentials. (1/2)
We have heard of weaknesses in (some) password managers, but I think I haven't heard of a really compromised and exploited one. Has anyone? I may have missed it.
So, in the end, I may indeed at some point move all those 2FA secrets to my password manager. Maybe when I am retired, so at least there is no (theoretical) harm for $ORK. (2/2)
@lnr
Markus Sugarhill 
@merill thats why I neither use MS Authenticator (rather bitwarden) nor Outlook on Android (rather Ninemail)
dmi 💽 
amy@[email protected] @merill good guy microsoft protecting us from big scary threats whilst locking token protection (the primary defence to phishing your creds out) behind expensive entra licenses. be so fuckin fr
kuriko
Bernard Sheppard@merill magisk module to hide root incoming in 3, 2, 1...
Arik@merill this idiocy looks like something @GrapheneOS will want to respond to. Microsoft doesn't care if the OS has the latest patches, only that it was certified by the duopoly.
Adam Beer
Clemens ZaunerWell another pretty bad idea. You seem to have quite a streak with those, lately.
Time to stock up with popcorn and wait for the fallout.
Krazov
Sarah [7252]@merill is this a threat or promise?
Graeme 🏴@merill Who is using MS Auth anyway? Not me for sure! Another reason not to have or use an MS account...
Hmm, I would never in my life install any M$ crap on my /e/OS ungoogled Fairphone. It's not rooted, but I guess it's also among the undesirables...
For authentication to our goddamn work accounts on M$, I use AEGIS. Or the standard authenticator on Linux Mint. Export/Import between the two works like a charm.
And it could well be that we are moving away from microslob in the not so far future. Unthinkable not so long ago. Halleluja!
Oriel Jutty 
@merill Thank you for sabotaging my devices.
silhouette 
@merill I'm gonna go out on a limb here and say that users that jailbreak their own private device wouldn't use MS Authenticator, and on company devices jailbreak wasn't allowed anyway.
@silhouette @merill people are expected to put this on their personal devices
@fluffykittycat @merill ah, the famous "use your own private resources for the benefit of the company".
xrvs@silhouette @fluffykittycat @merill how else can we call you when you’re supposedly sleeping or on vacation?
Eggs now in different baskets.@merill Blanket bans of any sort implemented by large and powerful companies always produce false positives that hurt non-customer that have to interact with their systems no matter how obliquely.
I do not use any Microsoft product or services directly but I am sure I will discover ways that this change will affect me. Likely at a moment I need to do something urgently.
Never forget Scunthorpe!
🔻 aetios 🇪🇺@merill wow cringe
Jeffrey@merill people making a mountain from a molehill? On Mastodon? Never expected it…
Yes, it’s shitty. But:
- You can do non-Authenticator passkeys now, from other apps that you can use on non-Android devices
- If device-bound, Authenticator native passkeys are forced on your work device, you did not had a say in the matter already.
- If device-bound passkeys are mandated on your personal device, reject the use of work apps on your personal devices and get a security key instead!
OmnivoreJailbreak/root detection in Microsoft Authenticator.
Between Feb to Jul 2026, Microsoft will introduce jailbreak/root detection in Microsoft Authenticator. Rollout will occur in three phases, and complete in July 2026.
Warn mode:
Your device is rooted.
You'll eventually be unable to add or use your work or school accounts on this device.
This device has been modified to bypass built-in security protections. You can no longer add or use a work or school account on this device
Contact your organization's support team for help.
Block mode:
Your device is rooted.
You can no longer add or use a work or school account on this device.
This device has been modified to bypass built-in security protections. You can no longer add or use a work or school account on this device.
Contact your organization's support team for help.
Wipe mode:
Your device is rooted.
You can no longer add or use a work or school account on this device.
This device has been modified to bypass built-in security protections.
Your work or school accounts have been removed from this device to protect your organization's data. Contact your organization's support team for help.
Justin Fitzsimmons@merill what exactly is the threat model that makes a rooted device risky for an authenticator app?