I agree with the first part but vehemently disagree with the third paragraph.

I suspect it varies wildly based on where you live, but in Chicago there absolutely ARE places with waitstaff worth getting a burger from.

I drink my whiskey straight from the Klein bottle.

Then you apply the scientific method and/or research in search of truth.

• https://en.wikipedia.org/wiki/Scientific_method

• https://en.wikipedia.org/wiki/Research

I’m not sure about color support without HTML or add-ons, but Obsidian is a good markdown editor with a lot of functionality and extensibility.

It’s not open source but it runs on everything.

Look man, it’s okay to be wrong. It’s a natural part of growth.

But when you double down on your ignorance instead of taking the opportunity to open your mind and listen to the experts in the room, you just end up embarrassing yourself.

Try to be better.

We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.

Admins can’t control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don’t think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.

Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.

This is incredibly well said and I agree 100%. I’ll just add that software TOTP is weaker than the MS Authenticator with number matching because the TOTP seed can still be intercepted and/or stolen by an attacker.

Ever notice that TOTP can be backed up and restored to a new device? If it can be transferred, then the device no longer counts for the “something you have” second factor in my threat model.

While I prefer pure phishing-resistant MFA methods (FIDO2, WHFB, or CBA), the support isn’t quite there yet for mobile devices (especially mobile browsers) so the MS Authenticator is the best alternative we have.

There are two different, and only slightly related, things here:

1. Access to company data through your phone (via Teams, Outlook, etc)
2. Using your phone as an MFA device to access company data, even on your work-issue laptop and to access browser-based SaaS apps like your payroll system.

The first absolutely can and should depend on the age of your device. MAM or MDM policies combined with Conditional Access should block older devices not receiving security updates from accessing and storing company data.

The second, assuming they are now requiring phishing-resistant MFA, only requires that you have the Microsoft Authenticator app installed (FIDO2 and CBA are alternate PRMFA methods, but more complicated to implement). The MS Authenticator is supported on Android 8.0 and above and your S8 supports Android 9.0.

So unless there is a job requirement to use your phone for email and Teams – in which case they should definitely offer a stipend or CYOD phone – you should be fine just installing the MS Authenticator app on your phone and using your work-issue laptop for email and Teams.

Edit: I just saw your other comment that they use Duo. In that case you might be hosed since it requires Android 11.0. I’d at least start by opening a ticket with the help desk and keep an email trail with your manager of what part of your job you can’t do. But they should be able to provide a method of authentication that complies with their policies.

While I can’t speak from experience, I would imagine this isn’t terribly uncommon for black people in America at least (and other people of color).

There’s still a lot of systemic racism over here, so unfortunately sometimes you have to mask who you are just to approach being treated the same as white people.