by el_duderino 3612 days ago
The permissions their Android 2FA app requires seem a bit much for its purpose.

The app has access to:

- Identity

- Contacts

- SMS

- Camera

- Device ID & call information

- Other

https://play.google.com/store/apps/details?id=com.microsoft....

Am I the only one who thinks that?
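The post reads the permission groups off the Play Store listing. A practitioner would rather check the actual `<uses-permission>` declarations in the APK's manifest (for example from `aapt dump permissions app.apk`, or the decoded AndroidManifest.xml that apktool produces) and compare them against what an authenticator app plausibly needs. The following is an added example, not code from the post or from Microsoft; the manifest, the mapping of permission names onto Play Store groups, and the "expected" allowlist are all constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: approximate mapping from Android permission names to the
# Play Store permission groups named in the post. Play's grouping is
# coarser than this and changes over time; treat it as illustrative.
PERMISSION_GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.GET_ACCOUNTS": "Identity",
    "android.permission.READ_PHONE_STATE": "Device ID & call information",
    "android.permission.INTERNET": "Other",
    "android.permission.VIBRATE": "Other",
}

# Assumption: what a QR-enrolled, push-or-TOTP authenticator plausibly
# needs. Everything outside this set is flagged for the reviewer to justify.
EXPECTED_FOR_AUTHENTICATOR = {
    "android.permission.CAMERA",    # scan the enrollment QR code
    "android.permission.INTERNET",  # receive/answer push approvals
    "android.permission.VIBRATE",
}

# Constructed manifest for a hypothetical app; not Microsoft's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Authenticator"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str, expected=frozenset(EXPECTED_FOR_AUTHENTICATOR)) -> dict:
    """Summarise requested permissions by store group and flag the unexpected ones."""
    perms = requested_permissions(manifest_xml)
    groups = sorted({PERMISSION_GROUPS.get(p, "Other") for p in perms})
    unexpected = sorted(p for p in perms if p not in expected)
    return {"requested": perms, "groups": groups, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("store groups:", ", ".join(report["groups"]))
    for p in report["unexpected"]:
        print("needs justification:", p)
```

The interesting output is the `unexpected` list: each entry is a permission the app requests that a pure TOTP/push authenticator would not need, which is exactly the question the post is asking.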

3 comments

You can use several other 2FA apps such as Google Authenticator if you do not trust the Microsoft one; they are compatible.

That said, personally I do like the Microsoft Authenticator app very much, it's just a single tap on the phone to confirm the 2FA login, which is much more convenient than retyping a code. Disadvantage is that the Android version of the Microsoft Authenticator app can only have one account, I could not connect a second 2FA service (LastPass) to it.

I can understand Identity, SMS, Camera, and Device ID/Call info.

Identity: Find or manage any Live/O365/MS account on your device

SMS: Read enrollment text message or backup texts (e.g. no network) for pushing auth requests

Camera: Enrollment via QR code

Device ID / Call info: Needed to reliably push notifications / send SMS and get the phone number for verification texts, whatever

Android's permission system is sort of obtuse

MS 2FA fails: you can still use IMAP to fetch email and stuff, without 2FA. So it's only a partial implementation. Of course it prevents "completely taking over the account", but even if it's enabled you can still do a lot without providing a 2FA code.