Published: October 29, 2025

ICYMI: Microsoft Authenticator for iOS + Android will detect, prevent, then wipe Entra creds on rooted devices (MC1179154). • Phase 1 (warn mode) begins February '26 • followed by Phase 2 (block mode) • then Phase 3 (wipes Entra creds) • expected to be completed ~April '26

Image in tweet by Ru Campbell

@rucam365 Should have been done years ago

@mwfowlie @rucam365 And this sets a precedent that most other 2FA managers will follow. This isn't a security assessment, it is a jail assessment. AKA: are you trusting us completely from boot to app? This is not your device, so no other secure OS is allowed, only ours with our ads and telemetry.

@Tiky8192 @rucam365 It’s completely security-related. It prevents rootkits and similar security issues.

@mwfowlie @rucam365 I agree that's one of the goals, but it comes at the cost of freedom and resilience. Every device now shares the same roots of trust. It works well until there's a breach, then everyone is affected at once (no diversity). It delegates trust to big tech rather than letting

@Tiky8192 @rucam365 That’s a complete non starter when it comes to things like insurance and financial risk.

@mwfowlie @rucam365 Why wouldn't insurance firms evaluate other security tools, like on PC? Sounds like financial services, the first to adopt SafetyNet by default, decided they were co-owners of all mobile devices just because they can process transactions. Yet, I can still purchase via PayPal in my

@mwfowlie @rucam365 Yeah, sorry, I'm a bit frustrated by the double standard and by devices looking more and more like rentals. I wouldn't imagine using my PC and having PayPal tell me I can't log in because I can sudo to root.

@Tiky8192 @rucam365 I haven’t used PayPal in a while but I can comment on other financial institutions. For example, many require 2FA on a per new recipient level, where the 2FA couldn’t be used for a different recipient even if your machine is untrusted.

@mwfowlie @rucam365 I see where this is going... Microsoft 2FA first, then others follow. Once everyone's onboarded, replace HMAC-SHA1 TOTP with "TOTP-2.0" that requires hardware attestation. Rooted devices relegated to insecure SMS as "legacy devices." Tell me that's not the plan.

@Tiky8192 @rucam365 If you want to access financial institutions, corporate intellectual property, streaming content covered by copyright, etc. then absolutely this is going to happen.
