GrapheneOS: Microsoft Authenticator does not support secure Android OS
Microsoft Authenticator is set to remove Entra access from rooted and jailbroken devices. GrapheneOS could be affected.
(Image: Microsoft / heise medien)
Last week, Microsoft announced that Microsoft Authenticator will remove Entra ID access from mobile devices that it detects as rooted or jailbroken. GrapheneOS is designed for security- and privacy-conscious people; however, Microsoft does not officially support it. The use of Microsoft Authenticator with Entra ID accounts is on shaky ground there, the company said when asked by heise security.
GrapheneOS enjoys an excellent reputation for data protection and security. It can be used on Google Pixel smartphones with particularly little data collection, but it can also run Google services while keeping them on a leash: like all other apps, they run in a sandbox under permission management. Due to its broad compatibility with, for example, banking software and streaming services, which do not start on many custom ROMs, GrapheneOS has become one of the most popular custom ROMs. The developers are quick to close security vulnerabilities, and sometimes GrapheneOS code even flows back into the Android project.
At the Mobile World Congress (MWC) in Barcelona, Motorola also announced on Monday this week that it officially supports GrapheneOS. This means the secure operating system is no longer exclusively found on Pixel smartphones. Motorola aims to do nothing less than “redefine smartphone security with GrapheneOS.” GrapheneOS will thus bring a “hardened security core” and “protection against complex threats.” Motorola wants to offer “special highly secure devices” that can be used in companies, authorities, and so on.
A more secure custom ROM is not enough
GrapheneOS thus appears predestined for the secure use of corporate email and for secure data exchange via smartphones. Since many now use Microsoft's identity management offering Entra ID for logins to their services, Microsoft Authenticator is important for use in companies. It serves as a second factor for login. Entra ID accounts must therefore be usable with the smartphone app, or users will be locked out.
A Microsoft spokesperson told heise security in response to an inquiry, “Microsoft Authenticator is not officially supported on GrapheneOS, and Entra accounts may be impacted in the future on devices running GrapheneOS that are detected as rooted.”
It is unclear whether Microsoft Authenticator will generally recognize GrapheneOS devices as rooted. It is to be hoped that Microsoft will change its position in this regard if necessary and officially support the more secure Android OS. Alternatively, other authenticator apps can be linked to Microsoft accounts, which is somewhat more complicated and comes without Microsoft's security extensions in the Authenticator. However, this also raises the question of whether, for example, the IT department will approve their use.
(dmk)