For example, are you forced to use weak encryption or complicated configuration just because you are told to and not because it really works in practice?
I’m forced to use Google or Microsoft email services…
Rotate passwords every 90 days.
I once had to change my password every 90 days… but the password had to be exactly 8 characters, no more no less, with special characters (only a few special characters were accepted) and uppercase characters.
Besides, I have to use the Microsoft Authenticator, which sends data without consent about the social media accounts used on the device. Normally, it should be possible to use a different app, but it seems that is not possible in my case (at least, I haven’t been able to make anything else work).
Write documentation…
Ooof. This is a good habit to get into, even if you hate doing it. It really does work.
We are implementing Microsoft Authenticator at work.
Do you have more information on this? About what data it grabs?
Aegis should normally work for users as an alternative to Authenticator. In my case, the Microsoft Authenticator popup is enforced, I cannot enter the numbers.
Another alternative is to have a mobile device only for this kind of stuff (Google Store apps) and have a rooted device with a privacy-friendly image.