
That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.

I think the only part that can reasonably be simplified without compromising security is to use a push notification instead of having to scan the QR-code.



> That's a bad comparison, as you're comparing a full authentication process against just one step: with Office 365 (and SMS verification for DigiD) you additionally need to provide a username and password, which you don't need to do with the app.

I hadn't even noticed that app login doesn't require username and password. With a password manager that doesn't add a lot of friction. Even when accounting for that extra step, I still find Office 365 and SMS verification much easier.


What's the purpose of the code you're entering from the app? Isn't that a bit superfluous/couldn't the app open a communications channel with the server via the QR code you scan and provide that itself?


Then the app relies purely on the SSL cert of the server for MITM mitigation. This way, the QR can contain a signed reply to the code, which adds a layer.


Wait, I don't get it. I understand that the server is signing a challenge with a key presumably known to the client. But why can't the app submit the challenge programmatically upon scanning a QR code? It would still verify the signature!
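The challenge/response the last two comments are reasoning about, as an added example that is not part of the thread and is not DigiD's actual protocol: a hypothetical server signs the QR challenge with Ed25519, the app checks that signature against a public key pinned in the app (so it does not rely on the TLS certificate alone), and then derives a short response from a per-device secret enrolled at activation. The function names Enroll, NewChallenge, Scan and VerifyCode, the JSON layout and the two-minute expiry are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is the server-issued data carried in the QR code (hypothetical format).
type Challenge struct {
	SessionID string `json:"sid"`
	Nonce     []byte `json:"nonce"`
	Expires   int64  `json:"exp"`
}

// QRPayload is the challenge plus the server's Ed25519 signature over it.
type QRPayload struct {
	Challenge []byte `json:"c"`
	Signature []byte `json:"sig"`
}

// Server holds the signing key and the per-device secrets enrolled at activation.
type Server struct {
	signKey    ed25519.PrivateKey
	deviceKeys map[string][]byte    // userID -> device secret
	sessions   map[string]Challenge // pending browser sessions
}

// App models the phone app: it pins the server's public key and holds its device secret.
type App struct {
	serverPub ed25519.PublicKey
	deviceKey []byte
}

// Enroll creates a server and an app for user "alice" sharing a fresh device secret.
func Enroll() (*Server, *App, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	dev := make([]byte, 32)
	if _, err := rand.Read(dev); err != nil { return nil, nil, err }
	srv := &Server{signKey: priv, deviceKeys: map[string][]byte{"alice": dev}, sessions: map[string]Challenge{}}
	return srv, &App{serverPub: pub, deviceKey: dev}, nil
}

// NewChallenge issues a signed, time-limited challenge for a browser session and
// returns the base64 string that would be rendered as the QR code.
func (s *Server) NewChallenge(sessionID string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ch := Challenge{SessionID: sessionID, Nonce: nonce, Expires: now.Add(2 * time.Minute).Unix()}
	cb, _ := json.Marshal(ch)
	s.sessions[sessionID] = ch
	pb, _ := json.Marshal(QRPayload{Challenge: cb, Signature: ed25519.Sign(s.signKey, cb)})
	return base64.StdEncoding.EncodeToString(pb), nil
}

// responseCode derives the 6-digit code from the device secret and the exact
// challenge bytes, so the code is bound to this session and nonce.
func responseCode(deviceKey, challenge []byte) string {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write(challenge)
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// Scan is what the app does with a scanned QR: verify the server's signature against
// the pinned key before trusting anything in the challenge, then compute the code.
func (a *App) Scan(qr string, now time.Time) (string, error) {
	pb, err := base64.StdEncoding.DecodeString(qr)
	if err != nil { return "", err }
	var p QRPayload
	if err := json.Unmarshal(pb, &p); err != nil { return "", err }
	if !ed25519.Verify(a.serverPub, p.Challenge, p.Signature) {
		return "", errors.New("QR payload not signed by the pinned server key")
	}
	var ch Challenge
	if err := json.Unmarshal(p.Challenge, &ch); err != nil { return "", err }
	if now.Unix() > ch.Expires { return "", errors.New("challenge expired") }
	return responseCode(a.deviceKey, p.Challenge), nil
}

// VerifyCode checks the code entered in the browser for a pending session.
func (s *Server) VerifyCode(sessionID, userID, code string, now time.Time) error {
	ch, ok := s.sessions[sessionID]
	if !ok { return errors.New("unknown session") }
	if now.Unix() > ch.Expires { return errors.New("challenge expired") }
	dev, ok := s.deviceKeys[userID]
	if !ok { return errors.New("unknown user") }
	cb, _ := json.Marshal(ch)
	if subtle.ConstantTimeCompare([]byte(responseCode(dev, cb)), []byte(code)) != 1 {
		return errors.New("wrong code")
	}
	delete(s.sessions, sessionID) // single use: a replayed code is rejected
	return nil
}

func main() {
	srv, app, err := Enroll()
	if err != nil { panic(err) }
	now := time.Now()
	qr, _ := srv.NewChallenge("sess-1", now)
	code, err := app.Scan(qr, now)
	if err != nil { panic(err) }
	fmt.Println("user types:", code, "- server result:", srv.VerifyCode("sess-1", "alice", code, now))
}
```

The signature check in Scan is independent of which channel carries the response: the app could POST the full HMAC over its own connection instead of showing six digits, and a QR forged by a phishing page or an interposed server would still be rejected because its payload does not verify under the pinned key. Truncating to six digits and binding the code to a single-use, expiring session is what keeps a human-typed response practical.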