I know this is a first world problem and all that, but it winds me up.
The company I work for has just sent out an email telling us that we need to install an app on our phones to generate tokens for the work VPN.
They don’t offer to provide an alternative system, but just expect us to add apps to our personal phones because they say so.
Overreacting or a bit unreasonable?
It's a fight already lost when 90% of your colleagues just did it.
You could probably ask them to support a YubiKey instead of the app!
There is NO WAY I would be using my personal phone for business use, in the same way I don't use my work phone for personal stuff.
Tell them this is your personal phone:
https://d1eh9yux7w8iql.cloudfront.net/product_images/491116_0136d032-038e-425a-ab3b-e3c062eab40d.jpg
Oh and at least with Android phones you can stick the app in a separate sandbox from personal stuff so it isn't a security risk 😀
Tell them you don't own a smartphone.
Overreacting TBH.
Depends on the need. I use a VPN app on my personal phone so I can check my diary and emails. It's for my convenience, so I do it.
Are customers and/or colleagues going to get in touch with you on your personal phone - potentially when you're not working (holidays, out of hours, sick, etc.)? If so, full pass on that.
Say no, at my old workplace somehow a few customers got hold of my personal mobile number. I told them in no uncertain terms that they would be ignored. Higher ups got whinged at so I asked them to pay my bill, they refused so the customers continued to be ignored.
Presumably this is so you can connect remotely and work from home? If the alternative is going into the office, what would you prefer?
What Billodie said.
We have an office mobile for stuff like that, generating OTPs and suchlike.
Also means your colleagues can still use it when you're on holiday
My predecessor had set up HMRC OTP on his personal mobile, that was fun when he left.
If it's just an access key generator then stop moaning and get on with it. It's an app that generates numbers that are aligned to a similar list on the server. They don't talk to each other. The app just displays a number from a list.
It's an alternative to the little fob that displays the number.
My work offers the full work access for your mobile but you have to have security in line with the work standard. Most people don't, me included, but I do have the token/access key app.
I refused to do it for most things - it's my phone, that I use for my stuff. If they want me to use a phone for work stuff, then buy me a work phone and I'll turn it on when I'm working. Mostly they found a workaround (e.g. 2FA via SMS rather than an app - I don't mind receiving texts) but for some stuff there's no alternative (HR wellbeing support app, Microsoft Authenticator).
They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.
If it's only generating a token and you're that concerned, can't you just install Android on your work laptop/computer etc. that you're using on the VPN and use the app to generate the token there?
2 factor authentication is an important aspect of security now, but not all staff need a paid for work phone.
Do you have BYOD policies and connect to work systems with that device (eg email or teams)?
As a company they need to secure their systems, and have an expectation that staff authenticate themselves to policy. Remembering passwords is one aspect of this, and now a token generator. If you refuse you might not have a way of authenticating onto the network.
Do you object to using two factor authentication for your personal apps? It's just a code generator. I find it annoying because for 15 years we used PIN numbers instead, which meant I didn't need to open my phone and find the text message, but now I do.
Now if my Apple Watch would flash the code it would be easier still.
I have two phones simply so I can keep one for work. Means I can keep the numbers separate also, so I can switch the work one off whilst on holiday etc.
Just get a cheap Motorola or whatever and a £5 p/m sim only for work?
I have the same set up at my work, and I generally refuse to install anything work related on it; however my work differs in the fact that I have the option of a key fob that generates the code for me if needed.
In my 7 years working here I have lost 4 of those fobs and can never find it when I need it, so as an exception I have installed the token generator on my phone.
I have made it clear that I won't be installing any other apps, or emails etc. to my personal phone and while my boss would like me to as it would be easier for him, there's no actual requirement for me to do so.
You can either ask them to buy you a work phone (and then you've got another phone to look after), or put up with it on yours. Your choice.
If it's just a number/token generator I'd probably just install it. This, however:
They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.
No. I have MS Authenticator/Outlook/etc all installed on a work phone. There's no way I want anything like that on my personal phone.
Are you expecting to work from home, and thus the VPN? 2 factor auth is the rule now (or really ought to be) so you need to make that work somehow.
If it's just for 2FA then I wouldn't worry, this is only to help you log into a VPN or similar. If it's for contact or the app wants control of your phone then a no.
I will use my personal phone for the MS Authenticator app allowing me to WFH and access the work VPN, and for accessing work systems for my payslip and booking holidays - although the last 2 are technically via a website (shortcut saved to phone desktop) that you then sign in to and which uses 2FA. All of my colleagues, line managers etc. know that I will not download work Teams or Outlook onto my phone - this is simply to allow me a clean break between work and personal life and is for the benefit of my mental health. Having previously spent 25+ years in the hospitality/retail industries I was never 'away' from work - phone calls at 4am, on holiday etc. etc. and it simply ground me down. If anyone in my team urgently needs to contact me they have my mobile number and can ring me, and that's the agreement we have. Running joke is that if someone sets up a team WhatsApp group the first response from members is from me and is: "<insert name> has left the group" - I do not care if your next door neighbour's granny's dog's partner's cousin has just had a baby or the cat just puked on the sofa again. It's very nice and congratulations.
I'm happy with the middle-ground as I benefit as much as my work does and the boundaries are clear for all.
Fair request is for them to just buy you a cheap Android phone and get anything work related like Teams / Slack / Auth apps on there. Will run fine on wifi with no SIM and cost less than having people in a room for an hour debating the matter.
Personally I’m fine with an Auth App on personal device but draw the line at MDM / VPN.
Customers being able to contact personal phone is simply a matter for pay negotiation.
If it's just for 2FA I don't have a problem with it, and that's from someone who ditched the work phone a long time ago and doesn't have my personal phone number anywhere except with HR for emergencies.
It's not enrolling your device in any sort of management, they can't spy on what you're doing or wipe your device, they won't have your personal phone number to bug you out of hours. It just lets you get a code (or approve a push message) when you log in.
As said, the alternative would be to give you a hardware token or having a separate phone that you have to carry or keep charged. I'll take the app on my phone thanks.
I fretted over stuff like this pre-WFH. It was all optional or workaround-able for me though at the time. So it was just me arguing with myself.
When work from home happened, after a brief period of more fretting I just did what was needed.
That aside, do you not use Google Authenticator for any other 2 factor authentication already?
This wouldn't be where I would make a stand.
Been in the news recently:
https://www.cityam.com/credit-suisse-wants-access-to-staff-personal-mobiles/
Strictly limited to an authenticator app I'd have no issue (SMS 2FA isn't secure). Beyond that (publishing my personal phone number in the company directory, giving it to clients, forcing a profile on and being able to manage it remotely) I'd refuse.
I've not actually had my own mobile for over 10 years, work supply one and allow 'reasonable' personal calls so never needed my own (although something better than an iPhone 7 would be nice :p ).
Well we have the same, but it's a choice... they'll give us a phone for it... but then I need to carry 2 phones... which is daft... so the VPN stuff goes on my personal phone.
I've installed a couple of work related authentication apps on my home mobile, simply because I don't want to have to carry a 2nd phone around with me. Teams is one app I will never be installing; I hear lately they were sending out a remote wipe add-on to people using it on their personal devices... it promptly got removed from them!
[edit, hmm just remembered our social media policy] I have a 'friend' currently not allowed to use their company mobile for apps like Outlook or Teams as they're all below Android 8.1, and this is a security risk.
I turned down a work phone as I can't be arsed having two. I just use my personal one for work (although in reality, that just means occasionally using Outlook on it).
If they wanted remote mgmt, I'd just take the work phone option then never use it!
NB I used to use it a lot more for work when I travelled, had some £1000 phone bills over the years.
Well we have the same, but it's a choice... they'll give us a phone for it... but then I need to carry 2 phones... which is daft... so the VPN stuff goes on my personal phone.
Easily the most sensible reply.
As per others, if it is just the token confirmation app then I would, and do, have that on my own phone. Most of the token systems do allow alternate verification such as SMS, so that's a possible option.
The app is self contained and doesn't need any special permissions. Anything more than that, e.g. their VPN, email etc., would be a hell no since then IS tend to want rights to monitor and wipe the phone.
If it's just for 2FA I don't have a problem with it
This, really, sounds like it's as much for your convenience as theirs. If you really don't want to for whatever reason (slippery slope, I guess - although what would happen if you lost/broke your personal phone? Can't work? Will they buy you a new one so you can? 😃), then an Android emulator on the work laptop is probably the way to go.
On your personal phone? That's hilarious 🤣 Also no possible way that could be accomplished on an iPhone.
They now want to install a tool that lets them remotely wipe a phone
Would be a firm "no" from me.
If they want you to use a phone app, they provide the phone.
Do they also put company software on your personal computer?
2FA app, so what.
But this:
They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.
Nope, but then I don't use my own device for accessing work.
MDM is the right control for devices that can access confidential etc data, but no way would I use my own device to do it.
I’m not “worried” about it - it just annoys me that the company think they own my personal possessions…
Buying another phone would be a waste of resources, but I might look at whether I need a sim or can just use an old phone on Wi-Fi if they can’t provide an alternative.
I’ve got far less of an issue with my line manager having my mobile number, because how else can she contact me to say that the office is closed due to a COVID outbreak if I’m already on the way to work? 😉
*Put on union hat*
Short answer, tell them No.
Companies are required to provide tools and equipment (and relevant training) to allow you to do your job. It really is that simple. If they don't want to provide those tools, meaning you are unable to do your job, then that is their problem.
*Remove union hat*
It just generates an access code. Stop being so bloody precious.
I'd be ok with an authenticator token/MFA so long as it was not proprietary to the company. (We use Microsoft Authenticator, which I use for personal stuff anyway.)
They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.
Absolute hard no from me on that.
I did also draw a line in the sand recently on grounds of mental health and work life separation when they proposed taking our work mobiles away and porting the numbers to our personal phones ....
Not a cat's chance in hell. What will happen there is I will cease to have a mobile phone for company purposes.
It seems to have been received in the manner it was intended.
can just use an old phone on Wi-Fi if they can’t provide an alternative.
If it's Microsoft Authenticator... you can. I did this while my company phone was being funny buggers.
Google the app name and see if it has any functionality beyond the login stuff. Obviously make sure it is denied access to location data and personal files.
Now if my Apple Watch would flash the code it would be easier still.
No idea of the details, but the 2FA for my company's VPN works beautifully with my Apple Watch - I enter the password on my computer and then the Microsoft Authenticator app flashes up a big "Approve?" button on the watch for me to hit.
I happily install work apps on my personal phone - because I do it to make my life easier. I generally leave myself signed out of Teams on the phone so I can control when I am reachable when away from the computer. My only annoyance is that company policy dictates all Microsoft apps require a 6 digit PIN each time you access them, which seems positively antiquated in the age of biometric logins.
It just generates an access code. Stop being so bloody precious.
Bit blunt, but yeah.
Massive jump to get from using Authenticator to "think they own my personal possessions…"
Do you have some existing beef with your employer OP?
I have a work phone, all authentication goes through that. As does hotspotting when on site, Spotify and Sounds in the van.
There are certain apps I have on my own phone as the phone is faster and it makes my life easier.
Some people in the company dual SIM their own phones, it does make it a hassle to see when they're working as teams always has that green tick even at night. I've been there and most work folks don't have my personal number any more.
For my sins I consult (sell) Cyber Security to Business.
This is a subject that comes up a lot for debate as you can imagine.
MFA is one of the best tools we use to combat cyber crime. It's far from foolproof, but most businesses / industries either use it already, or will be very soon.
I personally don't like the idea of using users' (staff members') personal phones. Firstly, they don't like it, for various reasons. For example, I personally keep all my work related apps in a folder so I don't have to look at them when I'm looking for JustEat on a Friday night or whatever - and my phone is 100% paid for by my employer.
Secondly, it's a fudge. Typically we will assume that Apple devices with a current OS are secure, but that's not always the case: some people can, and do, jailbreak their phones for whatever reason, some people use 1111 as their PIN or even don't use any security at all and leave their phones on their desk when they're not there. Android phones are worse (this isn't an Apple v Android argument) because they're less restrictive and you can download apps from lots of sources etc.
When we're dealing with company owned phones we can use MDM (mobile device manager) to mitigate those risks somewhat, but I don't think anyone would ever willingly allow MDM on their personal phone. There are lots of rules governing what can be done with MDM, but in theory they can know what apps you have, where the device is (usually with a notification on the phone) and the number of contacts / photos etc.
Personally, I see this solution as a box ticking exercise. It's more secure than not having MFA, but not as secure as it should be and it relies on a lot of goodwill from users, and I've never met a user who actually likes using MFA. It is, however, cheap.
If it's just an authenticator just do it. Microsoft and Google authenticators are lightweight and unobtrusive and you'll likely start to encounter more services expecting you to use them if you haven't already.
If it's an in house app I'd want some more details about what it's doing, but your phone should warn you of any questionable permissions it's asking for. The alternative is carrying around a separate phone or fob for one function and that seems inconvenient for everyone.
I have rebelled when a company has tried to get me to install Teams but will only do it if they can take over admin of the phone.
I'd much rather only have one phone than carry multiples. I have no issue with ignoring work calls out of hours.
In the OP's position I'd be happy to install the number generator if it could be proven there was no spyware included.
Here's a thought. Also, have any of you read your IT policy on use of mobile devices for business purposes?
Ours says that (historically all company owned when this was written) mobile devices used for conduct of company business upon leaving the company should be surrendered to the company for "quarantine" for business records purposes.
Now admittedly that may have been rewritten since the new policy of allowing personal mobile devices to be used and cloud based systems..... But it would be worth finding your company's stance on such matters before leaving yourself wide open to it by having emails and teams etc on your personal mobile.
Anyone got any experience of SafeNet?
Here's a thought. Also, have any of you read your IT policy on use of mobile devices for business purposes?
Yes of course. I'm sat here with the new upgrade phone to set up, and have the option of purchasing the old phone (8 plus). Our company allow (reasonable) personal usage on the work phone, negating the need for two phones. I'm satisfied with that.
Just for an app - over reacting I think.
Using your personal mobile number? I've made it clear (to work) that anyone (client) calling me out of hours or when on leave will have their number blocked immediately.
If it's just for 2FA then I wouldn't worry, this is only to help you log into a VPN or similar. If it's for contact or the app wants control of your phone then a no.
This is my view.
I actually have a work phone but have the 2fa app on my personal one for various reasons of convenience. If they wanted access and/or to be able to view or wipe stuff then they can go away.
I joined a small firm a couple of years ago who asked all staff to use their personal phones for work calls, I politely declined. The compromise solution was they paid me an extra few ££ per month to cover a cheap SIM card that I plugged into an old phone.
SafeNet Trusted Access?
Direct lift from their site:
Simplify compliance with real-time auditing of who is accessing which app and how.
Yeah I'm out on that going on my personal phone.
Our company allow (reasonable) personal usage on the work phone, negating the need for two phones. I’m satisfied with that.
Which is the sensible option to achieve what our lot are trying to achieve, which is giving the guys the option to carry one phone - and they have done for years.
Now they are trying to force not only the one phone thing (means generally they see you as contactable 24/7, or certainly more than if you have two phones) but also the burden of cost of the equipment falls on you too in our mob's approach.
If they want me to use a phone for work stuff, then buy me a work phone and I’ll turn it on when I’m working.
This.
Although I may be particularly cautious, because early on in my career as a lawyer (early 00's and pre-smartphone) my then boss asked me to attend a police station interview and use my personal mobile with clients.
I get a call just after midnight from an unknown number - it's the client who was remanded to prison, and who smuggled his phone into his cell via means I don't even want to think about, save to say Nokias back then were very small and streamlined.
Looking at potentially serious consequences as a result I made clear to that employer in no uncertain terms if they wanted me to be available for work calls they would need to pay for a work phone in future.
There's also the issue nowadays with personal smartphones about data processing and retention - who is the data controller and where is the data held? We are explicitly forbidden from using personal phones for work purposes, other than in an emergency.
If you have your personal phone on the desk because you are using that app and accidentally knock it off and the glass front and back shatter as it hits the floor, who is paying for the replacement?
SafeNet Trusted Access?
Direct lift from their site:
Simplify compliance with real-time auditing of who is accessing which app and how.
Yeah I’m out on that going on my personal phone.
I think you have misunderstood their product.
It's not snooping at what apps you are using on your phone, it allows companies to monitor who is connecting to the company "apps" (e.g. webmail, VPN, etc) and from where. The app on your phone is just a code generator.
Also, I can't be bothered to go back and find it to quote, but whoever said a while back that remote wipe isn't possible on an iPhone has been drinking too much apple sauce. It's called MDM and works on all modern phones.
I think most people in this thread have got the balance right - an app for generating codes on a personal phone, with no work calls etc.? Fine... it's not really worth the company investing in buying you a mobile phone just for those codes (yes, other solutions are available like RSA fobs but they are incredibly expensive for what they are and people seem to have a knack for losing them).
Any more than that - if you have your work email, Teams etc. on your personal phone then your company *should* be able to remote wipe the phone (if you have it set up as an Exchange connection, they have this ability!) and that is where a conversation should be happening, and probably a work phone provided.
They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.
This is pretty normal for any business with company information you possibly wouldn't want accessed if the phone was lost/stolen etc.
In my time in IT with my current financial services company, where any phone/device has to be enrolled and technically is wipeable by the company if it is allowed to access company resources - I've never known it happen for a personal mobile.
However, if you don't want to use your own device in that way, a company device should be provided. MFA/VPN authorisation doesn't come under that though. And honestly, if someone doesn't already have MFA set up for multiple personal accounts already I'd be telling them to set it up.
I think most people in this thread have got the balance right - an app for generating codes on a personal phone, with no work calls etc.? Fine... it's not really worth the company investing in buying you a mobile phone just for those codes (yes, other solutions are available like RSA fobs but they are incredibly expensive for what they are and people seem to have a knack for losing them).
Any more than that - if you have your work email, Teams etc. on your personal phone then your company *should* be able to remote wipe the phone (if you have it set up as an Exchange connection, they have this ability!) and that is where a conversation should be happening, and probably a work phone provided.
Well summed up. I choose to have my personal phone enrolled because it makes my life easier for checking my rota/accessing MS teams when I'm at a different site or away from my desk. I don't NEED to access work stuff on my phone, I choose to. If I was working an on call rota or needed access to emails on a phone then I'd get a phone request put in.
Tell 'em to do one. I would (and did) flatly refuse to have emails and other stuff on private equipment.
Obviously - now I own my own business I would encourage it of any of my employees... haha!
Oh and at least with Android phones you can stick the app in a separate sandbox from personal stuff so it isn't a security risk 😀
eh, come again??
We had this at work; it caused a bit of frustration with some, but it was a case of either take it, or don't have a laptop and you can't access your work emails. I've not had a personal phone for about 20 years. I appreciate there are various complications with this, but my work means people call me all the time and it's frankly give and take.
Which is the sensible option to achieve what our lot are trying to achieve, which is giving the guys the option to carry one phone - and they have done for years.
I should also add that I'm not client facing and nobody from work ever calls! We use teams for calls at work. If I was routinely facing outside and getting lots of work calls out of hours, I'd use two phones. Work stuff is ringfenced on the phone by MS. Personal stuff (like email, WhatsApp, etc) is not. Still annoying that our VPN sends an SMS rather than the code on my watch (I just tested it!)
I used to have a physical VPN token which was a pain due to its size and ability to disappear; the battery didn't last long and ordering a new one and returning the old one was a faff.
I had to download MS Authenticator to use the government portal to claim child benefit, and was then happy to use it for my work VPN too.
It's not snooping at what apps you are using on your phone, it allows companies to monitor who is connecting to the company "apps" (e.g. webmail, VPN, etc.) and from where.
Depends in what form the 'and from where' information is available to the employer. Is the app active in the background or just when log-in is attempted?
RE Credit Suisse access to personal phones (or any bank really).
if used for work communication with clients or colleagues, according to reports.
This isn't unusual - especially if the positions are FCA regulated as all client communications are supposed to be monitored. If a client texts your personal phone, you're supposed to reply via work channels, either email or monitored phone line.
Our BYOD policy is pretty widely worded to basically allow them full access to your personal phone, so I'll be keeping my work phone...
They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.
The ethos / point of 365 is to allow users flexibility, but it should be that, flexible. It shouldn't be a way of employers making you available outside of work to suit them, on top of them having the benefit of your mobile device for free.
During my little rant above I forgot to mention what I would allow. I would install either Google or MS Authenticator on a personal phone. It 'belongs' to you, as in you can sync it with work stuff, but also private stuff. I wouldn't install something my employer gave to me, unless I was very sure it was benign. I certainly wouldn't install some bespoke company owned software, not a chance.
Again, unless it suited me, I wouldn't install 365 tools on my personal phone either, and as some people have already mentioned. Whilst this is great for employers to 'allow' their staff to work out of hours, knowing a lot will 'just because', the problem is they'll require extra security tools to be installed to manage cyber risk and that's way past fair and reasonable to me. If I was asked to allow MDM to manage my personal device, at the risk of it being wiped if I'm deemed to be compromised, that's a very hard no from me. If nothing else, you just know some HR bod is going to wipe and block YOUR phone if you end up leaving that job.
If your employer is going to allow you access to their data from a mobile device, it should be their device. They shouldn't be installing MDM on anyone's personal device; it opens them up to all sorts of legal problems if nothing else. Frankly, when 365 (I know there are other options but we're MS partners) offered everyone the opportunity to access their company tools / data from any device, anywhere, it seemed great, but it didn't take long to realise how much of a security nightmare it is. We no longer allow it.
If nothing else, you just know some HR bod is going to wipe and block YOUR phone if you end up leaving that job.
I had the other side of it. I added work's Exchange server to my personal phone via iOS's built in Mail app and after 10+ years I disconnected it and all my contacts vanished. Turned out every contact I'd added after adding Exchange had been added to the Exchange account and not my personal email account, so my Contacts was pretty much cleaned out.
Luckily I still have access to Exchange so can manually add them back in. Now I just have the Outlook app installed, which keeps everything in its own walled garden and doesn't use any built in iOS apps like Mail or Contacts etc.
We just get a 4 digit PIN texted (actually 3 in the same text) to us (my own phone) for use with Cisco on our laptops to log on to our servers.
So I use my own phone, but all it is is a 4 digit number via SMS, no apps involved.
Tell 'em to do one. I would (and did) flatly refuse to have emails and other stuff on private equipment.
Thing is from the op it sounds like this is not emails or messages, just a 2fa authentication app. Very very different to actually having any communication.
I work in a college and they removed all the desk phones to get everyone to use Teams instead. Problem was, no one was given a headset to use and the dial pad in Teams wasn't available. This went on for a couple of months and we kept being asked to phone parents of students for various reasons. Some staff used their personal phones but a lot of us, including me, refused to use our personal phones.
I'm on a sim only contract with limited calls and data so I'm not using it for work unless they pay me in advance. They wouldn't, so I didn't.
That would be a no for me.
Not for any technical reason but because of the way I mentally "shut work out" after finishing up for the day. Having anything work related on a non work device would interfere with that.
We don't have desktop phones in the office anymore; they've switched to Jabber with headsets so we can use our office phone numbers at home and dial from our laptops. It's actually been a really good change.
Overreacting
Do as I did when my boss told me much the same. I pointed out that I don't use a mobile. It wasn't in my terms of employment so tough. If she wants to give me one then fine. It will be switched on at 9am and off when I stop work.
Just refuse or, if that's hard for you, answer it at your convenience. If there are complaints say that you don't use your phone at home, on the bus, bog, job, driving or whatever.
Make life even easier and chuck the bloody thing away. Virtually all mobile use is not important anyway.
Some interesting overreactions here. The way I see it there are three sets of circumstances:
1. Field employee. Needs VPN access. Should be given work mobile.
2. Office employee wanting to WFH. Should just install an app that gives them a code to login to VPN - it’s there to make your life easier after all. You could just go to the office instead.
3. Office employee wanting to access emails, teams etc so they don’t have to sit in front of their laptop when they WFH. Should suck it up and install the monitoring stuff on their phone. It’s not like anyone is actually checking up on what you do and it’s for your convenience.
OP sounds like case 2.
If you need it because of mandated work from home during covid, then it’s probably unreasonable to expect your employer to buy everyone a mobile. Considering what the app does, I don’t get why there would be any problem.
For people saying they’d rather get a text, this way you have to give your number to someone. Surely an app is better?
So OP does your company not issue you a work phone, because that seems to be the real issue here. Whether the 2FA is an invasion of privacy is irrelevant if the company gives you a work phone and you choose to use it.
For people saying they’d rather get a text, this way you have to give your number to someone. Surely an app is better?
Tbh I'd rather someone had access to my number (something with which they can phone me and text me) than install software that gives them access to my phone...
MFA / password generator is 'unmanaged' - that means you choose the permissions, you delete the app etc... The only thing the organisation does is 'seed' the app to make it uniquely linked to you otherwise all the appstore downloads are identical. There is no risk from this other than the risk that comes from the app itself. Personally I believe the convenience fully outweighs the risk (you are over-reacting). Union style responses IMO are bollocks unless you want to carry an extra 'thing' around, usually a physical token of some kind, but you should have that choice.
Mobile Device Management is an app that gives management control for the device to the organisation issuing the request. This is bad unless they own the phone in which case it's no different to when they give you a laptop. It can do things like track location, wipe data etc... i.e. all the bad stuff you don't want within a hundred miles of a personal device.
There is also a middle ground called Mobile Application Management where once 'provisioned' usually by you logging into a work resource from the app, the app itself becomes controlled by the organisation such that they can wipe data from the app if you leave or transgress. Examples include things like the MS Outlook app. Again, no risk other than you giving the app too many permissions but at this point your personal device is getting more 'worky' as it does more work things like communications and collaboration (e.g. Teams).
@trail_rat these MFA apps in no way give anyone control of the phone. When you log into the thing that requires MFA the app server generates a push notification on the phone for you to accept, or you enter a code shown on the app. The only control the company have is being able to remove the phone from their MFA system, thus stopping it from being able to get the codes. Nothing nefarious.
Not for any technical reason but because of the way I mentally “shut work out” after finishing up for the day. Having anything work related on a non work device would interfere with that.
It doesn't though when used just for multi-factor authentication. You only get the notification if you have requested it, e.g. by logging onto the VPN in the morning, at which point you say yes and forget about it for the rest of the day (unless you also have the fun of needing to go onto servers which might need it every time).
Admittedly thinking on it there would be a certain pucker factor if I did get an out of hours request since it would mean someone has grabbed my username/password so would have to contact the security helpline to get it locked down.
I am someone who errs on the side of keeping work stuff well away from my own but have never bothered transferring my MFA app from my personal phone to the work one I got several months after it was rolled out. Just set the latter up for backup texts, since then I can leave it off most of the time.
