 

[Closed] Company expecting use of personal phones for work

Posts: 591
Full Member
Topic starter
 
[#12151232]

I know this is a first world problem and all that, but it winds me up.

The company I work for has just sent out an email telling us that we need to install an app on our phones to generate tokens for the work VPN.

They don’t offer to provide an alternative system, but just expect us to add apps to our personal phones because they say so.

Overreacting or a bit unreasonable?


 
Posted : 14/12/2021 11:44 am
 xora
Posts: 957
Full Member
 

It's a fight already lost when 90% of your colleagues just did it.

You could probably ask them to support yubikey instead of the app!


 
Posted : 14/12/2021 11:46 am
Posts: 4061
Full Member
 

There is NO WAY I would be using my personal phone for business use, in the same way I don't use my work phone for personal stuff.

Tell them this is your personal phone:

[image]


 
Posted : 14/12/2021 11:47 am
 xora
Posts: 957
Full Member
 

Oh and at least with Android phones you can stick the app in a separate sandbox from personal stuff so it isn't a security risk 😀


 
Posted : 14/12/2021 11:48 am
Posts: 46071
Free Member
 

Tell them you don't own a smartphone.


 
Posted : 14/12/2021 11:48 am
Posts: 40432
Free Member
 

Overreacting TBH.


 
Posted : 14/12/2021 11:48 am
Posts: 5149
Full Member
 

Depends on the need. I use a VPN app on my personal phone so I can check my diary and emails. It's for my convenience, so I do it.


 
Posted : 14/12/2021 11:49 am
Posts: 7132
Full Member
 

Are customers and/or colleagues going to get in touch with you on your personal phone - potentially when you're not working (holidays, out of hours, sick, etc)? If so, full pass on that


 
Posted : 14/12/2021 11:50 am
Posts: 2944
Free Member
 

Say no, at my old workplace somehow a few customers got hold of my personal mobile number. I told them in no uncertain terms that they would be ignored. Higher ups got whinged at so I asked them to pay my bill, they refused so the customers continued to be ignored.


 
Posted : 14/12/2021 11:51 am
Posts: 0
Free Member
 

Presumably this is so you can connect remotely and work from home? If the alternative is going into the office, what would you prefer?


 
Posted : 14/12/2021 11:52 am
Posts: 9095
Free Member
 

What Billodie said.
We have an office mobile for stuff like that, generating OTPs and suchlike.
Also means your colleagues can still use it when you're on holiday
My predecessor had set up HMRC OTP on his personal mobile, that was fun when he left.


 
Posted : 14/12/2021 11:53 am
Posts: 362
Free Member
 

If it's just an access key generator then stop moaning and get on with it. It's an app that generates numbers that are aligned to a similar list on the server. They don't talk to each other. The app just displays a number from a list.

It's an alternative to the little fob that displays the number.

My work offers the full work access for your mobile but you have to have security in line with the work standard. Most people don't, me included, but I do have the token/access key app.


 
Posted : 14/12/2021 11:53 am
 nbt
Posts: 12478
Full Member
 

I refused to do it for most things - it's my phone, that I use for my stuff. If they want me to use a phone for work stuff, then buy me a work phone and I'll turn it on when I'm working. Mostly they found a workaround (e.g. 2FA via SMS rather than an app - I don't mind receiving texts) but some stuff there's no alternative (HR wellbeing support app, Microsoft Authenticator).

They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.


 
Posted : 14/12/2021 11:53 am
Posts: 0
Free Member
 

If it's only generating a token and you're that concerned, can't you just install Android on your work laptop/computer etc that you're using on the VPN and use the app to generate the token there?


 
Posted : 14/12/2021 11:54 am
Posts: 1012
Free Member
 

2 factor authentication is an important aspect of security now, but not all staff need a paid for work phone.

Do you have BYOD policies and connect to work systems with that device (eg email or teams)?

As a company they need to secure their systems, and have an expectation that staff authenticate themselves to policy. Remembering passwords is one aspect of this, and now a token generator. If you refuse you might not have a way of authenticating onto the network.


 
Posted : 14/12/2021 11:58 am
Posts: 17329
Full Member
 

Do you object to using two factor authentication for your personal apps? It's just a code generator. I find it annoying because for 15 years we used PIN numbers instead, which meant I didn't need to open my phone and find the text message, but now I do.

Now if my Apple Watch would flash the code it would be easier still.


 
Posted : 14/12/2021 12:01 pm
Posts: 0
Full Member
 

I have two phones simply so I can keep one for work. Means I can keep the numbers separate also so I can switch the work one off whilst on holiday etc.

Just get a cheap Motorola or whatever and a £5 p/m sim only for work?


 
Posted : 14/12/2021 12:03 pm
Posts: 281
Free Member
 

I have the same set up at my work, and I generally refuse to install anything work related on it, however my work differs in the fact that I have the option of a key fob that generates the code for me if needed.

In my 7 years working here I have lost 4 of those fobs and can never find it when I need it, so as an exception I have installed the token generator on my phone.
I have made it clear that I won't be installing any other apps, or emails etc to my personal phone and while my boss would like me to as it would be easier for him, there's no actual requirement for me to do so.


 
Posted : 14/12/2021 12:09 pm
Posts: 7512
Free Member
 

You can either ask them to buy you a work phone (and then you've got another phone to look after), or put up with it on yours. Your choice.


 
Posted : 14/12/2021 12:10 pm
Posts: 12087
Full Member
 

If it's just a number/token generator I'd probably just install it. This, however:

They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.

No. I have MS Authenticator/Outlook/etc all installed on a work phone. There's no way I want anything like that on my personal phone.


 
Posted : 14/12/2021 12:16 pm
 wbo
Posts: 1771
Free Member
 

Are you expecting to work from home, and thus the VPN? 2 factor auth is the rule now (or really ought to be) so you need to make that work somehow.


 
Posted : 14/12/2021 12:17 pm
Posts: 4954
Free Member
 

If it's just for 2FA then I wouldn't worry, this is only to help you log into a VPN or similar. If it's for contact or the app wants control of your phone then a no.


 
Posted : 14/12/2021 12:19 pm
Posts: 3099
Full Member
 

I will use my personal phone for MS authenticator app allowing me to WFH and access work VPN, accessing work system for my payslip and booking holidays - although the last 2 are technically via a website (shortcut saved to phone desktop) that you then sign in to and uses 2FA. All of my colleagues, line managers etc know that I will not download work Teams or Outlook onto my phone - this is simply to allow me a clean break between work and personal life and is for the benefit of my mental health. Having previously spent 25 years+ in the hospitality/retail industries I was never 'away' from work - phone calls at 4am, on holiday etc etc. and it simply ground me down. If anyone in my team urgently needs to contact me they have my mobile number and can ring me and that's the agreement we have. Running joke is that if someone sets up a team WhatsApp group the first response from members is from me and is: "<insert name> has left the group" - I do not care if your next door neighbour's granny's dog's partner's cousin has just had a baby or the cat just puked on the sofa again. It's very nice and congratulations.

I'm happy with the middle-ground as I benefit as much as my work does and the boundaries are clear for all.


 
Posted : 14/12/2021 12:20 pm
Posts: 1317
Free Member
 

Fair request is for them to just buy you a cheap Android phone and get anything work related like Teams / Slack / Auth apps on there. Will run fine on wifi with no SIM and cost less than having two people in a room for an hour debating the matter.

Personally I’m fine with an Auth App on personal device but draw the line at MDM / VPN.

Customers being able to contact personal phone is simply a matter for pay negotiation.


 
Posted : 14/12/2021 12:24 pm
Posts: 5185
Full Member
 

If it's just for 2FA I don't have a problem with it, and that's from someone who ditched the work phone a long time ago and don't have my personal phone number anywhere except with HR for emergencies.

It's not enrolling your device in any sort of management, they can't spy on what you're doing or wipe your device, they won't have your personal phone number to bug you out of hours. It just lets you get a code (or approve a push message) when you log in.

As said, the alternative would be to give you a hardware token or having a separate phone that you have to carry or keep charged. I'll take the app on my phone thanks.


 
Posted : 14/12/2021 12:25 pm
Posts: 228
Full Member
 

I fretted over stuff like this pre WFH. It was all optional or work around able for me though at the time. So it was just me arguing with myself.

When work from home happened, after brief period of more fretting I just did what was needed.

That aside, do you not use Google authenticator for any other 2 factor authentication already?
This wouldn't be where I would make a stand.


 
Posted : 14/12/2021 12:26 pm
Posts: 8753
Full Member
 

Strictly limited to an authenticator app I'd have no issue (SMS 2FA isn't secure). Beyond that (publishing my personal phone number in the company directory, giving it to clients, forcing a profile on and being able to manage it remotely) I'd refuse.

I've not actually had my own mobile for over 10 years, work supply one and allow 'reasonable' personal calls so never needed my own (although something better than an iPhone 7 would be nice :p ).


 
Posted : 14/12/2021 12:28 pm
Posts: 28712
Full Member
 

Well we have the same, but it's a choice... they'll give us a phone for it... but then i need to carry 2 phones... which is daft... so the VPN stuff goes on my personal phone.


 
Posted : 14/12/2021 12:31 pm
Posts: 14707
Free Member
 

I've installed a couple of work related authentication apps on my home mobile, simply because I don't want to have to carry a 2nd phone around with me. Teams is one app I will never be installing, I hear lately they were sending out a remote wipe add-on, to ppl using it on their personal devices... it promptly got removed from them!

[edit, hmm just remembered our social media policy] I have a 'friend' currently not allowed to use their company mobile, for apps like Outlook or Teams as they're all below Android 8.1, and this is a security risk..


 
Posted : 14/12/2021 12:35 pm
Posts: 13594
Free Member
 

I turned down a work phone as I can't be arsed having two. I just use my personal one for work (although in reality, that just means occasionally using Outlook on it).

If they wanted remote mgmt, I'd just take the work phone option then never use it!

NB I used to use it a lot more for work when I travelled, had some £1000 phone bills over the years.


 
Posted : 14/12/2021 12:36 pm
Posts: 43955
Full Member
 

Well we have the same, but it’s a choice… they’ll give us a phone for it… but then i need to carry 2 phones… which is daft… so the VPN stuff goes on my personal phone.

Easily the most sensible reply.


 
Posted : 14/12/2021 12:37 pm
Posts: 8008
Full Member
 

As per others if it is just the token confirmation app then I would and do have that on my own phone. Most of the token systems do allow alternate verification such as SMS so a possible option.
The app is self contained and doesn't need any special permissions. Anything more than that eg their vpn email etc would be a hell no since then IS tend to want rights to monitor and wipe the phone.


 
Posted : 14/12/2021 12:37 pm
Posts: 12888
Free Member
 

If it’s just for 2FA I don’t have a problem with it
this, really, sounds like it's as much for your convenience as theirs. If you really don't want to for whatever reason (slippery slope, I guess - although what would happen if you lost/broke your personal phone? Can't work? Will they buy you a new one so you can? 😃), then Android emulator on work laptop is probably the way to go.

They now want to install a tool that lets them remotely wipe a phone
on your *personal* phone? That's hilarious 🤣 Also no possible way that could be accomplished on an iPhone.


 
Posted : 14/12/2021 12:39 pm
Posts: 21643
Full Member
 

Would be a firm "no" from me.

If they want you to use a phone app, they provide the phone.

Do they also put company software on your personal computer?


 
Posted : 14/12/2021 12:41 pm
Posts: 5054
Free Member
 

2FA app, so what.

But this:

They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.

Nope, but then I don't use my own device for accessing work.

MDM is the right control for devices that can access confidential etc data, but no way would I use my own device to do it.


 
Posted : 14/12/2021 12:42 pm
Posts: 591
Full Member
Topic starter
 

I’m not “worried” about it - it just annoys me that the company think they own my personal possessions…

Buying another phone would be a waste of resources, but I might look at whether I need a sim or can just use an old phone on Wi-Fi if they can’t provide an alternative.

I’ve got far less of an issue with my line manager having my mobile number, because how else can she contact me to say that the office is closed due to a COVID outbreak if I’m already on the way to work? 😉


 
Posted : 14/12/2021 12:42 pm
Posts: 14
Full Member
 

*Put on union hat*

Short answer, tell them No.

Companies are required to provide tools and equipment (and relevant training) to allow you to do your job. It really is that simple. If they don't want to provide those tools, meaning you are unable to do your job, then that is their problem.

*Remove union hat*


 
Posted : 14/12/2021 12:46 pm
Posts: 8100
Free Member
 

It just generates an access code. Stop being so bloody precious.


 
Posted : 14/12/2021 12:50 pm
Posts: 39729
Free Member
 

I'd be ok with an authenticator token/MFA so long as it was not proprietary to the company. (we use Microsoft authenticator which I use for personal stuff anyway)

They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.

Absolute hard no from me on that.

I did also draw a line in the sand recently on grounds of mental health and work life separation when they proposed taking our work mobiles away and porting the numbers to our personal phones ....

Not a cat's chance in hell. What will happen there is I will cease to have a mobile phone for company purposes.

It seems to have been received in the manner it was intended.


 
Posted : 14/12/2021 12:50 pm
Posts: 39729
Free Member
 

can just use an old phone on Wi-Fi if they can’t provide an alternative.

If it's Microsoft authenticator....you can. I did this while my company phone was being funny buggers.


 
Posted : 14/12/2021 12:51 pm
Posts: 28593
Free Member
 

Google the app name and see if it has any functionality beyond the login stuff. Obviously make sure it is denied access to location data and personal files.


 
Posted : 14/12/2021 12:51 pm
Posts: 4178
Full Member
 

Now if my Apple Watch would flash the code it would be easier still.

No idea of the details, but the 2FA for my company's VPN works beautifully with my Apple Watch - I enter the password on my computer and then Microsoft Authenticator app flashes up a big "Approve?" button on the watch for me to hit.

I happily install work apps on my personal phone - because I do it to make my life easier. I generally leave myself signed out of Teams on the phone so I can control when I am reachable when away from the computer. My only annoyance is that company policy dictates all Microsoft apps require a 6 digit PIN each time you access them, which seems positively antiquated in the age of biometric logins.


 
Posted : 14/12/2021 12:53 pm
Posts: 40432
Free Member
 

It just generates an access code. Stop being so bloody precious.

Bit blunt, but yeah.

Massive jump to get from using Authenticator to "think they own my personal possessions…"

Do you have some existing beef with your employer OP?


 
Posted : 14/12/2021 12:54 pm
Posts: 1732
Full Member
 

I have a work phone, all authentication goes through that. As does hotspotting when on site, Spotify and Sounds in the van.

There are certain apps I have on my own phone as the phone is faster and it makes my life easier.

Some people in the company dual SIM their own phones, it does make it a hassle to see when they're working as teams always has that green tick even at night. I've been there and most work folks don't have my personal number any more.


 
Posted : 14/12/2021 12:57 pm