[Closed] Company expecting use of personal phones for work

Posts: 12809
Free Member
 

For my sins I consult (sell) Cyber Security to Business.

This is a subject that comes up a lot for debate as you can imagine.

MFA is one of the best tools we use to combat cyber crime, it's far from foolproof, but most businesses / industries either use it already, or will be very soon.

I personally don't like the idea of using users (staff members) personal phones. Firstly, they don't like it, for various reasons. For example, I personally keep all my work related apps in a folder so I don't have to look at them when I'm looking for JustEat on a Friday night or whatever - and my phone is 100% paid for by my employer.

Secondly, it's a fudge. Typically we will assume the Apple devices with current OS are secure, but that's not always the case, some people can, and do jailbreak their phones for whatever reason, some people use 1111 as their PIN or even don't use any security at all and leave their phones on their desk when they're not there. Android phones are worse (this isn't an Apple v Android argument) because they're less restrictive and you can download apps from lots of sources etc.

When we're dealing with company owned phones we can use MDM (mobile device manager) to mitigate those risks somewhat, but I don't think anyone would ever willingly allow MDM on their personal phone, there are lots of rules governing what can be done with MDM, but in theory they can know what apps you have, where the device is (usually with a notification on the phone) and number of contacts / photos etc.

Personally, I see this solution as a box ticking exercise. It's more secure than not having MFA, but not as secure as it should be and it relies on a lot of goodwill from users, and I've never met a user who actually likes using MFA, it is however, cheap.


 
Posted : 14/12/2021 12:58 pm
Posts: 1294
Free Member
 

If it's just an authenticator just do it. Microsoft and Google authenticators are lightweight and unobtrusive and you'll likely start to encounter more services expecting you to use them if you haven't already.

If it's an in house app I'd want some more details about what it's doing but your phone should warn you of any questionable permissions it's asking for. Alternative is carrying around a separate phone or fob for one function and that seems inconvenient for everyone.


 
Posted : 14/12/2021 12:58 pm
Posts: 3349
Free Member
 

I have rebelled when a company has tried to get me to install Teams but will only do it if they can take over admin of the phone.

I'd much rather only have one phone than carry multiples. I have no issue with ignoring work calls out of hours.

In the OP's position I'd be happy to install the no generator if it could be proven there was no spyware included.


 
Posted : 14/12/2021 1:00 pm
Posts: 39730
Free Member
 

Here's a thought. Also, have any of you read your IT policy on use of mobile devices for business purposes?

Ours says that (historically all company owned when this was written) mobile devices used for conduct of company business upon leaving the company should be surrendered to the company for "quarantine" for business records purposes.

Now admittedly that may have been rewritten since the new policy of allowing personal mobile devices to be used and cloud based systems..... But it would be worth finding your company's stance on such matters before leaving yourself wide open to it by having emails and teams etc on your personal mobile.


 
Posted : 14/12/2021 1:01 pm
Posts: 591
Full Member
Topic starter
 

Anyone got any experience of SafeNet?


 
Posted : 14/12/2021 1:04 pm
Posts: 17329
Full Member
 

Here's a thought. Also, have any of you read your IT policy on use of mobile devices for business purposes?

Yes of course. I'm sat here with the new upgrade phone to set up, and have the option of purchasing the old phone (8 plus). Our company allow (reasonable) personal usage on the work phone, negating the need for two phones. I'm satisfied with that.


 
Posted : 14/12/2021 1:06 pm
Posts: 4808
Full Member
 

Just for an app - over reacting I think.

Using your personal mobile number? I've made it clear (to work) that anyone (client) calling me out of hours or when on leave will have their number blocked immediately.


 
Posted : 14/12/2021 1:06 pm
Posts: 13505
Full Member
 

If it's just for 2FA then I wouldn't worry, this is only to help you log into a VPN or similar. If it's for contact or the app wants control of your phone then a no.

This is my view.
I actually have a work phone but have the 2fa app on my personal one for various reasons of convenience. If they wanted access and/or to be able to view or wipe stuff then they can go away.

I joined a small firm a couple of years ago who asked all staff to use their personal phones for work calls, I politely declined. The compromise solution was they paid me an extra few ££ per month to cover a cheap SIM card that I plugged into an old phone.


 
Posted : 14/12/2021 1:06 pm
Posts: 39730
Free Member
 

Safenet trusted access ?

Direct lift from their site

Simplify compliance with real-time auditing of who is accessing which app and how.

Yeah I'm out on that going on my personal phone.


 
Posted : 14/12/2021 1:06 pm
Posts: 39730
Free Member
 

Our company allow (reasonable) personal usage on the work phone, negating the need for two phones. I’m satisfied with that.

Which is the sensible option to achieve what our lot are trying to achieve, which is giving the guys the option to carry one phone - and they have done for years.

Now they are trying to force not only the one phone thing (means generally they see you as contactable 24/7, or certainly more than if you have two phones) but also the burden of cost of the equipment falls on you too in our mob's approach.


 
Posted : 14/12/2021 1:09 pm
Posts: 0
Free Member
 

If they want me to use a phone for work stuff, then buy me a work phone and I’ll turn it on when I’m working.

This.

Although I may be particularly cautious, because early on in my career as a lawyer (early 00's and pre-smartphone) my then boss asked me to attend a police station interview and use my personal mobile with clients.

I get a call just after midnight from an unknown number - it's the client who was remanded to prison, and who smuggled his phone into his cell via means I don't even want to think about, save to say Nokias back then were very small and streamlined.

Looking at potentially serious consequences as a result I made clear to that employer in no uncertain terms if they wanted me to be available for work calls they would need to pay for a work phone in future.

There's also the issue nowadays with personal smartphones about data processing and retention - who is the data controller and where is the data held? We are explicitly forbidden from using personal phones for work purposes, other than in an emergency.


 
Posted : 14/12/2021 1:14 pm
Posts: 21643
Full Member
 

If you have your personal phone on the desk because you are using that app and accidentally knock it off and the glass front and back shatter as it hits the floor, who is paying for the replacement?


 
Posted : 14/12/2021 1:23 pm
Posts: 433
Free Member
 

Safenet trusted access ?

Direct lift from their site

Simplify compliance with real-time auditing of who is accessing which app and how.

Yeah I’m out on that going on my personal phone.

I think you have misunderstood their product.

It's not snooping at what apps you are using on your phone, it allows companies to monitor who is connecting to the company "apps" (e.g. webmail, VPN, etc) and from where. The app on your phone is just a code generator.

Also, I can't be bothered to go back and find it to quote, but whoever said a while back that remote wipe isn't possible on an iPhone has been drinking too much apple sauce. It's called MDM and works on all modern phones.

I think most people in this thread have got the balance right - an app for generating codes on a personal phone, with no work calls etc? Fine... it's not really worth the company investing in buying you a mobile phone just for those codes (yes other solutions are available like RSA fobs but they are incredibly expensive for what they are and people seem to have a knack for losing them)

Any more than that - if you have your work email, teams etc on your personal phone then your company *should* be able to remote wipe the phone (If you have it setup as an exchange connection, they have this ability!) and that is where a conversation should be happening, and probably a work phone provided.


 
Posted : 14/12/2021 1:31 pm
Posts: 5661
Full Member
 

They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.

This is pretty normal for any business with company information you possibly wouldn't want accessed if the phone was lost/stolen etc.

In my time in IT with my current financial services company where any phone/device has to be enrolled and technically is wipeable by the company, if it is allowed to access company resources on it - I've never known it happen for a personal mobile.

However if you don't want to use your own device in that way, a company device should be provided. MFA/VPN authorisation doesn't come under that though. And honestly, if someone doesn't already have MFA set up for multiple personal accounts already I'd be telling them to set it up.

I think most people in this thread have got the balance right – an app for generating codes on a personal phone, with no work calls etc? Fine… its not really worth the company investing in buying you a mobile phone just for those codes (yes other solutions are available like RSA fobs but they are incredibly expensive for what they are and people seem to have a knack for losing them)

Any more than that – if you have your work email, teams etc on your personal phone then your company *should* be able to remote wipe the phone (If you have it setup as an exchange connection, they have this ability!) and that is where a conversation should be happening, and probably a work phone provided.

Well summed up. I choose to have my personal phone enrolled because it makes my life easier for checking my rota/accessing MS teams when I'm at a different site or away from my desk. I don't NEED to access work stuff on my phone, I choose to. If I was working an on call rota or needed access to emails on a phone then I'd get a phone request put in.


 
Posted : 14/12/2021 1:35 pm
Posts: 2908
Full Member
 

tell em to do one. i would (and did) flatly refuse to have emails and other stuff on private equipment.

obviously - now i own my own business i would encourage it of any of my employees... haha!


 
Posted : 14/12/2021 1:38 pm
 Sui
Posts: 3148
Full Member
 

xora
Full Member
Oh and at least with Android phones you can stick the app in a separate sandbox from personal stuff so it isn't a security risk 😀

eh, come again??

We had this at work, caused a bit of frustration with some, but it was a case of either take it, or don't have a laptop and you can't access your work emails.. I've not had a personal phone for about 20 years, i appreciate there are various complications with this, but my work means people call me all the time and it's frankly give and take..


 
Posted : 14/12/2021 1:41 pm
Posts: 17329
Full Member
 

Which is the sensible option to achieve what our lot are trying to achieve which is giving the guys the options to carry one phone -and they have done for years.

I should also add that I'm not client facing and nobody from work ever calls! We use teams for calls at work. If I was routinely facing outside and getting lots of work calls out of hours, I'd use two phones. Work stuff is ringfenced on the phone by MS. Personal stuff (like email, WhatsApp, etc) is not. Still annoying that our VPN sends an SMS rather than the code on my watch (I just tested it!)


 
Posted : 14/12/2021 1:48 pm
Posts: 2681
Full Member
 

I used to have a physical VPN token which was a pain due to its size and ability to disappear, the battery didn't last long and ordering and returning the old one was a faff.

I had to download MS Authenticator to use the government portal to claim child benefit, was then happy to use it as a VPN for my work.


 
Posted : 14/12/2021 2:01 pm
Posts: 28593
Free Member
 

It’s not snooping at what apps you are using on your phone, it allows companies to monitor who is connecting to the company “apps” (e.g. webmail, VPN, etc) and from where

Depends in what form the 'and from where' information is available to the employer. Is the app active in the background or just when log-in is attempted?


 
Posted : 14/12/2021 2:02 pm
Posts: 7203
Full Member
 

RE Credit Suisse access to personal phones (or any bank really).

if used for work communication with clients or colleagues, according to reports.

This isn't unusual - especially if the positions are FCA regulated as all client communications are supposed to be monitored. If a client texts your personal phone, you're supposed to reply via work channels, either email or monitored phone line.

Our BYOD policy is pretty widely worded to basically allow them full access to your personal phone, so I'll be keeping my work phone...


 
Posted : 14/12/2021 2:30 pm
Posts: 12809
Free Member
 

They now want to install a tool that lets them remotely wipe a phone they suspect is compromised / lost so a few colleagues are on the verge of uninstalling stuff like MS Teams.

The ethos / point of 365 is to allow users flexibility, but it should be that, flexible. It shouldn't be a way of employers making you available outside of work to suit them, on top of them having the benefit of your mobile device for free.

During my little rant above I forgot to mention what I would allow. I would install either Google or MS Authenticator on a personal phone. It 'belongs' to you, as in you can sync it with work stuff, but also private stuff. I wouldn't install something my employer gave to me, unless I was very sure it was benign. I certainly wouldn't install some bespoke company owned software, not a chance.

Again, unless it suited me, I wouldn't install 365 tools on my personal phone either, and as some people have already mentioned. Whilst this is great for employers to 'allow' their staff to work out of hours, knowing a lot will 'just because', the problem is they'll require extra security tools to be installed to manage cyber risk and that's way past fair and reasonable to me. If I was asked to allow MDM to manage my personal device, at the risk of it being wiped if I'm deemed to be compromised, that's a very hard no from me. If nothing else, you just know some HR bod is going to wipe and block YOUR phone if you end up leaving that job.

If your employer is going to allow you access to their data from a mobile device, it should be their device. They shouldn't be installing MDM on anyone's personal device, it opens them up to all sorts of legal problems if nothing else. Frankly, when 365 (I know there are other options but we're MS partners) offered everyone the opportunity to access their company tools / data from any device, anywhere, it seemed great, but it didn't take long to realise how much of a security nightmare it is. We no longer allow it.


 
Posted : 14/12/2021 2:37 pm
Posts: 13594
Free Member
 

If nothing else, you just know some HR bod is going to wipe and block YOUR phone if you end up leaving that job.

I had the other side of it, I added work's Exchange server to my personal phone via iOS's built in Mail app and after 10+ years I disconnected it and all my contacts vanished. Turned out every contact I'd added after adding Exchange had been added to the Exchange account and not my personal email account, so my Contacts was pretty much cleaned out.

Luckily I still have access to Exchange so can manually add them back in. Now I just have the Outlook app installed which keeps everything in its own walled garden and doesn't use any built in iOS apps like Mail or Contacts etc.


 
Posted : 14/12/2021 2:44 pm
Posts: 2335
Free Member
 

We just get a 4 digit PIN texted (actually 3 in the same text) to us (my own phone) for use with Cisco on our laptops to log on to our servers.

So I use my own phone, but all it is is a 4 digit number via SMS, no apps involved.


 
Posted : 14/12/2021 6:46 pm
Posts: 4954
Free Member
 

tell em to do one. i would (and did) flatly refuse to emails and other stuff on private equipment.

Thing is from the OP it sounds like this is not emails or messages, just a 2FA authentication app. Very very different to actually having any communication.


 
Posted : 14/12/2021 7:25 pm
Posts: 4389
Full Member
 

I work in a college and they removed all the desk phones to get everyone to use Teams instead. Problem was, no one was given a headset to use and the dial pad in Teams wasn't available. This went on for a couple of months and we kept being asked to phone parents of students for various reasons. Some staff used their personal phones but a lot of us, including me, refused to use our personal phones.

I'm on a sim only contract with limited calls and data so I'm not using it for work unless they pay me in advance. They wouldn't, so I didn't.


 
Posted : 14/12/2021 7:38 pm
Posts: 14484
Free Member
 

That would be a no for me.

Not for any technical reason but because of the way I mentally "shut work out" after finishing up for the day. Having anything work related on a non work device would interfere with that.


 
Posted : 14/12/2021 7:49 pm
Posts: 2335
Free Member
 

We don't have desktop phones in the office anymore, they've switched to Jabber with headsets so we can use our office phone numbers at home and dial from our laptops. It's actually been a really good change.


 
Posted : 14/12/2021 7:53 pm
Posts: 0
Free Member
 

Overreacting


 
Posted : 14/12/2021 8:00 pm
Posts: 6362
Free Member
 

Do as I did when my boss told me much the same. I pointed out that I don't use a mobile. It wasn't in my terms of employment so tough. If she wants to give me one then fine. It will be switched on at 9am and off when I stop work.
Just refuse or if that's hard for you answer it at your convenience. If there are complaints say that you don't use your phone, at home, on the bus, bog, job, driving or whatever.
Make life even easier and chuck the bloody thing away. Virtually all mobile use is not important anyway.


 
Posted : 14/12/2021 8:39 pm
Posts: 368
Full Member
 

Some interesting overreactions here. The way I see it there are three sets of circumstances:

1. Field employee. Needs VPN access. Should be given work mobile.
2. Office employee wanting to WFH. Should just install an app that gives them a code to login to VPN - it’s there to make your life easier after all. You could just go to the office instead.
3. Office employee wanting to access emails, teams etc so they don’t have to sit in front of their laptop when they WFH. Should suck it up and install the monitoring stuff on their phone. It’s not like anyone is actually checking up on what you do and it’s for your convenience.

OP sounds like case 2.

If you need it because of mandated work from home during covid, then it’s probably unreasonable to expect your employer to buy everyone a mobile. Considering what the app does, I don’t get why there would be any problem.

For people saying they’d rather get a text, this way you have to give your number to someone. Surely an app is better?


 
Posted : 14/12/2021 9:12 pm
Posts: 0
Free Member
 

So OP does your company not issue you a work phone, because that seems to be the real issue here. Whether the 2FA is an invasion of privacy is irrelevant if the company gives you a work phone and you choose to use it.


 
Posted : 14/12/2021 9:15 pm
Posts: 39730
Free Member
 

For people saying they’d rather get a text, this way you have to give your number to someone. Surely an app is better?

Tbh I'd rather someone had access to my number (something with which they can phone me and text me ) than install software that gives them access to my phone....


 
Posted : 14/12/2021 9:20 pm
Posts: 6939
Full Member
 

MFA / password generator is 'unmanaged' - that means you choose the permissions, you delete the app etc... The only thing the organisation does is 'seed' the app to make it uniquely linked to you otherwise all the appstore downloads are identical. There is no risk from this other than the risk that comes from the app itself. Personally I believe the convenience fully outweighs the risk (you are over-reacting). Union style responses IMO are bollocks unless you want to carry an extra 'thing' around, usually a physical token of some kind, but you should have that choice.

Mobile Device Management is an app that gives management control for the device to the organisation issuing the request. This is bad unless they own the phone in which case it's no different to when they give you a laptop. It can do things like track location, wipe data etc... i.e. all the bad stuff you don't want within a hundred miles of a personal device.

There is also a middle ground called Mobile Application Management where once 'provisioned' usually by you logging into a work resource from the app, the app itself becomes controlled by the organisation such that they can wipe data from the app if you leave or transgress. Examples include things like the MS Outlook app. Again, no risk other than you giving the app too many permissions but at this point your personal device is getting more 'worky' as it does more work things like communications and collaboration (e.g. Teams).


 
Posted : 14/12/2021 9:24 pm
Posts: 368
Full Member
 

@trail_rat these MFA apps in no way give anyone control of the phone. When you log into the thing that requires MFA the app server generates a push notification on the phone for you to accept, or you enter a code shown on the app. The only control the company have is being able to remove the phone from their MFA system, thus stopping it from being able to get the codes. Nothing nefarious.


 
Posted : 14/12/2021 9:34 pm
Posts: 8008
Full Member
 

Not for any technical reason but because of the way I mentally “shut work out” after finishing up for the day. Having anything work related on a non work device would interfere with that.

It doesn't though when used just for multi factor authentication. You only get the notification if you have requested it, e.g. by logging onto the VPN in the morning, at which point you say yes and forget about it for the rest of the day (unless you also have the fun of needing to go onto servers which might need it every time).
Admittedly thinking on it there would be a certain pucker factor if I did get an out of hours request since it would mean someone has grabbed my username/password so would have to contact the security helpline to get it locked down.

I am someone who errs on the side of keeping work stuff well away from my own but have never bothered transferring my mfa app from my personal phone to the work one I got several months after it was rolled out. Just set the latter up for backup texts since then I can leave it off most of the time.


 
Posted : 14/12/2021 9:48 pm
Posts: 808
Full Member
 

A long time ago now so I don't recall how it was done, I used to root my Android phone. It would allow remote wipe software to think it could remote wipe when it couldn't.

I don't root anymore as it's not secure for banking apps. Plus my phone gets synced to the cloud so it wouldn't really matter if it was remote wiped.

I now consider all my work contacts to be personal contacts for the progression of my career for whomever I may be employed by and so am no longer precious about using my personal device like I was 10 years ago.

Work is very give and take for me and as I'm not direct customer facing this approach works well.


 
Posted : 14/12/2021 11:50 pm
Posts: 33961
Full Member
 

I have a company email address so that I can receive emails directly, both to do with HR and policy stuff, and for staff information like offers for tickets to sponsored events, etc, which I don’t have a problem with. I also have 2FA, and the Google Authenticator as well. I’ve also got phone numbers for some other members of staff, should I, or they, need to get in contact urgently. It doesn’t get abused, and I think that if someone did start to ‘over-use’ the facility, words might be had.
I would not, however, agree to having business software put on my phone for their convenience; they can give me a phone for that specific purpose, and in fact we are all given tablets for work use, if they get damaged, they're replaced, simple as that. I have no issues with carrying two devices, I used to bring my tablet home with me, because under previous management they were in short supply, people would forget to put them on charge, or damage them, then just help themselves to whatever one was handy that worked, and if I was on a late shift, I'd often arrive at work to find nothing but broken or shonky tablets left, which impeded my ability to do my job, which was taking the piss.

Now we all have tablets, they’re being treated with more respect, and we now leave them at work, so that IT can monitor them and more easily run diagnostics and updates over the business wifi, so I’m happy to leave it at work.

The nature of the work we do is such that very few people could work from home anyway, so the question doesn’t really arise; I think that Tom, our HR guy, is one of the few who does, but he lives close enough he walks to work anyway!

And as a new dad, it’s something that gives him a good work/home balance as well.


 
Posted : 15/12/2021 12:45 am
Posts: 78453
Full Member
 

This is simple. If your employer requires you to have tools in order for you to be able to do your job then they should be providing you with those tools. End of discussion, next question?

Yes, an MFA app is generally innocuous, there's little harm in you installing (say) Google Authenticator onto your personal phone. And indeed, that's exactly what I did. The problem is that it sets a precedent. Today it's an authentication app; tomorrow it's email; the day after it's Teams and by the way we'll need to take control of your handset for security purposes (which as PJ says, they absolutely should).

There's little harm but, why should you? I'm paying for a mobile phone contract for my own benefit, not everyone else's. I learned this the hard way like 20 years ago, I thought "great, work are providing me with a phone, I'll save a fortune!" right up until I started getting calls from staff at sparrowfart on a Sunday morning wanting help in getting a game working on their home computer.

At the very least, if you're expected to use your personal phone for work purposes then I'd expect a contribution towards the bill.


 
Posted : 15/12/2021 7:21 am
Posts: 368
Full Member
 

@Cougar what if you need the MFA app so you can work from home? Would you refuse and request a work device, or just go into the office?

We had that situation, a handful of employees requested MFA codes sent to their desk phones, then realised that was stupid and switched to their mobiles so they could work from home.


 
Posted : 15/12/2021 8:30 am
Posts: 39730
Free Member
 

To be fair our lot had MFA on appropriate devices before working from home gate.

When it was mandated to work from home the it department was fully set up for remote working.

That said it's the sort of thing I might do short term, but in much the same way I made do with a shitty desk and chair for a month - 6 weeks, when the end wasn't in sight I put in a request for a desk, chair, keyboard, mouse and my monitor setup from the office.


 
Posted : 15/12/2021 8:46 am
Posts: 78453
Full Member
 

what if you need the MFA app so you can work from home? Would you refuse and request a work device, or just go into the office?

As above, I installed it on my personal phone for my own convenience. If work were mandating it then they can provide me with appropriate equipment.

If I'm a home worker and work requires 2FA then again, they need to facilitate that. "You have to provide your own personal smartphone or come in to the office" is insufficient reason to deny your legal right to Flexible Working.


 
Posted : 15/12/2021 9:50 am
Posts: 6894
Full Member
 

I'm fully with Cougar on this and I think there are a lot of companies burying their heads in the sand at the moment with regard to working from home, because you know, Covid. That was fine in mid 2020, but it's still going on and there really is no end in sight, plus lots of businesses are seriously considering blended working without considering the implications. Absolutely my phone is my phone, it's not for work. I think there will be big issues in future over workstation setup etc. How many people have a compliant work space, adjustable chair, monitor, keyboard position etc.?


 
Posted : 15/12/2021 9:58 am
Posts: 78453
Full Member
 

Yeah, that's a whole other argument. An employer's responsibility for the health & safety of their workers doesn't change with regards to home workers.

My employer offers home workers something like fifty quid apiece towards a chair and a desk. My setup cost considerably more than that, I do wonder whether legally they should be on the hook for more.


 
Posted : 15/12/2021 10:17 am
Posts: 40432
Free Member
 

How many people have a compliant work space, adjustable chair, monitor, keyboard position etc.

My employer works in occupational health and I've created content with doctors and physios addressing the risks to health around WFH.

They sent me the worst office chair I've ever sat on.

😀


 
Posted : 15/12/2021 10:22 am
Posts: 78453
Full Member
 

A little while ago we got a refresh in the old office, new chairs throughout. I googled the model name, the first or second hit was "winner of 'world's most uncomfortable office chair' three years running." 😁


 
Posted : 15/12/2021 10:26 am
Page 2 / 3