IT is telling me I must install the Microsoft MFA app on my phone to access my work laptop.
On principle I don't want to, because I am awkward. But how is IT system security reliant on personal phones?
But how is IT system security reliant on personal phones?
It isn’t, it’s just the easiest way of doing it. Would you rather carry 2 phones around?
It's an access point to their systems. Every access point is a potential threat.
Simple solution is do not use your personal phone to access work email.
No no, you misunderstand. I don't access anything on my phone, that's my policy. This is so I can access stuff on my laptop!
Simple solution is do not use your personal phone to access work email.
It is just a one time passcode algorithm that replaces those RSA hardware dongles we used to need. No security issue.
We had so much bleating about this at our place when we first changed from hardware token generators. If you don't like it get your arse into the office 5 days a week where you don't need it - funnily enough people soon got used to it.
IT is telling me I must install the Microsoft MFA app on my phone to access my work laptop.
On principle I don't want to, because I am awkward. But how is IT system security reliant on personal phones?
My SIM died a few weeks ago, so I couldn't access the MFA thing. Our in-house admin changed the user from me to him so that he could receive the code and then told me what it was. That's how (in)secure these things are.
If you don't like it get your arse into the office 5 days a week where you don't need it - funnily enough people soon got used to it.
They need to give you a work phone if they want you to use a phone for work. Not a chance I would do that.
As someone who has to enforce this stuff - sorry - it's because you're more than likely already using your personal phone for MFA for your own stuff*, and it's far more convenient to ask you to add another account to an Authenticator app you already have and use than have to separate it out - it's simpler for a start because at least in theory you already know how that app works and what it's for.
I have a works phone for on call rotas (from long before MFA was mandatory), and my works authenticator is on there, but if I didn't I'd actually prefer everything to be on my personal phone. The Authenticator app isn't revealing my personal phone number to the world (unlike the on call rota) so I'd be happy for it to be on a personal device.
NB - and seeing that TJ has replied with similar to what he did last time this came up: It doesn't always have to be a mobile, but if it's Microsoft based then they push mobile app as first line of MFA because it's far more secure than SMS or Text. There are second line alternatives like FIDO2 tokens, but in Microsoft's stack you still have to have a mobile app in place as line 1. RSA tokens are no longer considered particularly secure, and certainly don't work with most modern systems.
Always easy enough to claim you don’t have a personal smartphone 🙂
Same at our place as of next week.
Already had emails and guides about installing Microsoft Authenticator app. 🙄
It's another one of those low-level embuggerances that ironically often makes things less secure. Like the stupid requirement still in force at some workplaces to change your password every X weeks. All it does is mean people go from Password17 to Password18.
We all have to use Microsoft MFA at work - it's nothing to do with using your personal phone for work - they don't even have my mobile number, but occasionally the laptop will ask for MFA, especially when working from home.
As someone who has to enforce this stuff - sorry - it's because you're more than likely already using your personal phone for MFA for your own stuff*,
Like what? The one and only reason I have MFA on my phone is for work. Nothing I do personally needs it.
My SIM died a few weeks ago, so I couldn't access the MFA thing.
I have no idea why that would be the case, they don't need a network connection to work, mine works just fine with the phone in airplane mode. It is just a piece of software combining a token with the timestamp and creating a code; the same calculation is being done somewhere else - compare the two for a match.
I have no idea why that would be the case,
If IdleJon had MFA setup to send a text message to a phone then a buggered sim for that number would, well bugger it up.
Fair enough, I forgot about the archaic text OTP implementation. Maybe it would be better if you were moved to an app on your phone 😉
As someone who has to enforce this stuff - sorry - it's because you're more than likely already using your personal phone for MFA for your own stuff*,
Like what? The one and only reason I have MFA on my phone is for work. Nothing I do personally needs it.
Then a lot of your personal accounts are insecure. Absolutely anything financial of mine has MFA on it - banking websites, PayPal, the little bits of Crypto I do - plus rarely used email accounts. It may be out of date guidance now, but there used to be the adage that 99% of the regularly seen 'hacks' (stolen password and account compromises) could be prevented with effective MFA.
It might not even need to be the Microsoft app, the Google one or any number of other ones will probably work as well, but the Microsoft one is nice for MS stuff as it just gives you a pop up on the phone that you accept. I'm surprised if anyone doesn't already have one on their phone for things like Amazon or PayPal. A quick look at mine (I use the MS one for most things) and I have 30 accounts linked.
They need to give you a work phone if they want you to use a phone for work.
‘They’ really don’t.
If you need a phone to do your work then work HAS to supply one. What happens if you do not have one that is suitable? Do you have to go out and buy one?
Your work has NO right to expect you to use your own stuff for work. You can agree to, but they cannot make you.
edit: too slow, what pyro said
and double post, haven't had that in years
In the modern work environment security is important so it is good that the OP's employer is taking it seriously. There is no massive downside to having an authenticator app installed. It does not expose personal information or consume much in the way of resources and using personal devices is the simplest and cheapest way to do this.
There are plenty of big companies such as JLR and M&S that have been hacked which has had a big impact on them and may result in job losses.
If they were asking to install software that could track your location or snoop on your Internet activities then hell no but these auth apps (generally) do not do that.
If it is just for MFA tokens and I don't have to put a work profile on the phone then this would be OK by me. Easier than also carrying around a YubiKey or RSA tag.
Having said that, I also have a work iPhone and use the MS authenticator on that for work MFA.
IDK how folks manage without using MFA for personal things.
IT is telling me I must install the Microsoft MFA app on my phone to access my work laptop.
On principle I don't want to, because I am awkward. But how is IT system security reliant on personal phones?
If it's just MFA, it doesn't matter which one you use, you can use google if you prefer. However, if it's Intune MDM then say no, or **** off, or don't take the piss.
This is a big issue with IT / Industry at the moment, they want MFA and they want it app based because it's more secure than SMS, but they don't want to supply all staff with mobiles. TBH the industry 'uneasy standard' at the moment is that SMS messages are acceptable for users without supplied phones. Or, they provide things like YubiKeys
There are plenty of big companies such as JLR and M&S that have been hacked which has had a big impact on them and may result in job losses.
and Tesco.
Without knowing anything about these hacks are the CIOs and CFOs first on the 'moving on' list? These are the two C-suite folks who should have been planning and spending to prevent these events and minimise their effects on business.
My work said the same.
I use 2FAS Auth on my phone for personal 2FA stuff and did not want to install Microsoft Authenticator.
So I just set up the work auth as another entry in 2FAS instead. It works fine.
From an employer perspective they really don't care what you use as long as you use something. I expect they would provide a shitty cheap phone for you to use just for this. It doesn't even need to have a network connection. But do you really want to have to keep another device charged just for the sake of being awkward?
I have over 300 users on the system here, I enforce Authenticator MFA for everyone, it's the only supported form of MFA that we currently allow.
We have looked at crypto keys etc. but currently just use Authenticator.
We have lost money due to staff negligence where they gave away access to their accounts through phishing etc., now with secure MFA this is much less likely.
Protects them and us.
I have way more personal accounts in my phone for MFA than ones relating to work.
There are NO downsides, only upsides.
You can be awkward and ask for an alternate method like a crypto key, but you're more likely to forget to carry that than your phone.
Like I say, I don't particularly care, it just seems quite funny.
I have no work apps on my phone because I don't like scrolling and seeing "workappTM" when it's a Sunday.
My petty workaround is going to be setting the push notification to full volume of me shouting "THIS IS THE APP WORK MADE YOU PUT ON YOUR PERSONAL PHONE CALLING"
👹
They could provide a YubiKey or similar. Or make you work on a desktop PC in the office rather than a laptop at home.
The MFA is for account access, not the computer, so you would still need one regardless of where they make you sit.
My petty workaround is going to be setting the push notification to full volume of me shouting "THIS IS THE APP WORK MADE YOU PUT ON YOUR PERSONAL PHONE CALLING"
Or... just don't have push notifications turned on.
And don't use the one work specify, then it's not a work app. Bonus is you can use it to secure personal stuff as well.
Nothing I do personally needs it.
I think you need to examine that thought process. Plenty of stuff you do personally does need MFA and you'd be frankly stupid not to enable it (unless you don't do anything online that is).
It might not even need to be the Microsoft app, the Google one
Correct, Google Authenticator works just fine with MS. It's companies that insist on Duo that I find annoying as it's another app that has to be running.
If you need a phone to do your work then work HAS to supply one.
Doesn't work like that in the real world, as much as you might want it to.
Yeah we have accounts that require it too not just remote access.
We had a process for awkward buggers to whinge at their managers and insist on an old school RSA dongle even though almost everybody has a smartphone. I've always worked on the basis that the less I bring inconsequential issues to my manager and waste their time resolving them the better.
Plus if I have apps on my personal phone that I need for work nobody can complain when I am looking at crap on the internet during work time.
Nixie - it does for sure. As I said what happens if you do not have a smartphone?
There is always a workaround for folk as Robola says. Work cannot make you use your own devices for work stuff.
What happens if you do not have one that is suitable? Do you have to go out and buy one?
They could provide a YubiKey or similar. Or make you work on a desktop PC in the office rather than a laptop at home.
If they make you work from the office, do they have to get you to the office in order to access the machines too? Or do you use your own means (car, bike, shoes etc.) to access them?
Same thing
We've been through/are going through this, and it's potentially not as trivial as it's described. At least one of the cyber hoops we jumped through (possibly Cyber Essentials+) wanted any phones used for business use to be on the latest version of the OS. Cue lots of discussions along the lines of:
[Company] You'll need to upgrade to iOS 99 (or whatever)
[Employee] My phone won't upgrade
[Company] You'll have to buy another phone
[Employee] My phone is fine, I don't want another.
[Company] We'll give you a phone
[Employee] I don't want 2 phones
In the end the cheapest option was some cheap wi-fi tablets (I currently have 7 different MFA applications installed).
There's a lot to unpick here, much of which has already been said.
Firstly, I'm kinda with TJ (and the OP) here in that if work requires you to have a tool to do your job then they should be providing it. What happens if you don't have a smartphone?
That said, adding a work-related MFA token to whatever authenticator app you already have is innocuous enough. It's not installing a work app, it's merely adding an entry into an app you should already have.
If you aren't using MFA for personal stuff then you really should be, certainly for anything you care about. Passwords are not fit for purpose. If your email is compromised then someone can go on an "I forgot my password" spree and pillage your life.
If they want to push Mobile Device Management to your phone then that's a hard pass and they absolutely should be providing you with a work phone - it will take over your device and it is by design a bitch to remove.
Incidentally, is the only form of communication with work / customers via the laptop (Teams etc)? What happens when you have an IT issue and can't log in?
When you say "to access my laptop" do you mean to log into Windows or to use apps? My personal Microsoft account no longer has a password at all, it's associated with my laptop via a PIN so is in effect inherently MFA. (Why aren't they using Microsoft Hello for Business?)
Yes, there might be a workaround, but making a big deal out of something this minor is a stupid way of making yourself stick out. Also what happens on the day you forget the alternative method? IMO refusing this kind of request is akin to expecting your employer to pay for shoes if your job required you to walk around the office lots, or to pay for your suits because they require business dress. Also the number of people without smartphones is vanishingly small now.
I wrote about this, it'll save some typing.
Old McDonald Had a Password, M, F, M, F, A. – Blue Team Hackers
At least one of the cyber hoops we jumped through (possibly Cyber Essentials+) wanted any phones used for business use to be...
"Used for business use" as in having an MFA token or using Office etc apps?
From the other POV at least one major US tech company manages to supply all their employees with multiple security tokens. Without them they can literally do nothing other than splurge on the free office food.
It is petty as you say in the title OP. Refusing is a bit like saying I’ve got keys to the office so they need to provide me with trousers to keep them in.
I expect if you make a fuss they will give you a phone that you will need to carry in addition to your personal one and don’t be tempted to use it for anything other than work as I imagine they can also be a dick about things if they want to.
I kind of agree that they should provide you with a phone but the cost of providing mobiles and contracts for all staff will be prohibitive and not enforcing MFA will leave them vulnerable to attack. If they get Ransomwared and go bust/have to make you redundant, because everyone refused to use their phone to generate a code then presumably you’d wish you used MFA on your phone…
IMO refusing this kind of request is akin to expecting your employer to pay for shoes if your job required you to walk around the office lots
Would you pay for your own boots and assorted PPE if you walked around the factory floor a lot?