Nothing I do personally needs it.
I think you need to examine that thought process. Plenty of stuff you do personally does need MFA and you'd be frankly stupid not to enable it (unless you don't do anything online that is).
You are correct, of course. I do MFA so routinely on my iPhone that I don't notice it.
I would say that if you genuinely feel it's too much of a problem to have an app on your personal phone that you use for ten seconds every week or so then
a) You're working for the wrong company if their culture makes such a minor thing a point of principle
b) You are the problem, not your company
we have lost money due to staff negligence where they gave away access to their accounts through phishing etc, now with secure MFA this is much less likely
Sorry, point of order, but no, you lost money because of your ineffective cyber security. Phishing attacks and other versions of cyber crime can be incredibly sophisticated. Accusing staff of negligence because they happened to be the victim that day is unfair.
Likely scenario - a phishing e-mail got through e-mail security to the end user. A link within that e-mail wasn't scanned and blocked. They clicked on the link and were able to go to a fake site because it wasn't protected by a DNS filter. They had their login stolen because you hadn't enabled one of a few ways to use MFA with, or without using, someone else's device. Any one of those standard measures would have prevented this happening. Don't blame the users. They're not cyber crime experts. Many kinds of spear phishing attacks with a MITM element won't be prevented by MFA alone.
Sorry, point of order, but no, you lost money because of your ineffective cyber security.
Maybe ... or maybe in spite of significant investment in tools, processes and training, the staff member was negligent in their personal responsibility to recognise an attack.
Would you pay for your own boots and assorted PPE if you walked around the factory floor a lot?
In recent times if I have to use a phone for work it's either provided to me, or if I have a choice, they pay my personal phone bill and I use one phone. Things definitely get exciting with apps then though, and on the whole I'd rather have the work phone that I can leave at home when I'm not working.
In the old days, I had a pager. And I damn near got caught cause my beeper kept beeping.
Sorry, point of order, but no, you lost money because of your ineffective cyber security.
Maybe ... or maybe in spite of significant investment in tools, processes and training, the staff member was negligent in their personal responsibility to recognise an attack.
If every attack could be recognised, then cyber crime wouldn't be a $10tn a year 'industry'.
I have the Authentication App installed already as I use it for personal stuff. It's no biggie really.
Would you pay for your own boots and assorted PPE if you walked around the factory floor a lot?
The company are asking to use your smartphone, not buy one. The vast majority of employees will have a smart phone so aren't being asked to pay for anything. The few exceptions can be dealt with as such.
Thanks OP. You reminded me I had expenses to put in at work on my work laptop but accessed with an authenticator on my personal mobile. All sorted now.
Prefer the Google authenticator, which is totally offline, and should work in airplane mode too.
I only used that for work stuff, cos I had it installed already for other MFA stuff, and it literally is just a number generator. Although most of the team were reluctant to use personal phone for anything work related.
Also when you get a new phone, all the profiles simply appear on the new phone. M$ authenticator was a royal pita and in the end I just gave up and regenerated new MFA profiles.
Would rather use a Yubikey or similar.
If you don't already have Google or MS Authenticator already installed and used for personal stuff, then I wonder about your own personal security.
I work for the same company as the OP and I felt the same when the initial email came round the other day.
I've got the Microsoft authenticator app already though so it's not a problem.
Does feel a bit cheeky for work to just assume everyone is happy with that though.
I've had problems with my personal Microsoft account and am locked out of it because of the MFA and MS are ****ing useless and seem to just refuse to sort it out. Read this web page and do this, ok I'll do that, no you can't do that you have to give us all this info, ok here have it all, oh we ignore all that because you have MFA enabled, but I can't log into MFA, oh you need to do this and give us all the info we ignore because you have MFA enabled!!!!!!!!!
****ing ****s!!!!
Does your employer require you to have an ID card or pass to access the premises? Did you moan when they gave you one which you have to carry around with you outside of the premises so that when you get there you can get in? It really is just a modern version of that.
At the end of the day, if you don't want to do it, you can always get another job, your employer is unlikely to care very much to be honest if you are not willing to do something so minor.
I would say that if you genuinely feel it's too much of a problem to have an app on your personal phone that you use for ten seconds every week or so then
a) You're working for the wrong company if their culture makes such a minor thing a point of principle
b) You are the problem, not your company
Christ did you hack my appraisal form?
I don't think it's a problem, it's more the cheek of an email that basically said "today everyone must install an app on their phone for our security". I mean I'll do it but I do think it's interesting that security requires personal devices. But I do genuinely hate reminders of work when I am not working. I quite like my work and everything.
I've forgotten my phone before now. But if I miss a day's* work because I forgot my personal phone I expect to be paid in full? If it was a work phone like my laptop, if I forgot that I'd probably be making up the hours.
*I can't foresee a situation where that could happen.
My previous employer tried this (plc making 100s of millions). I was very vocal in saying no. Compromise was receiving a text code when logging in when not in the office. No work app or software on my phone.
Does your employer require you to have an ID card or pass to access the premises?
No? But then equally they gave me a card to use. I can keep it in my work bag until needed, why would I moan?
This is more like you only get in the building if you swipe your Clubcard but I shop at Waitrose.
My previous employer tried this (plc making 100s of millions). I was very vocal in saying no. Compromise was receiving a text code when logging in when not in the office. No work app or software on my phone.
This was essentially the announcement of that ending.
I have no work apps on my phone because I don't like scrolling and seeing "workappTM" when it's a Sunday.
You know, if your company uses proper MDM and you are on Android, it'll set up a 'work profile' with work versions of all your apps segregated from your personal stuff. This is more secure, but importantly you can turn off the entire work profile with a button - for weekends and evenings etc.
I find attitudes to employers slightly odd. Unless you are independently wealthy and are working for fun aren't you reminded of work every time your mortgage payment goes out, money magically appears in your bank account or your personal phone bill is paid.
IDK how folks manage without using MFA for personal things.
They get their accounts compromised a lot that's how ...
OP - just live with it or work in the office 5 days - ms and google are now thankfully enforcing mfa everywhere (about time too)
My work pass is an app on my phone. Means I’m much less likely to lose/misplace it. They don’t provide me with a phone, or mandate that I have to have the app, but if I don’t, I can only get into the office when someone else is there which isn’t convenient for me.
I have a folder for maybe 6-8 work apps, so it’s easy to ignore. None of these apps are mandated, but they make life easier for me. To refuse them on principle seems silly to me.
I find attitudes to employers slightly odd. Unless you are independently wealthy and are working for fun aren't you reminded of work every time your mortgage payment goes out, money magically appears in your bank account or your personal phone bill is paid.
I always kept a 100% solid barrier between work and home. Never mix the two at all in any way. Requiring me to use a Microsoft or google app on my own phone would not be acceptable to me.
It's lazy and cheapskate from the employer - and a security risk as they do not control that device.
They need to give you a work phone if they want you to use a phone for work.
‘They’ really don’t.
If you need a phone to do your work then work HAS to supply one. What happens if you do not have one that is suitable? Do you have to go out and buy one?
Your work has NO right to expect you to use your own stuff for work. You can agree to but they cannot make you
there are lots of jobs which expect you to provide your own tools. Now there may be an interesting point if you’ve been there long enough to get employment rights but they don’t have to give you a job at all. And the next employer may have written it into their policies before you arrive! I suspect most companies have a way of dealing with the stubborn **** who refuses to use their own phone for MFA - and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
feel free to explain the security risks to the IT professionals on the forum…
I find attitudes to employers slightly odd. Unless you are independently wealthy and are working for fun aren't you reminded of work every time your mortgage payment goes out, money magically appears in your bank account or your personal phone bill is paid.
I always kept a 100% solid barrier between work and home. Never mix the two at all in any way. Requiring me to use a Microsoft or google app on my own phone would not be acceptable to me.
It's lazy and cheapskate from the employer - and a security risk as they do not control that device.
I do not know enough to do so but two essays on the net from HR and IT pros said there was. I think theft of phones was the main one.
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
Which I would be fine with. That phone would never leave my workplace.
You are correct, of course. I do MFA so routinely on my iPhone that I don't notice it.
Which is a problem in itself. Once it becomes "don't notice" then its an exploit waiting to happen and a strong argument for not having work stuff on a personal phone.
Have had a few fun conversations with the security team that they need to get on top of the "MS and okta are bored so are going to trigger some random request for outlook/teams/sharepoint" since if it throws them up every five minutes then I will just tick yes and not notice its asking for access to cyberark.
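The failure mode in the post above, users approving every prompt because prompts arrive every five minutes, is what MFA push-fatigue attacks rely on, and it is detectable from the authentication log. The block below is an added example, not code from the thread or from Microsoft or Okta; it runs a per-user sliding window over a small set of constructed log lines (the `ts user= app= result=` format is an assumption, not any vendor's real format) and flags anyone who received more than a handful of push prompts within ten minutes, together with how many they approved and which apps were involved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real identity provider). Each line is one push
# prompt: timestamp, user, the application that triggered it, and the user's response.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z user=alice app=outlook result=approved
2024-05-01T09:01:05Z user=alice app=teams result=approved
2024-05-01T09:01:50Z user=alice app=sharepoint result=approved
2024-05-01T09:02:40Z user=alice app=outlook result=approved
2024-05-01T09:03:30Z user=alice app=cyberark result=approved
2024-05-01T09:03:55Z user=alice app=outlook result=approved
2024-05-01T09:15:00Z user=bob app=outlook result=approved
2024-05-01T13:40:00Z user=bob app=teams result=denied
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a parsed datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_prompt_bursts(log_text: str, max_prompts: int = 4,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Per user, slide a time window over their prompts and report the densest burst
    that exceeds max_prompts. The approved count shows whether fatigue set in."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event["user"]].append(event)

    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, event in enumerate(events):
            # Advance the window start until the span fits inside `window`.
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > max_prompts and count > alerts.get(user, {}).get("prompts", 0):
                burst = events[start:end + 1]
                alerts[user] = {
                    "prompts": count,
                    "approved": sum(e["result"] == "approved" for e in burst),
                    "apps": sorted({e["app"] for e in burst}),
                    "from": burst[0]["ts"].isoformat(),
                    "to": burst[-1]["ts"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, summary in find_prompt_bursts(SAMPLE_LOG).items():
        print(f"{user}: {summary['prompts']} prompts, {summary['approved']} approved, "
              f"apps={summary['apps']} ({summary['from']} .. {summary['to']})")
```

A burst like alice's, where a privileged-access app is approved in the middle of a run of routine prompts, is the case worth paging on; the usual mitigations are number matching on the prompt and reducing how often the identity provider re-prompts so that a genuine request stands out.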
it’s precisely those sorts of things MFA is designed to avoid, and the post-it notes with the password, or the same login which everyone in the same office uses, etc.
Same at our place as of next week.
Already had emails and guides about installing Microsoft Authenticator app. 🙄
It's another one of those low-level embuggerances that ironically often makes things less secure. Like the stupid requirement still in force at some workplaces to change your password every X weeks. All it does is make people go from Password17 to Password18.
I watched a customer screen share and login to their system today with a password which did the character visible for 0.2 seconds thing - it wasn’t a particularly imaginative password either… I hope they have MFA enabled because there were 17 people on that call - half of them from outside his company and he does this sort of call several times a day!
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
Which I would be fine with. That phone would never leave my workplace.
Assume any work equipment you were issued would never leave your workplace? So you wouldn’t need the phone, as your kit would always be connected to the work network. I imagine most of the folk advocating the use of MFA apps aren’t forcing themselves into work everyday, and can work away from the office at their convenience. You may feel different if you did too.
So you wouldn’t need the phone, as your kit would always be connected to the work network.
That's not how it works.
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
I'll start with I refuse to have any work things (apart from the odd STW post) on any personal devices. This isn't really down to any easily definable binary logic, it's just part of how I maintain healthy barriers (from a personal and subjective perspective) between being at work, and not. Where exactly those barriers are for each of us is entirely dependent on the individual, and not a 3rd person commentating.
I didn't actually have IT seeking out the worst phone they could find, it's what I asked for. I think it's actually 3rd hand, but as all it's doing is taking MFA requests and the odd spam call that's ok with me. If I worked somewhere that didn't want to provide a dirt cheap phone, well, they probably aren't the employer for me unless the pay is good, when I'd just buy a dirt cheap handset on PAYG. I only got the current handset as my previous was not 4G and the network switched off.
I'm sure some other posters will dismiss this as daft, over the top, but, well... they can go **** a duck. If it helps me keep my work stresses from negatively impacting my mental health it's what I'm going to do.
Assume any work equipment you were issued would never leave your workplace? So you wouldn’t need the phone, as your kit would always be connected to the work network. I imagine most of the folk advocating the use of MFA apps aren’t forcing themselves into work everyday, and can work away from the office at their convenience. You may feel different if you did too.
Huh, I don't get stuck into the set up of MFA that much apart from users accessing 3rd party stuff. This reads like your employer has set something up so if you connect to the office Wi-Fi no MFA is required? That certainly is not the case with my employer, makes no difference whether you're in office or not
So you wouldn’t need the phone, as your kit would always be connected to the work network.
That's not how it works.
Oh and too late to edit but I’ll bet that TJ’s reports from HR (???) and IT Pros are about accessing corporate data on a personal phone, which IS a security risk and any security conscious organisation will actively block this.
As I said I do not know enough about this stuff to have an informed view really - I can only go with what others say including those of you with knowledge here. These are some of the articles - it was late last night and I had been at the beer when I made the post so couldn't be bothered to look it up then again.
With the increasingly common use of 2FA (Two Factor Authentication) to enable access to secure sites and apps storing sensitive and critical data, mobile phones are a valuable tool. And in this case even employees who are not required to constantly make outbound calls, a personal phone is a point of significant vulnerability. Should the device be lost or stolen, these critical enterprise apps could be accessed by criminals or bad actors using 2FA on the device, with the risk of fraud, theft, and again heavy fines.
Also ICO guidance
So, from a skim read, those articles are talking specifically about BYOD (Bring Your Own Device ) which is generally understood to mean using your own device to access corporate data and as per my post above is a “no”. What they are saying in the article is that MFA will not protect the corporate data if it is accessed on a personal device, that also has the MFA authentication tokens, when it has not been properly secured and a bad actor has gained access to the device.
there are lots of jobs which expect you to provide your own tools.
And this will be reflected in the tax system in use where expenses for work equipment can be reclaimed. Good luck with trying to claim back anything phone based from HMRC.
I'm with TJ, if work needs something specific for IT use work provides the necessary equipment. With YUBI Keys at £50 inc VAT before volume discounts it's a cheek to ask your workforce to further support the bottom line.
The system I support is vulnerable because the owner doesn't like the faff of MFA, I've secured my account as it's the Admin one but everything else is password only. (There was a bit of a battle about social media and Google accounts that needed some risk explanations before they were secured).
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
I think an element of pragmatism is required and the employer might reasonably assume that most people will be fine with it as it costs the employee absolutely nothing to comply. One might argue that most employers offer more than the statutory minimum holiday, sick pay, etc etc so asking the employee for a bit of leeway here is not unreasonable. It will not introduce any significant additional wear and tear on the device so really a minor inconvenience in the general scheme of things. I 100% agree that if they were asking you to use your device for doing actual work then that is unreasonable but this IMO is not.
The system I support is vulnerable because the owner doesn't like the faff of MFA, I've secured my account as it's the Admin one but everything else is password only.
Oh dear. It's probably only a matter of time before he/she re-evaluates that against the faff of recovering all their data/paying a massive fine/losing his/her business entirely.
but as usual you are projecting from your workplace environment - a job which is done in person, in a specific building - to every other employer and career in the world. I seem to recall that you at one point were working across multiple sites - and so that bulky device would be inconvenient for you to carry. Even moving between wards a discreet device would probably be handy.
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
Which I would be fine with. That phone would never leave my workplace.
now from a security perspective which is better “TJ’s” company brick that he leaves on his desk charging and which anyone in the office can “borrow” and probably learns the PIN number quickly! Or a device that is personal to the individual and likely is neither left unattended nor the password/face/finger security bypassed for random colleagues. The entire principle of MFA is about something you know (your password) and something YOU physically control. As soon as that device becomes another “post it note” left for all and sundry to access you’ve broken the system. Of course it should be locked away if not in use, you probably should have something more than 1234 as the PIN code and never tell it to anyone - but IT security have to deal with the reality not theory because the consequences of a breach are potentially far higher than someone getting unauthorised access to the pool car or drugs cabinet.
of course it’s easy for a person who is retired to declare they would never put up with it; just as it is easy for someone in the public sector to say they must provide you a device. The rest of the population live in the real world and need to pay their bills and don’t necessarily see everything their employer does as an attack on them: it’s perfectly legal for an employer to say it’s a condition of working for us that you must have a smartphone and it must run a particular app - in many hospitality jobs without that you wouldn’t get any shifts, in some places you use the app to clock in and out, and certainly the employment tribunal panel are likely to have done exactly the same to access the court IT system so probably not going to have too much sympathy! Misinforming people of their rights doesn’t help them.
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
Unless it's PPE, this is a bit of a public sector/uniform thing and HMRC will bung you a few ££ to wash it. People who weren't public facing opted to wear their own clothes at their own expense.
Investigators who didn't wear uniform were entitled to a (very) small allowance that might just about keep them in y-fronts
A guy I used to work with had his hair cut during work hours, "Well, it grows while I'm at work"
The rest of the population live in the real world and need to pay their bills
Those bills don't include some that the employer should pay. It takes time but they can be educated that work equipment is supplied and replaced by work. I go out to ensure Sanwich Inc can afford some shiny things along with the household bills only. Too many in the world of work don't see that they need to pay their way; this is a fallacy. If a business will fail because it relies on "free" stuff it's not a viable business.
Back to MFA apps:
I think that my phone does MFA through my apps; banking, email, etc. because all need the phone to access the content.
If I go on the bank website then I either use a card reader/number generator gadget or the app to supply a code. So far, so good (I think)
For other stuff:
Does it matter if I use the MS app to access Google services via website (and vice versa), i.e. one app only?
What happens if I lose the phone? Does this mean that I'm effectively locked out of everything? I can ring the bank, but what about MS, Google, etc?
And this will be reflected in the tax system in use where expenses for work equipment can be reclaimed. Good luck with trying to claim back anything phone based from HMRC.
I haven’t checked but I expect the rules on tools are actually similar - if the tool was mainly used for non-work activity but incidentally used to help a work task then it will not be tax deductible! So if you genuinely are the one person of working age in the country without a smartphone and whose job involves using a computer I’m sure HMRC could be persuaded that buying a £50 Android phone (but not the SIM card - it should work for MFA with WiFi only) was an essential business expense.
that’s fine, when the time comes for pay reviews your employer will know who goes “above and beyond” for the company and who spends more time arguing about the fact they were still in the office at 1701 and had to use an app to authenticate. The same employers may have to consider policies about working from home or allowing personal mobile phones to be carried in the office. It’s not a war but you can make it one. Best to do that in boom times when the market for employees is in your favour!
The rest of the population live in the real world and need to pay their bills
Those bills don't include some that the employer should pay. It takes time but they can be educated that work equipment is supplied and replaced by work. I go out to ensure Sanwich Inc can afford some shiny things along with the household bills only. Too many in the world of work don't see that they need to pay their way; this is a fallacy. If a business will fail because it relies on "free" stuff it's not a viable business.
in terms of workplace unfairness this is so low down on the spectrum of problems - go ask someone in hospitality where shifts get cancelled 15 minutes before you start or people get sent home because it’s quiet (without compensation) or where asking not to be rosta’d for a particular day gets you labelled as difficult and used less often. Those are the fights worth having. Those are the people getting paid minimum wage and exploited not someone who is probably occasionally posting on STW on company time!