What happens if I lose the phone
Some services allow you to use the MS app on more than one device. For my work I have it on my own phone and a work-provided tablet. We’re required to use it for logging into everything, both on and off site, so it’s used multiple times per day across both devices.
Having said that, I have resisted attempts from some of the websites I use to set up a passwordless login because of the potential hassle of being tied to one device if that device is then lost.
but as usual you are projecting from your workplace environment - a job which is done in person, in a specific building to every other employer and career in the world
Actually I am thinking from the point of view of trade union and employment law. But hey ho - continue to enjoy your Stockholm syndrome
I'm obviously a bit stupid but if you don't want to use a phone for 3rd factor authentication what do you suggest you do instead? A totally separate device.
Do you actually understand what's trying to be done here?
you are still projecting from your bubble of a trade union protected industry - it’s not the 1970s most of us don’t actually work for employers where unions carry the sway they do in the public sector. But do tell us where in employment law it says it is illegal to ask your employees to use their own personal phone to authenticate logging in to your network? Next time an NHS trust suffers a major security breach perhaps someone will pause to think whether the staff made it harder for them to introduce very simple processes that actually cost the employee nothing that protect patient data.
but as usual you are projecting from your workplace environment - a job which is done in person, in a specific building to every other employer and career in the world
Actually I am thinking from the point of view of trade union and employment law. But hey ho - continue to enjoy your Stockholm syndrome
What happens if I lose the phone? Does this mean that I'm effectively locked out of everything? I can ring the bank, but what about MS, Google, etc?
I can’t speak for the MS one but the Google one has an icon (a green cloud with a tick) which confirms the codes you have are being synchronised to your Google account - there is a process to restore them to another device. I assume MS have something similar. Many individual services will offer a fall back option like one off barcodes to be used for disaster access.
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
Only if I can claim for the Y Fronts on expenses
But do tell us where in employment law it says it is illegal to ask your employees to use their own personal phone to authenticate logging in to your network?
It's not illegal to ask nor is it illegal to refuse. It would be illegal to penalise a person who does not or cannot do this. As above what happens if you don't own a smartphone? What happens if you do not want your phone to connect to google?
Again - enjoy your Stockholm syndrome. Perhaps you should unionise? 🙂
As above what happens if you don't own a smartphone? What happens if you do not want your phone to connect to google?
If you don't own one then I would imagine the employer would provide you with an alternative method as an exception.
It doesn't connect your phone to Google/Microsoft/ANOther MFA token provider (unless you use their services for backup purposes). It's just an app provided by them in order to make it easier for users to secure their data.
You are right that they can't force you to legally but like I said a degree of pragmatism is required. When considering the implications of enforcing MFA the CEO/person in charge will have made allowances for the minority who refuse and will have an acceptable (from a security perspective) alternative that they can enforce.
Why on earth are you blathering on about Stockholm syndrome? Being at work doesn't have to be a constant adversarial tussle. Jobs are quite useful things to have if you haven't yet retired. I see these attitudes most commonly in people who have been at one company their entire career. If you've ever been on the wrong end of redundancy and struggled to find new employment with a family to support then you tend to have a different perspective on the place that pays your wages.
But hey ho - continue to enjoy your Stockholm syndrome
By your own admission you don't know enough about the subject to actually have an informed opinion, and yet you're more than happy to throw the petty insults around at people who don't share your black/white world view. Perhaps it's time to leave the thread when your position is well understood by everyone and you don't appear to be able to be persuaded otherwise?
By the by; Access to the NHS email account now requires MFA if you log in via the web-page.
As I said I do not know enough about this stuff to have an informed view really - I can only go with what others say including those of you with knowledge here.
TJ - those are addressing a different risk - allowing users to access company data from their own phone. Security professionals have mixed views on that from unimaginable to manageable with the right tools. In part it depends on the sort of data - but we aren’t talking about accessing company systems from the phone here we are talking about an app that generates a seemingly* random code which verifies you have access to a device you have previously set up to generate those codes. Same concept as the card reader you possibly had for online banking 10 yrs ago.
(* they aren’t actually random - but there is no realistic way for anyone to find the codes without the trusted device)
there is still a risk that I lose my phone (or have it stolen), have no or insecure password set and don’t alert IT before someone who has also obtained my password now accesses the systems. Ultimately you can point a gun at my or a loved one’s head and I’ll log in for you - so no system is totally secure.
It’s no less secure on a personal device than a work one - possibly more so as people are likely more careful with personal devices, don’t leave them lying in drawers etc. Company data never touches the device and the device does not need to connect to the company network.
It's not illegal to ask nor is it illegal to refuse. It would be illegal to penalise a person who does not or cannot do this. As above what happens if you don't own a smartphone? What happens if you do not want your phone to connect to google?
Genuine question - has anyone's company actually stated that an employee will be penalised for not complying or are they just trying to operate pragmatically in a tech enabled world?
Again - enjoy your Stockholm syndrome.
Balanced nicely against a world of paranoia and anti-establishment.
If I still worked I would be very happy that my company cared about IT security, even if it meant the very, very slight inconvenience of having to use my phone to log in. Look at all the hacks that have happened in the last year. Any one of them could have resulted in the company completely failing, and putting everyone out of work. Obviously, it's never said how these hacks happened, but adding MFA must reduce the chance of it happening via a user logging in from home.
Obviously, it's never said how these hacks happened, but adding MFA must reduce the chance of it happening via a user logging in from home.
One more time with feeling.
It's
Nothing
To
Do
With
Working
From
Home
🤣
Whatever, the point is still valid (to me).
Why on earth are you blathering on about Stockholm syndrome? Being at work doesn't have to be a constant adversarial tussle.
I think this is the key point for some folks. It's not about working from home or the technical aspects of what is actually happening (all that is happening is that you are using a device that you own and always have with you to say it is you logging in). It's more that some people like a really hard separation between their work and their personal lives and it's an emotional thing. I imagine any sensible employer would have ways of handling that. For me it is much easier to have one device that I keep charged and which I always carry with me anyway so it is zero additional burden. My work is already part of who I am and I don't have separate work and personal lives a la severance.
ta leffeeboy. that's the point exactly
You've got two choices.. Install Microsoft or Google authenticator on your own phone or the company will have to provide you a company phone for authentication purposes.
MFA is sadly a fact of life.
Personally I use the Google one and you can hook that up to work with Microsoft Auth with a bit of jiggery pokery.
What's the lowest level of phone you can run those apps on? Pretty low I imagine. You'll need another SIM though.
Does it have anything to do with working at home? Well if it turns out you're working at home, but haven't done anything as you can't login on the grounds of personal ethics you might be in line for a tricky chat -)
Does it have anything to do with working at home?
Not really
I'd install it. I have a work phone as a complete separation, I'm not tempted to catch up when not working. Teams, Outlook etc are on there along with authenticator.
All my team and managers have my own number if they really need me or want to chat crap.
What's more annoying is having to be pinged a code to Outlook on my phone (or a text or call) each time I log into Edge, Outlook, Teams, powerapp, SharePoint following a data breach elsewhere within the group. Each morning I'd forget, run along my start bar and open the apps up only to be greeted with multiple requests that I'd have to cancel then run through one by one. That issue has improved now but I normally get one while in a meeting and have to share my screen only to be greeted by a log in request. The worst are Outlook on my phone asking me to put in the code sent to Outlook on my phone ... SMS it is then.
TJ has a very militant attitude to work, and he seems to assume that it's all evil bosses abusing us. I don't see it that way. I am part of a bunch of people who are all working towards a common aim which is helping out other people in their jobs. I don't mind this at all. If you came to me and said 'I can't work out where this creaking is coming from on my bike' I'd have a look and help you figure it out. That's more or less what I do at work, only I get paid for it. I just did a bit of learning for something that might help me do my job better, primarily because I'm really interested in it.
I think if I felt the way that TJ seems to think about my workplace I'd find a different one - I can't stand to do a job I'm not interested in, but conversely if I am interested in it I don't mind thinking about it.
Each morning I'd forget, run along my start bar and open the apps up only to be greeted with multiple requests that I'd have to cancel then run through one by one
Your organisation needs to seriously consider implementing SSO on an Entra joined device.
I think if I felt the way that TJ seems to think about my workplace I'd find a different one - I can't stand to do a job I'm not interested in, but conversely if I am interested in it I don't mind thinking about it.
Whereas I find my job interesting and I like it but it gets left at the door and I like to come back refreshed.
I deal with this at my work, in our small team of devs 1 doesn't own a mobile and one doesn't want to use their personal mobile for MFA. Both have been offered cheap works mobiles to use instead. It's not hard.
Incidentally,
MFA is not (necessarily) "an app on your phone." A laptop joined to the domain with a fingerprint reader is two factors of authentication - a certified device and a biometric check. The whole point of MFA is to provide something in addition to a password, a separate physical device on your desk is one such option.
Please read my blog post. I gain nothing from you doing so, but it'll save everyone a lot of typing.
Good luck cracking the password on my personal Microsoft account, it doesn't have one.
Handing out corporate phones doesn't solve the problems because they are expensive and yet another asset to maintain; better to hand out YubiKeys but they have a cost; and text messages and codes to email are not strong enough.
MFA is going to happen for all of us in both work and personal and this idea that you can belligerently refuse to use it on a personal device pretending you don't have one is daft. Feel free to work for a company that doesn't bother and roll the dice to see if they last.
Getting to the point where you regularly authenticate on more than one device means we get past using passwords every half an hour and that's easier than typing ever longer codephrases
just as it is easy for someone in the public sector to say they must provide you a device. The rest of the population live in the real world
I think this is a TJ thing more than a public sector thing!
You can run authenticator on most phones but need Android 15 or equivalent to use passkey which is the strongest method
If your phone is that old that you are wondering whether it will run authenticator, get a new one because the risk of a lack of updates isn't worth it, not just for the MFA but your personal stuff
We have a similar system to access our wage slips and manage holidays.
Except you get a QR code to scan and generate a 3 + 3 code to gain access.
It never works. Usual faffage of multiple attempts require password reset, but not just one password, there are 2: 1 for log in to generate the QR fiasco and another complex password recovery version.
Needless to say I can never get the thing to work and just don't bother logging on which is a shame as we have other content creators who post up information which is sometimes useful or interesting
Anything must be better than our system (where we have been directed that no two passwords can be the same, which does confuse things as no two login ids are the same either). Turn PC on, logon, login to 365, login to registration system, login to business world and then there are various not often used things to login to as well. Then they all have different change password rates, some 4 weeks some once a year.
I can find most people's login details for all of these systems within about 5 minutes, usually on a piece of paper under the keyboard.
I know somebody has already mentioned it but your IT people really need to get single sign on working.
Handing out corporate phones doesn't solve the problems because they are expensive
Isn't the cost for a usable phone for MFA going to be £50 to £100 unit cost with something like a 3 to 5 year lifespan issued with a PAYG sim and just updating itself through wifi, logged once onto the asset register, then once off of it for end of life disposal? That's no more expensive than some office chairs.
This isn't a BYOD scenario, it's for MFA, maybe outlook/teams.
My work phone was even cheaper than the above, the cost was already sunk providing a phone to the previous employee that has it.
I know somebody has already mentioned it but your IT people really need to get single sign on working sacking.
FTFY.
I deal with this at my work, in our small team of devs 1 doesn't own a mobile and one doesn't want to use their personal mobile for MFA. Both have been offered cheap works mobiles to use instead. It's not hard.
See - it's not just a "me" thing -)
I think if I felt the way that TJ seems to think about my workplace I'd find a different one - I can't stand to do a job I'm not interested in, but conversely if I am interested in it I don't mind thinking about it.
Whereas I and others on this thread like a hard barrier between work and home. The two remain totally separate and that's the way I like it.
If you look at the thread it's not just me. Others have the same stance. To me it's much healthier this way
By the by; Access to the NHS email account now requires MFA if you log in via the web-page.
And where I worked using personal phones for anything work related was completely banned. I have no issue with MFA or any other security things. My issue is with using personal devices for work.
My issue is with using personal devices for work.
This is not about using a device for work though. No actual work would be done on the device. It would be different if you were expected to make and receive work calls on it or send and receive emails as both of those could arguably incur charges or at the very least use up some of your paid for allowance. This has negligible cost apart from the amount of battery used for the few seconds it takes to tap the MFA prompt (I’ll bet you would have no problem charging your phone at work anyway and your employer wouldn’t mind). It’s simply using the device as a key for convenience, nothing more to it. Sure you can object and insist you are supplied with a phone but this would be more of an inconvenience to you than them. Most people would see this as just being difficult for the sake of it.
This is not about using a device for work though
Tbh, I think you're missing TJ's point about what a clear break 'is' between work and not work. If you are using your personal phone for MFA to access work systems for "some" people (myself included) that crosses a line which I'm healthier not crossing. And it makes zero difference whether you think that's daft or not.
Your personal experience is your own, I personally am way way over at one end. Way over at the other end others I know are happy to be checking emails during an evening meal at home with their family on a BYOD set up.
Ignoring how someone feels about something, does not stop them feeling that way. For the relatively tiny (especially when there's already a large recruitment HR/Admin cost to every employee) investment it cost my employer, it's a no brainer for them as the return is a happier more productive employee. Although as this thread is making me think about work it's probably time to flounce.
(I’ll bet you would have no problem charging your phone at work anyway and your employer wouldn’t mind)
You would be wrong on both counts
As above - it's about the hard line between work and home
Fwiw, my wife is a lead nurse at an NHS hospital, and is expected to use her own phone for 2FA.
Interesting. Disciplinary offense to have a personal phone in use at work in the hospitals I worked in and people were disciplined for using them.
You would be wrong on both counts
Fair enough then - if my employer refused to let me charge my phone at work and then expected me to use it for MFA I would also tell them to do one and probably look for another job TBH if that was their attitude.
I get the work/home distinction and not wanting work stuff on my personal device but I use the MFA app for my personal accounts. Having my work email listed in amongst them would only remind me about work in the same way as when checking my bank account I see a payment incoming from workco or seeing my key to the office on my keyring. I probably do that more frequently than I need to open the MFA anyway. I would also object to having work emails on my personal phone for the same reasons and in any case it’s blocked and not permitted at my workplace. Anyway like I said employers generally accept that some people won’t want to use their own device for a variety of reasons and will likely provide those people with an alternative solution as they won’t want to cause you any undue stress/anguish.
the two remain totally separate and that's the way I like it.
Fine, but not everyone approaches their jobs that way and it's not necessarily a bad thing if you feel differently. Just something to consider.