Forum menu
I don't hate my job, or my company, but the work MFA app is on my work phone, and not my personal phone. I would refuse to install one on my personal phone, too - if work insists on my needing MFA, they can provide me with the means to do so.
Fair enough then - if my employer refused to let me charge my phone at work
There is a valid reason for this - PAT testing and liability
Fair enough then - if my employer refused to let me charge my phone at work
There is a valid reason for this - PAT testing and liability
You misquoted me and didn’t include the bit where I said if the employer expected you to use your personal device for MFA and then refused to let you charge it. PAT testing requirement if you use a wall charger is understandable but most phones these days don’t come with one and you can charge it off your laptop/desktop and even the monitor is some cases - all of which will have been PAT tested. Mobiles themselves do not require PAT testing but obviously if your employer prefers that you don’t plug your personal device in at all for whatever reason then they shouldn’t expect you to use it for MFA. That is my point.
It's another one of those low-level embuggerances that ironically often makes things less secure. Like the stupid requirement still in force at some workplaces to change your password every X weeks. All it does means people go from Password17 to Password18.
Yeah, various places I’ve worked had that, including the last place, which was a real pain in the ass, because there wasn’t any real security risk to the information, all it was was registrations of the various vehicles on site, and the location where they were stored.
All of us chose some easy to remember word then added incremental numbers on the end. We might just as well have just used our own names.
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
Depends on the type of work. Anything that involves stuff getting dirty, I’d expect PPE to be supplied, or an allowance to cover expenses.
There is a valid reason for this - PAT testing and liability
No there isn't.
It's a myth that PAT is required in low-risk environments (or indeed at all, really), so this is wrong I'm afraid. The law requires an employer maintains and monitors electrical equipment which has potential (ho ho!) to cause injury. PAT is simply a method of demonstrating that they've done this. Some bloke in hi-vis running round putting stickers on things is a money-making racket.
Look, let's put this to bed.
There is a difference between "using your phone for work" and what we're discussing here. I have always agreed with TJ here in keeping work/personal separate. I learned this one the hard way 25 years ago when I started getting calls on my personal number from work colleagues on a Sunday morning wanting help with their home computers. It's something I've always pushed back hard against.
If by "using your phone for work" that means accessing internal systems then any security-conscious organisation should be pushing security policies to your phone, potentially overriding your own access rights. This - obviously - will be a big "no" for a lot of people.
BYOD was an ill-fated scheme pitched under the guise of letting users work on their preferred platforms, but the reality is that it was a cost-cutting exercise. It turned out to be a wholly predictably ****ing stupid idea because any expense saved in hardware was more than surpassed by IT and Security trying to manage piles and piles of random esoteric largely-uncontrolled shit.
But that's not what this is, at all. Using your phone for MFA is adding an additional entry into an app you really should already have installed and be using for your own accounts. That's it.
If instead the OP's question had been "my boss has asked me to put IT's phone number into my personal phone's Contacts just in case everything else goes tits up and I can't access any work systems" would we still be having this conversation? It's broadly the same principle.
(... do people really not get work phones as standard issue these days?)
(... do people really not get work phones as standard issue these days?)
No. We have laptops with teams installed. If we want to install teams on our own phones, that’s up to us.
Personally I agree completely with people not wanting to be reminded of work when they are not at work but there has to be some pragmatism about it, if you wear a uniform you’ll get reminded when you wash it, if you have a company van parked outside, if you have an ID card in your wallet etc etc so practically it’s impossible to remove all references to work from home. Using the work/home distinction as the sole basis for refusing to use MFA on a non work branded app you should already have just seems inconsistent to me given it doesn’t suddenly scream “work” at you every time you pick up your phone - especially when compared to other more intrusive daily reminders as per the above. You can even hide the app if you’re on iOS (possibly on Android also?).
Some of the objections given further up though were based on assumptions that were incorrect:
- Work will have access to my phone - incorrect
- I will have to sign up for a Google/Microsoft account - incorrect
- I will have to buy a smartphone - incorrect (no reasonable employer would expect this).
Work can’t force you to use your own phone as a key - it’s convenient for you though. I have a work phone. I would refuse to use my personal phone for anything work related that involved actual work activities - email etc but having MFA on it as well as on my work phone makes things easier for me so I do it. I am not once reminded of work when I use my personal phone for anything.
We enforce MFA, not every employee gets a phone as standard. Anyone who doesn’t want to use their own phone would get one provided - it’s a small relative cost and not worth arguing over.
If we want to install teams on our own phones, that’s up to us.
Massive security risk unless you are forced to install a work profile on your personal phone so it can be wiped remotely. It should be actively blocked.
There is a valid reason for this - PAT testing and liability
No there isn't.
It's a myth that PAT is required in low-risk environments (or indeed at all, really), so this is wrong I'm afraid. The law requires an employer maintains and monitors electrical equipment which has potential (ho ho!) to cause injury. PAT is simply a method of demonstrating that they've done this. Some bloke in hi-vis running round putting stickers on things is a money-making racket.
When you employer mandates PAT then you cannot charge your own devices
If instead the OP's question had been "my boss has asked me to put IT's phone number into my personal phone's Contacts just in case everything else goes tits up and I can't access any work systems" would we still be having this conversation? It's broadly the same principle.
Yes because the same applies - what happens if you do not have a mobile phone and it still breaches that hard barrier
We enforce MFA, not every employee gets a phone as standard. Anyone who doesn’t want to use their own phone would get one provided - it’s a small relative cost and not worth arguing over.
Which is the correct way to do things
I will say up front that I skim read a lot of the comments after the first 30 or so and, as such, I apologise if what I am about to say has been said before.
TL;DR: I work in cyber, have done for over 20 years and what I do is focussed on protecting users and information within big and complex IT environments. Currently that means a userbase of about 40k people.
MFA is _the_ single easiest and best way to protect your on-line accounts from being taken over. I would rather _any_ MFA is used by my users than none, but I have a clear preference for something that is stronger (and less likely to be intercepted) than an SMS, something that device certs/WindowsHfB, FIDO2 or (Google|MS) Authenticator fits the bill for. I see evidence daily of password sprays and brute forces and, without the "something you have", guessing a password means that account (or indeed any account using that username/password combo) can be taken over and either stripped of personal information or used to spam/phish other people. My advice when training is that adding MFA (again, I don't care what) to every account that supports it is _the_ best way to retain control of those accounts.
The challenge I see with a lot of companies that have been pwned is that they use a cheaper form of MS licensing that may not allow for a lot of thew features I rely on. Device management, integrated EDR and Conditional Access give me a lot of flexibility in how my users can work and in what circumstances. It might allow me to give full access to systems when a user is using a corporate/managed device on the internal network, but limit their access to just M365 when they log in on a personal computer from home, or to block access to everything when they are out of the country.
I saw someone mentioned phishing earlier and how it's a technical problem and not a person problem (paraphrasing slightly). I disagree. It is a problem. Technology can only do so much to address the problem and attackers evolve their methods all the time. User education/training and engagement is _essential_ to combating this; you cannot rely on just technical means.
As an example: You get a mail from someone you know, written in English, possibly replying to a mail you sent to them. It contains a link to a document hosted on their Sharepoint with the request that you review the document. DKIM, DMARC and SPF all come back passed, headers match their mail server and the mail signature is theirs. BUT WAIT!!! The document (hosted on their Sharepoint in their folder) they sent you has a link in it and, when you click that link, you come to a login prompt for _your_ Sharepoint and, because you trust the sender you enter your passwo.... oh no.
No MFA means that your leaked password can be used to make you the next link in the chain. Then your IT department will get calls from the people in your address book asking if you have been hacked and maybe ICO will have to get a GDPR disclosure for the info that was on your Sharepoint.
Dammit. That turned into more of a rant than I wanted, but it's a Monday and I have a lot of work ahead of me. In summary: Use MFA everywhere you can, have separate passwords for work and personal accounts (and make them long, but easy to remember) and work with your IT department to make your place of work safer for the whole company (and give the 'me' in your office a slightly easier life).
depends who you work for and what you do but increasingly no; part of the reason for that is many employees don’t want to carry two devices around so would prefer to use their own phone.(... do people really not get work phones as standard issue these days?)
TJ, as usual, is showing the crazy side of unions - people who would spend their time arguing about hypothetical staff who don’t own a phone being able to login to a system (where there probably is a “have this brick from the bottom drawer solution” available) whilst real issues go ignored - like the vulnerability of employee (or patient/customer) data because using industry standard practice might cause a theoretical inconvenience to someone who enjoys making a fuss about stuff. He is of course living in a career bubble where there was a shortage of nurses and so you could get away with being a bit of a dick and still survive. Arguing the toss over this sort of thing is unlikely to advance your career.
depends who you work for and what you do but increasingly no
The reality is that work used to give people better tech than their own personal kit, so everyone was keen to get a phone, laptop, etc. That's not so much the case these days - work equipment is often more utility than our own stuff and usually more restricted in use.
If I didnt want to use MS MFA I could go to the office and use the office network or a LAN cable, but I like being at home and use MFA for other sites so I just use it.
I dont quite get the barriers between home and work argument, MS MFA has never sent me a unsolicited pop up, do these people log off or go home on a evening or weekend and never think when am I next in work? how am I getting there? Are my clothes clean? do I need to make a packed lunch, etc, etc
Work didn't provide me with fibre broadband to WFH with. Or a chair to sit on in my "home office". Could go on etc etc.
Having the MFA app on my phone (despite it being an absolute crock) isn't really a big deal. It's just a magic number generator. Whatever.
End of day. It's generally good to avoid making yourself look like part of a problem TBH.
Other opinions exist.
@willard very well described, this is essentially one experience we had prior to MFA, the 3rd party then impersonated the victim (new email address, 1 character difference in the domain name or something) and sent emails relating to a legitimate subject and set up invoices for stuff the company had bought from us, the other company then paid the hacker..... they blamed us, even though it would've been due diligence on their side to check email addresses and question change of payment details...but ultimately, MFA would have prevented the 3rd party from sniffing our employees emails...
If I didnt want to use MS MFA I could go to the office and use the office network or a LAN cable, but I like being at home and use MFA for other sites so I just use it.
If work have set it up properly, then no, you really couldn't. As others have stated many times, MFA is about proving that it is really you that is logging on. And that shouldn't be affected by where you are logging in from. I still get MFA prompts whether I am working from home or am in one of our corporate offices. And that's the way it should be. [And to those in the know - yes, I am aware that for some cases it really does matter where you are logging in from but I feel that's not relevant or pertinent the main discussion here 🙂 ]
I already have a 2FA app of my mobile. As has been mentioned, it generates a number. I generally refuse to install apps on my phone but no problem with this, and no problem using it for work purposes as it is just a number generator. There is no network connection for it. It's not made by Microsoft. Superior to text messages.
When you employer mandates PAT then you cannot charge your own devices
You absolutely can, either use an existing USB outlet or bring in your own charger to be tested on the day Stickerboy comes round.
Yes because the same applies - what happens if you do not have a mobile phone and it still breaches that hard barrier
OK. Write it down in the paper address book you keep next to your landline?
just for you cougar
Poly - its nothing to do with unions or anything like. Its two things - one is thinking of those that do not have smartphones ( and several folk responsible for this stuff have said its no issue) the other is about having a hard barrier between work and home. Again something others have as well.
At my workplace having your own mobile in use when on duty is a disciplinary offense and so is plugging anything into USBs cougar 🙂
At my workplace having your own mobile in use when on duty is a disciplinary offense
How the actual **** are you expected to use it for MFA then? Do you suppose, just suppose, that organisations requesting that employees use personal devices to generate codes might allow the use of personal devices?
and so is plugging anything into USBs cougar
That shouldn't be a problem. If they don't want you plugging things into USB ports then those ports should be disabled by policy.
Also, these exist:
Though within an organisation I'd expect structured cabling. More like:
I dont quite get the barriers between home and work argument,
There isn't one.
Just because you do not see it or understand it does not mean there is not one. I am not the only person on this thread to have this position. I never mix work and home in any way. My work was extremely stressful and upsetting at times. Having that hard barrier is one way of preserving mental health.
How many people, who use a laptop for work, don’t have smartphones?
A quick google says the lowest working age user group of smartphones are those 55-65, and that’s 93%. From 16-54, it’s 98% plus, increasing as you look to younger workers. That’s everyone, not just laptop workers.
Not unreasonable to assume someone would have a smartphone really.
How many people, who use a laptop for work, don’t have smartphones?
A quick google says the lowest working age user group of smartphones are those 55-65, and that’s 93%. From 16-54, it’s 98% plus, increasing as you look to younger workers. That’s everyone, not just laptop workers.
Not unreasonable to assume someone would have a smartphone really.
Have you met old engineers before?
I work with a few people who were to scared to have a laptop 🤣
If they don't want you plugging things into USB ports then those ports should be disabled by policy.
And if they were they would still provide power. We have all USB devices blocked but I can still charge my phone from my laptop. I just cannot access any part of its file structure. .
I don’t think anyone is not agreeing with the work/home distinction but rather, finding it hard to understand that MFA goes against this as the reason given is looking at the app icon on the phone is too much to bear. Perhaps I’m missing something but how does a seeing an app icon differ from say, ironing your nurse’s uniform.
Just because you do not see it or understand it does not mean there is not one. I am not the only person on this thread to have this position. I never mix work and home in any way. My work was extremely stressful and upsetting at times. Having that hard barrier is one way of preserving mental health
That, with this I am with TJ. We used to have people who wouldn't use our satellite phones because they were convinced they irradiated their heads even though they used them once a month compared to being on their mobile phones permanently. Same with people I know who needed us to switch off the wifi when they were in the room even though there were at least 30 stations nearby on the same frequency bands that were on permanently. My snowboard instructor used to make me imagine picking money off a tree and then putting it in my pocket when making a turn. What is technically going on and what you actually do to make things work for you don't need to be the same unless they are massively at conflict and here they aren't. How you visuallize things is important
oceanskipper - its either a hard line or it does not exist. You accept the work / home distinction. This crosses that line for me. I never ironed a uniform BTW 🙂
Yes but my point is just using an arbitrary example. Does the alarm going off in the morning to remind you to get up for work not also cross the hard line? It’s reminding you about work when you are not at work.
I’m not expecting an explanation either. It’s your boundary. No need to explain it but you can surely see why it’s not that easy to understand. In my mind there is no difference between a phone app and hundreds of other things that remind me of work when I’m not actually at work. You say there is and that’s fine. I just don’t get it, which is my failing, I don’t have the work stress many people do so I may never see the reasons why one seemingly innocuous thing is more of a trigger than another. 🤷🏽♂️
Oh, and if you worked in my organisation you would have a phone provided if you wanted one!
At my workplace having your own mobile in use when on duty is a disciplinary offense
Given that the NHS both require you to use MFA and instruct people to use their phone to host it, this isn't true any more
Times have changed a lot in the NHS over the last few years. There was a historical badge of honour in being terrible with IT because it was someone else’s job.
It’s now accepted that it makes people life easier and when people get some flexibility they accept it can go both ways. We now have relatively junior grades (band 6 and 7) working remotely however if they demanded a work phone for MFA I would just say sorry I can’t provide that so you can be onsite every day. These are roles that 5 years ago would have been 100% onsite. We do provide a laptop or Remote Desktop but if we had to start shelling out for phones as well it would be a no.
things like requesting annual leave are now done via an app, you could refuse to use it and wait until you are onsite and use a hospital PC but some days/periods are first come first served and that might mean requesting next summer/xmas over a weekend and if all your colleagues are happy to do that they will benefit.
I don’t use my personal phone for emails or teams and only 1 or 2 colleagues would contact me in an emergency and that’s fine because when you have to deal with a big problem when you come back you would rather give advice on how to fix it to other people than walk back in on a total mess.
A lot of it is down to roles and responsibilities.
In Lothian? I'll check with someone who works there. Given that would require a major change to policy to do so I have my doubts. Is that for remote workers?
Oh, and if you worked in my organisation you would have a phone provided if you wanted one!
I would have no issue with that. I had in one job. That phone never came home with me.
Alan - I was actually a "superuser" for our IT systems ie local point of contact for folk who had difficulty working the system. annual leave etc was done on line decades ago for us
annual leave etc was done on line decades ago for us
Electronically - yes. On line, decades ago - I very much doubt it.
should have been "more than a decade" - apologies.
"more than a decade"
Via an app or website that can be accessed anywhere? Again, I doubt it as all your HR info would have to be being stored offsite, unless your employer was offering RDP access to every employee at huge cost and personally, never mind work/home boundaries - I’d have made a massive fuss about the likelihood that all my personal data would go walkabout. Who supplied the PC/laptop for you to access it? Presumably you refused to do so on your personal one and an app (unlikely again even a few years ago never mind a decade) would be out of the question also.
Just because you do not see it or understand it does not mean there is not one.
I understand it better than you do (tricky concept for you I know) and many others posting here know more than I do, all of whom you said you'd listen to. There is not separation in the specific context of the post I was replying to.
Ie, paraphrasing, "I don't need MFA if I'm in the office." Bullshit you don't. You need MFA whether you're at home, in the office, in Romania* or on the Moon. (Though I'd have geolocked out those last two without a prior request anyway).
We can all say it together if you like: Passwords. Alone. Are. Not. Fit. For. Purpose. This becomes especially pertinent when all your data is in the cloud (hah, just ask Salesforce) - it doesn't matter one jot where -you- are. I don't need to hack your laptop to pillage your data, it's not the 1990s anymore.
You can argue all you like about work/life separation and I will agree very strongly with you on most points, but you cannot argue about MFA. It really is (you'll like this bit) that black and white. Corporate Wi-Fi isn't going to protect your M365 tenant if the only thing between you and a password-spraying external attacker is "Ronaldo7!"
(* - no offence to Romania, it was the first overseas country that came to mind).
Work in cyber security and data protection for over 25 years.
Not using a private mobile for MFA is petty and puts the organisation and you at risk.
If you are happy to work from home on your own Internet connection, In your own house, in your own room, sat at your own desk, using your own chair, using your own kettle? Yet object to using your own Authenticator? Well I am sure (possibly not) see the contradiction.
"I don't need MFA if I'm in the office."
To be clear for those where MFA is bypassed in the office there are conditional access rules that can be applied and depending on your level of licensing with Microsoft they can control and mandate all sorts of things. They can enforce additional security like 6 digit PIN numbers on both the device and a separate one on the app itself. They can enforce a minimum OS level, block jailbroken devices, block browser access entirely on the device and force use of the app. Block access from anywhere outside the UK. The list goes on. Even at the basic licensing level however an organisation can allow users to bypass MFA when the client has a certain public IP address or range of addresses. Organisations often used this to allow access in the office without MFA based on the fact that in a lot of cases an additional layer of security was already present ie gaining access to the site and needing an ID card or simply everyone would know if a stranger came and sat down and started using a computer. These days bypassing MFA in this way is not considered best practice and even mandated if you want to obtain certain security accreditations. As a result MFA is now being enforced everywhere in more and more places.
The justification for refusing to use your personal device to generate a code because it crosses some arbitrary hard line about work and home separation is not easy to see. The standpoint that being reminded of work in my own time is not acceptable and the employer must respect this is impossible to accommodate when there are so many other things which also meet this definition: seeing your salary go in, being woken up specifically to get ready for work, wearing certain clothing for work and then washing it, seeing it in the wardrobe, etc etc. I have yet to be presented with a reasonable argument that shows a distinction between these things; people insist it exists but offer no explanation as to why none of the other reminders cross this hard line. It makes it impossible to then consider offering an alternative solution which does not infringe these personal boundaries.
No organisation, when issuing ID cards for example, considers “what if people refuse to take them home because it will remind them of work?” . They don’t need to because no one does.
as mentioned above
MFA will be enforced no doubt
you can decide you do not want to set up the mfa account inside your authenticator app
the alternatives would be a corporate issued device
a company mobile would no doubt be put under management itself so you'd essentially have something awkward to carry any time you needed to work anywhere, and of course you canst use it for anything else as you're not mixing work and home lifes......
or a Yubikey, on your keyring, i have actually got one of these for absolute emergencies at an admin level, in case the world burns type thing, i loathe having to keep it safe.. i don't want it on my keyring as it's more important than my keys.. but technically i should have it near me at all times
Also, you cant be leaving these things on your desk... that's not how it works, we have even talked about making it mandatory for staff to take their laptops home with them....how's that for mixing work and home? i drive every day and i don't want to do that