I never worked from home - rather tricky when you are a nurse 🙂 That's not what I am talking about.
I get it - some of you do not see the need for a healthy separation of work and home. Your choice. I do
Key point: it doesn't affect your home life.
facts
If you aren't using MFA for your home life in any way, you are majorly at risk, OR you do not have an online presence and prefer to do everything by letter.
If you are using MFA you are adding 1 extra number... literally, into an app you probably already have.
it does not cost you
it does not add anything tangible to your data usage
What it does do is not make you appear awkward in any way to the people trying to protect your account, which is for you, I hasten to add... What could I do if I could log in as you? Who could I message, what data would I have access to? Whom would you have to sit down in front of and explain how a 3rd party got sensitive information because you didn't appreciate the importance?
What is more invasive to your home life? An invisible app you never have to see until you get prompted to authenticate ONLY when you are working? OR having to transport, keep safe, and charge another device to and from work every day?
The choice will be yours, but genuinely, why make life more difficult for yourself?
I checked with one of my ex-colleagues. Nothing has changed in how you use the work computers. They do not use a phone app.
It's a secure intranet I think it's called (????). You use a card to log onto the computer (then IIRC a username and password to log on???), then a username and password to get into TRAK, which is where all the sensitive data is. The cards could be shared. You can only get onto the intranet from a work computer, but you can get onto the intranet from any work computer.
Off duty and annual leave is app based and could be accessed from a personal phone if you wanted to or from the work computer once logged in to it
Now, as is obvious, I am not hugely knowledgeable about this stuff, but that is obviously deemed secure enough by the folk that know. No need to use any personal devices or phones to access anything.
All that security to access TRAK on a work device including MFA by way of a card and then allow simple username and password access (because you can’t insert a smart card into a phone) on a mobile app which can be installed on a personal and potentially unsecured device. Bonkers.
Was the last thread this weird when people started over-dramatizing everything to try and prove a point? There's literally only three (commonly used) options: use your own phone, use a work phone, or buy a dirt cheap phone for work MFA only.
I absolutely won't have Teams or access to work emails on my phone, so there's no way I can see that stuff once I've clocked off.
No issue with having MS Authenticator on my phone though. To refuse that would make life harder for myself and - as per the thread title - be spectacularly petty.
You cannot access TRAK on a mobile device. Only through a work computer (which might be a laptop).
off duty and AL is the ONLY thing you can access on your personal device and it has no links to anything else on the system
You aren't going to get an MFA request for work unless you are actually working. So it won't impose on your free time!
What happens if I lose the phone
I think if you're an iPhone user your data is synced to your iCloud account. Same issue arises if you buy a new phone? Happy to be educated if this is not the case!!
I get it - some of you do not see the need for a healthy separation of work and home.
No. You're not getting it. For some people, for some jobs, it is not unhealthy to mix work and home. In fact it can be beneficial. You might not understand it, but you can accept that it isn't necessarily unhealthy when we tell you.
I do understand some are happy to do this. However, folk are saying there is no reason for me to want that separation. If you want to do it, fine - it's your choice. Allow me my choice.
However folk are saying there is no reason for me to want that separation.
I don't think anyone's saying that. I think what they're saying is that you already accept exceptions to that separation (alarm clock, uniform, ID card etc), so drawing a line at adding an account to an app you already have is a bit perverse.
Re work accounts and iCloud backup... well, they don't; you'd need IT assistance to re-register/reactivate after a restore.
Re work separation... it isn't separation, because it is not invasive unless you go specifically looking for it. Caveat... you could get prompted if someone somehow supplies your username and password for a login... which is only a good thing to know, right, no matter when that occurs... although I cannot remember when I have been prompted for my work account fraudulently...
It's literally more invasive to walk around with a piece of paper in your pocket with 6 numbers on it.
In work, like in life, it's really important to pick your battles.
Installing an MFA app on your work phone is not a battle to fight, no good will come of it whether you win or lose.
Let's make an example that's a little more extreme, to hammer home the point:
I refuse to have a calculator app on my mobile because I sometimes need it for work.
Or extra extreme
I refuse to have a hammer at home because I use a hammer at work.
What happens if I lose the phone
I think if you're an iPhone user your data is synced to your iCloud account. Same issue arises if you buy a new phone? Happy to be educated if this is not the case!!
Your IT department can reset the MFA so you can register a new device or give you a one time access code if you have simply left your phone somewhere else..
Installing an MFA app on your work phone is not a battle to fight, no good will come of it whether you win or lose.
Fortunately, everywhere I have worked this would never be an issue, as using personal phones for work is banned by policy, is not needed anyway because they manage IT security without them, and again by policy, if you need a phone for work you are supplied one.
Oddly enough you're not going to be using the authenticator you need to for work purposes when you're not at work because there's no need. You're not at work so why would you be accessing your work email etc.
TJ - to be blunt you retired a few years ago from a job with quite special IT/phone security requirements. You have no experience here
I like to keep separation, don't get me wrong... I flat out refuse certain stuff on my personal mobile, as I had to allow admin things like remote wipe etc. from company IT... so that's a firm 'hell no'.
But MFA is just a number generator and you'll already likely be using one anyway.
fortunately everywhere I have worked this would never be an issue as using personal phones for work is banned by policy
Genuine question, do you know what the MFA app is and how it works? I know that may come across as condescending, but it's not meant to be.
I ask as your answers read like you don't understand (or are maybe choosing to ignore) the very real difference between installing Teams or Outlook on a personal phone and installing an MFA app. The former 2 potentially mean work messages and calls come through to your personal phone, something most people don't want and would be right to push against. The latter is an app that generates some numbers that allow you to access work stuff on a completely different device, that's it: no notifications, no calls, nothing bar 6 numbers that you'll enter into another device in working hours.
I just don't get how this is something to push against.
TJ: The full quote, for context. He doesn’t address the question of whether you have a reason to want to separate work from home. I think everyone would agree that you can want that, and understand why it might be particularly important in your profession. He’s just saying that MS MFA doesn’t impinge on that more than factors you already accept.
I don't quite get the barriers between home and work argument. MS MFA has never sent me an unsolicited pop-up. Do these people log off or go home on an evening or weekend and never think "when am I next in work? How am I getting there? Are my clothes clean? Do I need to make a packed lunch?" etc, etc.
I just don't get how this is something to push against.
Because I want a complete hard separation between work and home. I do not want to use a personal device for anything to do with work. I worked in a culture that expressly forbade this anyway. Making my lunch is for me, not for work. I had a complete change of clothes at work before I went home. My ID cards etc. were all left at work.
I ask as your answers read like you don't understand (or are maybe choosing to ignore) the very real difference between installing Teams or Outlook on a personal phone and installing an MFA app.
To me there is no difference. It's work mandating what I must do with a personal phone. What I do with a personal phone is nothing to do with work. It's either a hard line or it does not exist.
What happens if I lose the phone
ChatGPT:
🛠 2. Recovery Options
Microsoft Authenticator has a cloud backup and restore feature (if you enabled it):
- iOS → It uses iCloud backup tied to your Apple ID.
- Android → It uses Microsoft account cloud backup.
When you get a new phone:
- Install Microsoft Authenticator.
- Sign in with your Microsoft account (the one used for backup).
- Restore your accounts from the cloud backup.
To me there is no difference. It's work mandating what I must do with a personal phone. What I do with a personal phone is nothing to do with work. It's either a hard line or it does not exist.
Got you. And I think, whilst I don't agree, I understand.
To me, if work asked me to add something to my personal phone that had zero negative impact on me (and if anything it had a positive impact, as I only needed to carry 1 device and not 2) and has a positive impact on work (better security, a cost saving), then I'd do it. I'll hide the app so I don't even see it and only use it when I log in to work.
No-one loses, perhaps bar some hackers.
Even at the basic licensing level, however, an organisation can allow users to bypass MFA when the client has a certain public IP address or range of addresses.
I know I'm splitting hairs (and you're more current than I am), but this is in effect still MFA. It's just a form which is transparent to the user. Perhaps we should add "somewhere you are" to our list of somethings?
In any case, as you say, it's not great practice on its own.
The justification for refusing to use your personal device to generate a code because it crosses some arbitrary hard line about work and home separation is not easy to see. The standpoint that being reminded of work in my own time is not acceptable
... and why would you be getting MFA prompts when you weren't working anyway? Outside of, y'know, someone trying to hack your account.
To be "reminded of work" you'd have to delve into your MFA app actively looking to be reminded.
Is there any reason that MFA can't be done via facial recognition instead of an app on a personal mobile?
I didn't say "reminded of work"; that's someone else's interpretation, not something I said.
It's work mandating what I must do with a personal phone. What I do with a personal phone is nothing to do with work. It's either a hard line or it does not exist.
I just want to keep that hard separation between work and home. I do not want work to tell me that I must do something with my personal property. Others think differently.
... and why would you be getting MFA prompts when you weren't working anyway? Outside of, y'know, someone trying to hack your account
Exactly. I may have missed some quotation marks in the original sentence but essentially I meant the user saying “being reminded of work in my own time is not acceptable and the employer must respect this “ is impossible to achieve when some things are acceptable and others not but the employer has no way of knowing which …
I know I'm splitting hairs (and you're more current than I am), but this is in effect still MFA
Technically “Conditional Access” is how Microsoft refer to it. But yeah if you have to use ID to get in the building where the MFA prompts are bypassed it’s still MFA - and also the reason a lot of people here think MFA only applies when working from home; it does for them when their IT haven’t enabled it everywhere!
I just don't get how this is something to push against.
Because I want a complete hard separation between work and home. I do not want to use a personal device for anything to do with work. I worked in a culture that expressly forbade this anyway. Making my lunch is for me, not for work. I had a complete change of clothes at work before I went home. My ID cards etc. were all left at work.
Crikey, so any text message, WhatsApp, email with reference to anything to do with work, you delete? Or you simply do not mention work in any way on your phone?
Well, as mentioned, ask work for a YubiKey, be done with it. You'll then be carrying something else on your keyring everywhere you go, unless you can confidently never forget to pick it up every day before work.
All that security to access TRAK on a work device including MFA by way of a card and then allow simple username and password access (because you can’t insert a smart card into a phone) on a mobile app which can be installed on a personal and potentially unsecured device. Bonkers.
The cards slot into the top of the keyboards, sticking up vertically. The staff then wander off leaving their cards in situ, because who in the NHS has the time to log in twice multiple times an hour? It would be trivial to yoink one when no-one is looking and cloning cards generally isn't difficult. Now all I need to do is shoulder-surf a password. They're probably all the same anyway.
I was briefly involved in a previous incarnation of this system many years ago over at BDGH (Barnsley), I was sent in to un-**** it after everyone else had failed. I quickly realised that what they had been sold and what they thought they were buying were two wildly different things, it was never going to work. It simply wasn't possible.
Something like Hello For Business would likely fix all this in a heartbeat (no pun intended), but last I looked the NHS was still mostly running on Windows 7. It makes you Wanna Cry.
Is there any reason that MFA can't be done via facial recognition instead of an app on a personal mobile?
That's kind of like Windows Hello... although it's really easy to fool facial recognition. It can be allowed as primary authentication, but authenticator/hardware key is still the top method for actual MFA.
I know I shouldn't ask but...
@TJ, If you refuse to take your badge with you offsite how do you get into the locker room to access your locker, similarly, do you have a locker key to allow you to store your clothes etc and to secure the ID badge you have left on site?
Crikey, so any text message, WhatsApp, email with reference to anything to do with work, you delete? Or you simply do not mention work in any way on your phone?
Nothing from work was ever on my phone.
I get this is hard to imagine for some of you and I understand different environments are different but I maintained that hard line.
Edit - some buildings had a number pad to access the building, some had nothing. Locker was secured with my own padlock.
So you used your own padlock for work? They should have issued you one....
This is smart cards and is needed to access the NHS Spine for registering patients, I believe. People really should not be sharing these; I have seen it and put a stop to it straight away. You can also get tap-to-log-in badges. These are primarily for clinical-side staff, but a few of my team have these to avoid having to constantly take off PPE etc. to log in.
I also have heard stories of senior managers sharing login details with colleagues so they can check on things when they were on leave. My experience is that times really have changed, and due to the high profile hack in 2024, which is still not totally resolved, people are much more aware of the impacts of lax security.
Most trusts I know of are on Win 10 and we have just moved over to Win 11
All that security to access TRAK on a work device including MFA by way of a card and then allow simple username and password access (because you can’t insert a smart card into a phone) on a mobile app which can be installed on a personal and potentially unsecured device. Bonkers.
Just to point out again, this was not the situation. You cannot access TRAK via anything but a work computer going through the security. The only thing you could access on your phone was your own roster and AL requests.
How about this then
We use a 3rd party HR website... all staff training info, contract docs, leave calendar etc. are through that.
We enforced MFA on that as it is a requirement.......
Who's getting people mobile phones so that staff can access their own private information and request holidays?
Likewise a benefits hub we use....
Sage for our payslips/P60s etc.
All 3rd party systems, all enforced MFA, and all solely for the benefit of the employee.
Alan - I could tell you horror stories of that sort of thing. We had communal cards for example. All the card did was open the log on screen and did not identify an individual
An earlier incarnation without the cards, you could normally find a generic login to the computer (but not to TRAK) on a post-it somewhere on the desk.
TRAK was much more secure, and just logging into the computer did not get you access to confidential information of any sort. You would then need a different login to get to TRAK, and a different one again to get into emails.
How about this then
We use a 3rd party HR website... all staff training info, contract docs, leave calendar etc. are through that.
We enforced MFA on that as it is a requirement.......
Who's getting people mobile phones so that staff can access their own private information and request holidays?
Likewise a benefits hub we use....
Sage for our payslips/P60s etc.
All 3rd party systems, all enforced MFA, and all solely for the benefit of the employee.
What do you do with folk that do not own a smart phone or cannot use one? A small % of folk, but in an organisation employing thousands there will be some.
For my organisation all that stuff could be accessed through a work computer. Are you saying it could only be accessed on a personal phone?
I assume they badger their managers to print off their docs or something... Luckily that doesn't come back to me in IT, because it is pretty much the law to have it enabled; without it we cannot certify for various accreditations, and then we can't apply for certain contracts...
Flipside... guess who would be moaning when their personal data was accessed because they completed a Facebook quiz about their grandmother's maiden name and gave up their password, and guess who would be moaned at...
They can access the aforementioned portals via any device, as long as they pass the MFA requirements. We do not have any conditional access controls on those portals, so in theory MFA would be required at almost every login.
Hmmmm - open and shut disability discrimination case then? 🙂