NHS Mail - Multi-Factor Authentication

Posts: 16189
Free Member
Topic starter
 
[#13118412]

Apparently MFA is being rolled out across all NHS mail users by the close of March

Our trust is saying either get a work mobile (which seems a ludicrous waste of money) or use your own personal mobile for the MFA.

Grumpy old man mode

Surely we should be given the tools we need to do our job?

And if not can I now put my iPhone 15 pro Max on my tax return as an item needed to carry out my job?


 
Posted : 17/01/2024 1:04 pm
Posts: 44855
Full Member
 

just get a work phone. 


 
Posted : 17/01/2024 1:05 pm
Posts: 7152
Full Member
 

Surely we should be given the tools we need to do our job?

Our trust is saying either get a work mobile

Problem solved.


 
Posted : 17/01/2024 1:07 pm
Posts: 1864
Free Member
 

we enforce it at our work

every personal use scenario should already be using MFA, ie for your own accounts, so adding an extra account onto an app you probably should have installed already is not a big ask.

We were taken to court over losses from another company due to one of our employee's email accounts being hacked and sending false bank details. This wouldn't have happened with MFA in place then.

Summary: it's to protect you and the company and has no real negative bearing on you or your device


 
Posted : 17/01/2024 1:12 pm
Posts: 44855
Full Member
 

I needed to have some stuff emailed to me at home from the NHS recently.  For security they wanted me to use some weird app.  I went to register for the app and it wanted all sorts of irrelevant personal info from me so I refused to do it and made them send it to me snail mail

Egress it was called


 
Posted : 17/01/2024 1:14 pm
Posts: 35230
Full Member
 

Use the google authenticator?

It's what I use for my NHS account. Yes it's on my personal phone, but at the same time, I know it's secure (no-one can ask me to hand over the phone to them), and at the end of the day, is it really that terrible?


 
Posted : 17/01/2024 1:16 pm
 MSP
Posts: 15842
Free Member
 

Having MFA on my own phone is a better solution than carrying two phones around in work hours for me.

If the company I worked for had a history of overstepping the mark in what they expected me to provide in order to do my job, or intruding outside of working hours, then I would demand a work phone.


 
Posted : 17/01/2024 1:17 pm
Posts: 16189
Free Member
Topic starter
 

just get a work phone.

Yeah but every single employee in the organisation having a works mobile phone for MFA? ours is a small organisation but still 4000 employees. £300 per phone = £1.2m for a device to be rarely used. It was only last year they were taken out as a cost saving as comms can now take place via Teams


 
Posted : 17/01/2024 1:17 pm
Posts: 31225
Full Member
 

Use the google authenticator?

This. Trivial to have this on your own phone, with no impact on your money, time, or security. If Google Authenticator is an option, install it. Don't just be grumpy for the sake of it.


 
Posted : 17/01/2024 1:21 pm
Posts: 14169
Full Member
 

If it was only for use during normal working hours I'd just use my personal phone. As has been said, I'd find having two mobiles a bigger pain.


 
Posted : 17/01/2024 1:21 pm
Posts: 8777
Full Member
 

I often work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA so I have to run out the room to another area of the building and get my phone out of a locker, unlock and enter the code within 30 seconds. I'm sure there's a H&S element to this...


 
Posted : 17/01/2024 1:26 pm
Posts: 31225
Full Member
 

No smart phones allowed... but MFA mandated... that's not been thought through... has it.

I had that (many years ago)... had a little pager like device that gave the MFA code for 30 seconds when you asked it to.


 
Posted : 17/01/2024 1:28 pm
Posts: 1864
Free Member
 

@FuzzWuzzy

in that situation, if the computers are in a secure environment, we would configure the conditional access policy to whitelist that location or those devices.  you signing into the PC is one authentication, them being in a secure location is the other method of authentication. to be honest, you having to run out of the secure room is probably less secure


 
Posted : 17/01/2024 1:29 pm
Posts: 8777
Full Member
 

had a little pager like device that gave the MFA code for 30 seconds when you asked it to.

Yeah, I still have an RSA token for one system but for this one they don't want the hassle/expense of managing physical tokens so only support authenticator apps


 
Posted : 17/01/2024 1:32 pm
Posts: 35230
Full Member
 

Your organisation's IT should be able to organise you to forgo MFA in secure locations.


 
Posted : 17/01/2024 1:34 pm
 Drac
Posts: 50650
 

Just use the MFA on your phone. Being a dick at work makes you a dick, your colleagues will think you’re a dick and your managers too. Being petty over such trivial things will achieve nothing but make you miserable.


 
Posted : 17/01/2024 1:37 pm
Posts: 8212
Full Member
 

Maybe they have decided cheap (£100 max android) work phones for those that really don't want to just stick the details on their private phones is much cheaper than tokens for everyone. For MFA via authenticator I don't care unless they want to use the nasty mess that is Duo. If they started trying to say the device has to be registered, have a policy and capable of remote wipe then I have an issue and they can provide the device. Do you have the option of automated phone call or text message instead?

Doubt you'll get away with claiming tax relief on the phone.


 
Posted : 17/01/2024 1:43 pm
 hels
Posts: 971
Free Member
 

"being petty over trivial things" - are you new here?

But seriously this is a bugbear I have too, sadly the last people I trust with my personal data are a combination of big tech and my work.


 
Posted : 17/01/2024 1:48 pm
Posts: 424
Free Member
 

It's not a big deal, install an authenticator app on your phone and link it up, when logging in you put the code in job done. It's not really something to make a mountain out of a mole hill over, depending what system they use it could also go to an email address.  I'm also sure you'd rather this than your account be at the mercy of a breach and you losing your job over it? If you're that bothered just request a works phone and have fun carrying two mobile phones about with you.


 
Posted : 17/01/2024 2:05 pm
Posts: 2115
Full Member
 

install an authenticator app on your phone and link it up

Or if you don't want to use that, just configure it to send text to your phone number.

I'm happy to use an authenticator app, because I already have one installed for personal use, but there are other options.


 
Posted : 17/01/2024 2:14 pm
Posts: 1864
Free Member
 

Depending on how it's configured, text or phone call may not be enough, a recent update on our tenant prompted all staff that they had 3 more logins on text/call to set up authenticator, we didn't look into why as it's definitely preferred


 
Posted : 17/01/2024 2:16 pm
Posts: 8212
Full Member
 

But seriously this is a bugbear I have too, sadly the last people I trust with my personal data are a combination of big tech and my work.

Neither have your personal data for an MFA code.


 
Posted : 17/01/2024 2:31 pm
Posts: 677
Full Member
 

If it makes you feel better, my wife already has an NHS supplied mobile phone, she enrolled in MFA and is now locked out of everything because something didn't work properly. Every help desk she calls sends her to another help desk and nobody actually wants to fix it.


 
Posted : 17/01/2024 2:32 pm
 Pyro
Posts: 2404
Full Member
 

You think it's painful for you, I'm the primary NHSMail LA for 90 GP Practices...

Firstly, you only need MFA if you're accessing via Web, not Outlook, or configuring on a new device. Second, MS Authenticator on your personal mobile releases next to no info to us as Admins, just tells me you have the authenticator app set up, less even than you having to have your personal mobile number in your NHSMail profile for SMS auth (and you can hide that to make it invisible to local admins). I have both my works and personal mobile set up on my profile, so I can still get in on the days I forget the works one. I'm not worried about NHSMail/Accenture having access to my number, your mileage may vary.

If your office offer you a works mobile, go for it or ask if they'll provide a FIDO token, as they're the main viable alternative. As someone else suggested, your trust also have the option to create Security Groups and secure locations (ie HSCN, IP boundaries etc) where MFA won't be required. Likewise, if you have one, you can register for Smartcard access to NHSMail which doesn't require MFA via mobile as well - though you will still have to have MFA set up, you don't necessarily have to use it each time.

 (Goes back to writing pretty much this exact statement in a way 4,500 Practice staff might be able to understand with the minimum of "What do we do / why do I have to / but what about..."-ery...)


 
Posted : 17/01/2024 2:33 pm
 poly
Posts: 9167
Free Member
 

I'm not understanding the problem here.  1. They are offering to provide you with a phone.  2. They are offering to let you use your own phone if you don't want to carry a work provided phone.  In what way are they not providing you with the tools to do the job?  Your response to that was baffling:

Yeah but every single employee in the organisation having a works mobile phone for MFA? ours is a small organisation but still 4000 employees.

4000 employees is not a small organisation, it's 4000 potential data access leaks.

£300 per phone = £1.2m for a device to be rarely used.

But you are ignoring that most people will prefer to use their own phone for convenience, or are already heavy work phone users so have a device.  On top of that an authenticator app will run on a £100 phone, especially with the buying power of the NHS if they were to be ordering 4000 devices.

The cost of a data breach is potentially way more than £1.2M; I can only assume it's really the MFA you are objecting to rather than the idea of being provided with a phone to do it - worst case ransomware attacks locking down NHS networks not only cost a fortune but risk lives in an NHS setting.


 
Posted : 17/01/2024 2:40 pm
 Pyro
Posts: 2404
Full Member
 

The cost of a data breach is potentially way more than £1.2M; I can only assume it's really the MFA you are objecting to rather than the idea of being provided with a phone to do it – worst case ransomware attacks locking down NHS networks not only cost a fortune but risk lives in an NHS setting.

Can I nick that for my comms piece?!


 
Posted : 17/01/2024 2:44 pm
 Pyro
Posts: 2404
Full Member
 

I often work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA so I have to run out the room to another area of the building and get my phone out of a locker, unlock and enter the code within 30 seconds. I’m sure there’s a H&S element to this…

@FuzzyWuzzy - this is what Smartcard authentication to NHSMail was put in place for. We recommend it for clinical staff working in the local prison/secure units where they can't take mobiles and laptops.


 
Posted : 17/01/2024 2:54 pm
Posts: 14169
Full Member
 

On top of that an authenticator app will run on a £100 phone, especially with the buying power of the NHS if they were to be ordering 4000 devices.

NHS buying power?...They'll cost £800 each then and 'secured' with a ten year no-exit maintenance contract with the supplier! 🙂


 
Posted : 17/01/2024 3:00 pm
Posts: 3069
Full Member
 

. I’m sure there’s a H&S element to this…

Yes, it's being rolled out for us but I work in pathology (specifically bacteriology) where mobile phones are banned on H&S grounds.

Sounds like there's alternatives that our trust should be able to offer suggested above, but our trust haven't offered it, instead making us forgo the mobile ban, bringing them into the lab whilst we log into each PC for the first time.

It's not been well implemented tbh.


 
Posted : 17/01/2024 3:17 pm
Posts: 16189
Free Member
Topic starter
 

It doesn’t sound like it should affect me that much.

I duly downloaded the Microsoft app which did as told. Deleted the app after

Isn't using my work laptop on my home wifi or mobile hotspot more of a risk?


 
Posted : 17/01/2024 3:56 pm
 poly
Posts: 9167
Free Member
 

Isn't using my work laptop on my home wifi or mobile hotspot more of a risk?

Probably not.  They'll have it well configured for security and may well be using a VPN to access the NHS stuff etc.  The easiest way to get into any system is to get some muppet user to let you in - eg. by them giving you the password (e.g. giving it to a colleague so they can do something, using the same password multiple places, or by harvesting it in a phishing email).  


 
Posted : 17/01/2024 4:06 pm
Posts: 1864
Free Member
 

if your work laptop signs in from an unusual location it could well prompt for MFA anyway


 
Posted : 17/01/2024 4:09 pm
Posts: 7523
Full Member
 

We have the ms authenticator app on our phone. I mean the alternative is an additional device (like a banking authenticator), which we have for something else and is a pain, and/or another phone. Why would you want extra devices, when you can just install an app on your personal phone?


 
Posted : 17/01/2024 5:06 pm
Posts: 44855
Full Member
 

Why would you put anything for work on your personal device? 


 
Posted : 17/01/2024 5:13 pm
Posts: 4107
Full Member
 

I work in the healthcare sector and we had a similar thing. It's a lot easier using MFA on your personal phone (Google Authenticator app for me) than using a dongle or a works phone.

You literally have to scan a QR code once, it's not a big deal.

If you really feel the need to flounce about using a personal device for work then take up the offer of a work phone.


 
Posted : 17/01/2024 5:16 pm
Posts: 1864
Free Member
 

@tjagain

why would you make it harder for yourself? having to carry, and charge two devices or such like, or at least a smart card.. when the whole point of the exercise (MFA) is to make your life easier


 
Posted : 17/01/2024 5:22 pm
Posts: 44855
Full Member
 

I'm a firm believer in keeping work and personal separate.  I wouldn't be carrying two devices around ( unless mobile working?)  the work phone would sit by the device being used for email access and left at work


 
Posted : 17/01/2024 5:41 pm
Posts: 78668
Full Member
 

All of what Poly said.

Our trust is saying either get a work mobile

Surely we should be given the tools we need to do our job?

I must be missing something here. Is the trust saying you should buy a separate mobile and not offering to provide one? That's lunacy if so.


 
Posted : 17/01/2024 5:44 pm
Posts: 1864
Free Member
 

@tjagain  you wouldn't be able to do that. you'd need to keep it safe or it defeats the point

if it was valid to leave the second form of authentication by the primary device you log in on, then as an admin, you make the primary device essentially whitelisted. then if that's the case you don't need MFA...

the second form of authentication needs to be kept as secure as the primary (your password, stuck in your head) so on a phone it would be password or biometrically secured


 
Posted : 17/01/2024 5:46 pm
Posts: 44855
Full Member
 

cross purposes.  The work phone would be set up with whatever security the employer thought necessary.  If it's only used for MFA then it never needs to leave your desk if that's where you get emails.  If the phone is not secure then that's up to the employer to secure it so yes the phone would be secure but zero need to carry it around and if it's only used for MFA then it would hold its charge for ages.  Of course it's different if you are mobile working but then what are you getting your emails on?

Cougar - "get a work phone" means get one from your employer


 
Posted : 17/01/2024 5:52 pm
Posts: 1864
Free Member
 

you may as well just put MFA directly on the device then, like biometrics or such like. But then you can't work remotely. or you disable access from any location that isn't the work PC/network. Which may not suit every user so that's extra complex.

regardless, the OP works remotely at times so needs a form of MFA he can use in multiple locations.

SO, he either needs to carry a second device, be it a phone, smart card.. anything...

or add a simple account on to an app he probably already has installed. it probably would take up a fraction of a megabyte of storage, and he would not be likely to forget to have it on his person and have to make embarrassing calls to IT to get access to do his job.

I literally deal with this attitude on a regular basis, I get the user access, tell them they have to set it up or they won't be working. If they have any issues with that they can discuss it with their line manager who can then arrange to order them an alternative solution at cost to the business

in my head, it's not costing you anything, it's making your life easier and your job safer. no company data is on your device, and none of your data is in the hands of the company

and regardless of your outlook on things, your line manager remembers when it comes round to pay reviews etc that you made a little drama out of nothing and wasted some of their time


 
Posted : 17/01/2024 6:00 pm
Posts: 1100
Full Member
 

I work for a council in IT and we have just implemented MFA and had all these arguments. Just add it to your personal phone and move on. Stop being picky as at the end of the day the highest likelihood of the NHS getting hacked will be due to user error or a mistake. Think of it as covering yourself. It's also bloody easy to use. If you don't have a smart phone then I get the argument but I would then say get with the programme of modern life. Having MFA on your phone is not the same as having work email on your phone. Give it a bit more time and MFA will be everywhere.


 
Posted : 17/01/2024 6:15 pm
Posts: 78668
Full Member
 

Cougar – “get a work phone” means get one from your employer

If that's the case then the OP is simultaneously arguing against being provided with a work device and not being provided with a work device?!

I genuinely don't understand the beef here. The employer has said they're implementing MFA - which is a good thing - and have offered the employees the option of either using an authenticator app on their own device or on a device the employer will provide. What's Option 3 here, "I don't want to use MFA"? Tough, if so.


 
Posted : 17/01/2024 6:21 pm
 Drac
Posts: 50650
 

What’s Option 3 here

Be a dick. 


 
Posted : 17/01/2024 6:26 pm
Posts: 1894
Full Member
 

I needed to have some stuff emailed to me at home from the NHS recently.  For security they wanted me to use some weird app.  I went to register for the app and it wanted all sorts of irrelevant personal info from me so I refused to do it and made them send it to me snail mail

Egress it was called

I use that. Secure web-based email with NHS people, which makes sense if discussing private medical stuff rather than having it going through Google/whoever's email servers.

Didn't need much I think, just your personal email address which becomes your Egress user ID. Nothing else in the profile was mandatory I don't think.


 
Posted : 17/01/2024 6:44 pm