
NHS Mail - Multi-Factor Authentication

Posts: 13349
Free Member
 

well i need a work device then

Hand over a FIDO key and get going (price about £25 a user for large purchasers like the NHS).

As an aside my personal phone is mine and will not be used for work regularly (to help me out very occasionally yes). Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?


 
Posted : 18/01/2024 2:32 pm
 poly
Posts: 9172
Free Member
 

@tjagain is spot on. What might be logical and easy for someone with IT experience is much less so for, say, a Practice Nurse who's nearing retirement and has only just got to grips with following templates to input patient data (one of my staff). Start those guys off with needing MFA and you're onto a loser.

MFA does not need to be complicated. If it's complicated enough to be a problem for someone who has managed to learn to stick needles in someone then it's being taught/demo'd/rolled out wrong. A more extreme view would be that anyone who is too technophobic to use the systems and tools provided, with the training a typical user needs, then maybe they no longer have the competence needed for 21st century nursing.

But again, this isn’t an individual’s issue to solve, and again @tjagain is right here, just because an organisation has deemed MFA as the way forward does not automatically mean that individual workers can comply with it. If they can’t, for whatever reason, then the organisation needs to come up with an alternative that the employee can use to do their job, not the other way around.

But I don't think anyone has described a situation where a typical worker cannot comply? There will be specific departments like a microbio lab where phones are never permitted where a solution will be required. 90% of people who find a reason why they are special will in fact be making an excuse because they don't want change.


 
Posted : 18/01/2024 2:38 pm
Posts: 16189
Free Member
Topic starter
 

So it turns out our IT Dept don't fully understand the MFA. I've had 3 versions of the truth today.

I've now scrapped the MFA app and will just receive text messages for the authentication.

How do they know my phone password is robust enough to stop spies accessing it? I always set my phone password to 0000 which I am sure someone could work out.


 
Posted : 18/01/2024 3:54 pm
 Pyro
Posts: 2404
Full Member
 

@FunkyDunc - they don't need to know that your passcode is strong enough. There being a passcode on the phone means that it's encrypted at rest properly, so if your phone's nicked someone can't just pull any data off it without unlocking it. That you choose a poor passcode is your own lookout!

@Sandwich - re: "Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?" - that's a false equivalence. There is no cost to me for having MFA on my personal mobile - having the app costs me nothing, downloading it over works guest WiFi costs me nothing, receiving a code via the app costs me nothing, receiving a code by SMS costs me nothing. I don't have to have specific business mobile insurance, there is no wear and tear on my mobile from work usage, I can charge it at my desk so there's no fuel cost. What is there to recompense?

I don't have my works email on my mobile, I don't use it for works messaging or calls (we have Webex and Teams for those), but I have no problem with having my MFA on my personal mobile.


 
Posted : 18/01/2024 4:26 pm
Posts: 35244
Full Member
 

But I don’t think anyone has described a situation where a typical worker cannot comply?

I think @FunkyDunc has said that he cannot have his phone (with the MFA) near his work-station that has access to his email. But I see it from both the sides that @Pyro and @tjagain are saying. I've just been through some training on booking remote blood tests; just finding and choosing drop-downs can cause confusion for folks that aren't tech savvy or are genuinely scared that they'll do something that will cause it to break, or lose info. It's very much akin to a phobia for some folks.


 
Posted : 18/01/2024 4:37 pm
Posts: 44858
Full Member
 

Pyro - as regards the usage of a personal phone for this - IMO it's blurring the line between work and home and making it so that you need your personal phone to work. It's an ethical / boundary issue for me whilst it's a practical issue for you. Just a different way of looking at things.

I always kept a total wall between work and personal - never mixing the two at all


 
Posted : 18/01/2024 4:41 pm
Posts: 35244
Full Member
 

I always kept a total wall between work and personal – never mixing the two at all

That's absolutely fair, and it's practically no different from someone saying "I don't have a smart phone". If the problem was that, IT folks would find a solution, so it should be the same for folks who don't want to use their personal kit for work.


 
Posted : 18/01/2024 4:47 pm
Posts: 16189
Free Member
Topic starter
 

I always kept a total wall between work and personal – never mixing the two at all

And this is where this thread started for me.

I've had pressure before to join WhatsApp groups for work and refused.

It will however be interesting in some areas where we have no mobile phone reception and I need to log on to the NHS network.

I think @FunkyDunc has said that he cannot have his phone (with the MFA) near his work-station that has access to his email.

No I can, it's just the principle of having to use my own personal device to do a work task. As I said originally, it will be an interesting test to do a tax return and put my mobile phone cost down as a business expense.


 
Posted : 18/01/2024 4:52 pm
Posts: 1866
Free Member
 

I would imagine given the choice:

a- here's this gizmo, you must remember to bring it with you every day you work, if you lose it or leave it at home you cannot work without an awkward convo with an IT department. Also, when you aren't working you must leave this device somewhere safe where you don't lose it or forget it the next time you work. granted it could be on your keyring, but then aren't work imposing by not providing you a separate keyring?

b- use the thing that's in your pocket every day and you will not lose it because it's yours, it's your pride and joy, a lifeline, and more important to you than something your work gave you which is an inconvenience to take everywhere in case you need it.


 
Posted : 18/01/2024 4:53 pm
 toby
Posts: 548
Free Member
 

There being a passcode on the phone means that it’s encrypted at rest properly, so if you phone’s nicked someone can’t just pull any data off it without unlocking it.

Not if you're using SMS for MFA - if I have your phone all I need to do is pop the SIM card out and into a cheap feature phone. I can then read any SMS intended for you. If I'm good at blagging (and lucky), I just ring O2, tell them I'm you and I want a PUK code, and shortly afterwards SMSs sent to your number come through to the PAYG phone sat on my desk that I bought from the corner shop with broken CCTV this morning.

Some of the many reasons that SMS isn't a good form of MFA.


 
Posted : 18/01/2024 4:58 pm
Posts: 1866
Free Member
 

This is true, but actually gaining access to your phone in itself is one form of authentication, if you like.

In reality the culprit needs to know your password and steal your phone, only likely to happen in a breaking and entering situation or a colleague up to no good. Although most people (men at least) don't tend to go away from their desk without their phone, at least most of the time.

Without MFA all a bad guy needs is your password, anywhere any when...


 
Posted : 18/01/2024 5:05 pm
Posts: 11605
Free Member
 

As an aside my personal phone is mine and will not be used for work regularly (to help me out very occassionally yes). Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?

Have you ever had work provide you with a car or bike, somewhere to store it and full costs of ownership?

If you have where do you work?

Pyro – as regards the usage of a personal phone for this – IMO its blurring the line between work and home and making it so that you need your personal phone to work. Its an ethical / boundary issue for me whilst its a practical issue for you. Just a different way of looking at things

I always kept a total wall between work and personal – never mixing the two at all

Likewise, if you couldn't walk to work did you demand that they provided you with transport? I mean, you wouldn't want to use your own bike for commuting on would you?


 
Posted : 18/01/2024 5:23 pm
 Pyro
Posts: 2404
Full Member
 

it's practically no different from someone saying "I don't have a smart phone". If the problem was that, IT folks would find a solution,

They did. SMS doesn't require a Smart phone... 😉


 
Posted : 18/01/2024 5:30 pm
Posts: 44858
Full Member
 

Have you ever had work provide you with a car or bike, somewhere to store it and full costs of ownership?

Yes - most NHS community nurses are provided a car at zero cost to them.  I had one for the few months I did this.  You cannot use it for personal use obviously.  I cycled to work, picked up the car and worked all day, dropped the car off at the end of my shift


 
Posted : 18/01/2024 6:13 pm
 Pyro
Posts: 2404
Full Member
 

Responding to both TJ and FunkyDunc

And this [separation of work and life] is where this thread started for me.
I’ve had pressure before to join whats app groups for work and refused.

I'm with you on that. I wouldn't join a work WhatsApp. I'm not friendly enough with or interested enough in my colleagues for that to be somewhere I'd go! And I completely understand wanting a hard division, but - maybe because I have a different understanding of the technical side - I don't see having my MFA on my personal mobile as breaching that division.

It's more convenient for me to have a single device, rather than have to carry a second one around because it's not appropriate to leave a works phone on my desk. No-one can contact me through my personal mobile, I've not given the number out to anyone, I've not breached or compromised my own privacy by having my MFA there. I use Outlook on my works laptop, or have Smartcard access to NHSMail if I need it, so the times I have to use MFA are very minimal. On the basis of that, I'd feel like a right bellend if I forced the organisation to buy me a works mobile just because I objected to using my personal one to receive an SMS once in a blue moon.

And assuming I stay in the NHS, if I move organisations my NHSMail account comes with me, so I don't have the hassle of getting a new works number, having to move my MFA to a new phone etc.

I guess I understand the ethical division, I just don't necessarily agree with the application of it completely. There's multiple ways to skin a cat, and I feel like I'm going for the one that involves the least amount of me getting scratched, while I and other IT colleagues also work on an appropriate sedative for the b'stard thing...


 
Posted : 18/01/2024 6:14 pm
Posts: 44858
Full Member
 

Likewise, if you couldn’t walk to work did you demand that they provided you with transport? I mean, you wouldn’t want to use your own bike for commuting on would you?

Commuting is not work in works time nor their responsibility.  Not an analogous position at all. 


 
Posted : 18/01/2024 6:14 pm
Posts: 11605
Free Member
 

Commuting is not work in works time nor their responsibility. Not an analogous position at all.

No, because in this case you're using your own phone at absolutely no detriment to yourself.

I get arguments about work/life balance and a right to disconnect, I'll support any and every initiative that supports that. Installing an authenticator app is not that. Your argument is more analogous to being issued a site pass that you're expected to keep safe and then demanding the company provides a safe to keep it in outside of your house.


 
Posted : 18/01/2024 6:20 pm
Posts: 13349
Free Member
 

Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?” – that’s a false equivalence.

It really isn't, smartphone batteries have a finite life and virtually no resale value, they cost money to run. It may not be much weekly compared to the depreciation on a reasonably good car but it's a cost. I work to live not the other way round.


 
Posted : 18/01/2024 6:33 pm
Posts: 848
Free Member
 

Like many on this thread, I just don't really understand the belligerence to using your phone for MFA - if it's appropriate. If you are working in spaces where you can't take your phone or it's not accessible, then the MFA programme should have done their job properly to provide an alternative such as a YubiKey (other security devices are available) or something like an infiniband if the workplace doesn't like things that look like USB drives. People who cite "not wanting work to have access to my data" are just being ignorant and using it to try and justify not installing an app.

As toby mentioned - you should not be using SMS at all. Sure, it's slightly better than not having any MFA at all, but barely. I believe there are at least a couple of Govt departments that have banned SMS following one or more incidents with SMS last year.

It's fundamentally about increasing security and making it harder for your account to be hacked. I wonder, of the people against it, how they would feel if their company got compromised via their account because they refused to accept MFA? I know that their account compromise wouldn't be the sole reason the company got compromised / hacked / ransomwared and that IT would have a lot of questions to answer, but by refusing MFA you are creating an opportunity that can be removed.


 
Posted : 18/01/2024 6:35 pm
Posts: 44858
Full Member
 

bikingcatastrophe - for me its two issues - the hard cutoff between work and home and that work should provide what you need to work

Work is work, personal is personal and never mix the two


 
Posted : 18/01/2024 6:43 pm
 poly
Posts: 9172
Free Member
 

How do they know my phone password is robust enough to stop spies accessing it? I always set my phone password to 0000 which I am sure someone could work out.

The point of 2FA/MFA is not to make it impossible for someone to find a way into a system - just to make it much less likely. There are two types of common "misuse" that IT are trying to mitigate:

- someone you know, who you have told your password to or who knows you enough to guess your password, who then for malicious reasons accesses the system and is purporting to be you.

- someone you don't know who is probably on the other side of the world, who either brute force hacks your password (but they should be able to mitigate that), tricks you into revealing your password (e.g. a phishing attack), or has got hold of a password list from somewhere else with shonky security and you use the same password "everywhere".

The latter one is much more common and much higher risk. Phishing attacks are becoming ever harder to spot (to the extent I've reported a few false positives from companies that should know better!).

The idea of MFA is that to prove your identity you provide (1) something you know (your password) and (2) something you own (the code from the authenticator).

It can virtually eliminate the risk from the second type of attack. The former relies a bit more on you (a) not telling people your password; (b) not leaving your phone lying around unlocked/near people who know its code/can guess its code. If that happens the impact is likely much less, and as it will appear YOU are responsible it will be more painful for you than them!


 
Posted : 18/01/2024 6:46 pm
Posts: 1100
Full Member
 

The problem with tokens (I know this from experience) is that they are a pain in the arse to manage. Yes they are cheap but are surprisingly hard to get hold of in large numbers, people lose them all the time and the only people that can add and administer them in Active Directory are the highest level admins. We only have two of those in an organisation of 5000 and they are the ones with complete god power, so they are busy enough doing other things than administering tokens.

When it comes to MFA via SMS and telephone call, many suppliers are not deeming this secure enough. Salesforce for instance only allows a token or an authenticator app.

Dishing out smartphones isn't just about the cost, it is also about keeping them updated with the latest OS, and having to carry around two phones (one just for the authenticator) is a pain in the arse.

The easiest thing is to use the biometrics on a laptop like the finger print sensor or Windows Hello, but that potentially means a roll out of new laptops.

If you have a personal phone then I see no reason why you shouldn't be forced to use it. I don't charge my employer for the chair or desk I use when working from home or the pens and notebooks I use. Life is too short and work is a two way thing, it's not just about taking from your employer.


 
Posted : 18/01/2024 6:50 pm
Posts: 11605
Free Member
 

smartphone batteries have a finite life and virtually no resale value, they cost money to run. It may not be much weekly compared to the depreciation on a reasonably good car but it’s a cost. I work to live not the other way round.

Jesus wept, did you turn up naked for your first day so you didn't wear out any of your clothes?

You do realise you've just outed yourself as THAT PERSON? The one that bitches and whines because their duties change slightly and they WILL NOT do whatever it is they've been asked to do without extra pay as its not their job. Not that they ever find time to do that either but, you know, it's the principle of it.


 
Posted : 18/01/2024 7:18 pm
Posts: 35244
Full Member
 

I work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA

No need, contact IT support, tell them the issue, and either get them to remove the need for MFA on that station (because you can't), or organise it so that you can use your smart card (if you have one) or get them to install Outlook on it and get NHS mail that way. Problem solved (or made someone else's).


 
Posted : 18/01/2024 7:33 pm
Posts: 3070
Full Member
 

There will be specific departments like a microbio lab where phones are never permitted where a solution will be required

Yep. I've already posted this but that's me and my department. The solution is to forgo the health and safety rule and allow people to bring their phone in to comply with the requirement for MFA.


 
Posted : 18/01/2024 7:45 pm
 Pyro
Posts: 2404
Full Member
 

No need, contact IT support, tell them the issue, and either get them to remove the need for MFA on that station (because you can’t)

You can't remove MFA on a specific device, doesn't work like that. Could temporarily disable on the user account, but that's not helping.

Best option, assuming that machine had a smartcard reader, is to use a PC elsewhere in the trust to get Smartcard auth set up and use that. But yeah, your Trust IT should be advising on this if you explain the situation.


 
Posted : 18/01/2024 7:47 pm
Posts: 1866
Free Member
 

I disagree Pyro, you certainly can reduce or completely remove the need for MFA on a specific device or named network etc.

well.. at least the rules in the conditional access policies surrounding MFA suggest it to be possible.

I'm coming from an Entra/Intune perspective at least, where you are coming from may be different


 
Posted : 18/01/2024 8:52 pm
 Pyro
Posts: 2404
Full Member
 

Fair point, you probably can - you could create a security group for that single device - but that's using a sledgehammer to crack a nut. I don't know many Trusts that would do that, it's a lot of work to single out one device when it would probably be more sensible to do it for a whole internal network.

We're trying to get our whole HSCN IP range configured as the boundary, so it would encompass all our Practices, our ICB office, and our VPN subnets, but it's convoluted. Doing similar at their Trust would cover that lab without having to essentially create a single device exception. And again, if Smartcards are in use or they have a FIDO token, there's no need for it anyway.
Many sledgehammer, many nut, many cats to be skinned many ways!


 
Posted : 18/01/2024 9:15 pm
Posts: 364
Full Member
 

Never thought I would say this but I am starting to feel a lot of sympathy for all of the IT people out there.

Also work in the NHS and at times it feels like there is flexibility being demanded from staff but nothing going back the other way. Can I assume all of the people that have firm boundaries either lock their phone away during working hours or switch them off and only check at breaks?

On another note, since there are some people who seem to know what they are talking about. Our trust has just started a BYOD policy. I have access to a NHS laptop and work offsite regularly but the trust laptop is really not great. I have my own MacBook and access to a VDI. Are there any strong reasons not to use my own laptop for email/teams etc and do patient work on the VDI?


 
Posted : 18/01/2024 10:28 pm
Posts: 44858
Full Member
 

Can I assume all of the people that have firm boundaries either lock their phone away during working hours or switch them off and only check at breaks?

Yup - me when I worked and most of the staff.  disciplinary offense to use your phone on work time.  People have been disciplined for using their phone when at work

Are there any strong reasons not to use my own laptop for email/teams etc and do patient work on the VDI?

Yes.  Patient confidentiality.  You may know your laptop is secure but does your employer?  Can you prove it?  At my workplace doing that without express permission would be a serious disciplinary and I doubt permission would be given


 
Posted : 18/01/2024 10:35 pm
Posts: 364
Full Member
 

@TJ again, when you say when you worked, can I ask how long ago you stopped?

I don't think you understand my question, BYOD is the trust giving express permission for people to use their own device and access the secure network. They know things are secure because of..... MFA. Outlook, teams, one note etc all are secured and using VDI to access patient records nothing is coming onto my device. 


 
Posted : 18/01/2024 10:55 pm
Posts: 44858
Full Member
 

retired 3 years ago

Sorry - I didn't get all the acronyms.  With permission its fine ( tho no way would I do so)


 
Posted : 18/01/2024 11:02 pm
 Pyro
Posts: 2404
Full Member
 

Our trust has just started a BYOD policy. I have access to a NHS laptop and work offsite regularly but the trust laptop is really not great. I have my own MacBook and access to a VDI. Are there any strong reasons not to use my own laptop for email/teams etc and do patient work on the VDI?

I'm not an expert on VDI but there's two big NHS organisations near me that work completely that way. As far as I know, if you're working on VDI and all patient or commercial confidential data stays within the virtual machine, then no real reason not to use it. If needs be the VM software could be set up to do a posture check on your device, and limitations can be set on what you can export from the VDI environment, then it's as secure as an enterprise managed desktop. If your Trust is offering BYOD they should have covered off the technical, IG and clinical safety repercussions of that. If you're happy to allow any monitoring they might want on the device, go for it.


 
Posted : 18/01/2024 11:02 pm
Posts: 78676
Full Member
 

I’ve had pressure before to join whats app groups for work and refused.

It will however be interesting in some areas where we have no mobile phone reception and i need to logon to the NHS network.

WhatsApp requires a phone number for setup. It does not require mobile phone reception.

People that cite “not wanting work to have access to my data” is just ignorance and are using to try and justify them not installing an app.

Anyone with half a clue should already have an authenticator app or three installed. Using it for work is just one more account on the list of a dozen. I get wanting separation of work and personal and I'm 100% an advocate of that, I've pushed hard over the years for "give me the tools to fulfil your requirements," but adding a 17th account to Google Authenticator is neither here nor there.


 
Posted : 18/01/2024 11:13 pm
Posts: 364
Full Member
 

When working on mail, Teams, OneNote etc everything is inside O365, so I understand that can be viewed by anyone within the trust as it's all hosted centrally, but can anything else be seen? I am a very boring person so nothing dodgy going on, but if I get approached about a new job and I am looking at that in my browser, I think that is separate but am I right? Even worse, can anyone see I spent a whole day arguing with strangers on a MTB website!

I am not paranoid about privacy but a better understanding of what's private and what's not would be good.

VDI permissions are all set so I can't copy and paste etc


 
Posted : 18/01/2024 11:42 pm
Posts: 848
Free Member
 

We’re trying to get our whole HSCN IP range configured as the boundary, so it would encompass all our Practices, our ICB office, and our VPN subnets, but it’s convoluted. Doing similar at their Trust would cover that lab without having to essentially create a single device exception. And again, if Smartcards are in use or they have a FIDO token, there’s no need for it anyway.

That's not really the ideal way to do it - certainly if you are using Entra / the MS ecosystem. It's a bit like a modern interpretation of the old "castle wall perimeter - network is the security boundary" way of working. The ideal would be using things like risk based authentication decisions by having access to machine health and compliance as part of the conditional access rules. As we all keep agreeing too, there are other options besides Authenticator. A security token is more secure or you could use Certificate Based Auth (not so easy or flexible to roll out).
It's also not a good idea to be excluding specific machines from MFA. It's a bit like building a castle with 10 foot thick walls but only building those walls on 3 sides of the castle.
It's a big, bad, scary world out there in terms of cyber warfare and threat and it would be handy if those who are not into IT at least recognised that many IT departments are under significant demands to bring security to the company and the decisions are mostly made with the intent to strengthen and protect the company rather than to upset the non-IT literate.


 
Posted : 19/01/2024 9:08 am
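An added example, not code from any poster in the thread, for the exchange above about carving a single device or a whole network range out of MFA and the reply that device posture rather than the network should drive the decision. It is a small audit over a conditional access policy export in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies, flagging enforced MFA policies that exclude a named location or a device. The four sample policies, their names and IDs are constructed for the example and are not anyone's real tenant.

```python
import json

# Constructed sample export in the shape of Microsoft Graph's
# GET /identity/conditionalAccess/policies. Names and IDs are made up.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "MFA for all users except HSCN range",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"],
                   "excludeUsers": ["break-glass-account-id"]},
         "applications": {"includeApplications": ["All"]},
         "locations": {"includeLocations": ["All"],
                       "excludeLocations": ["hscn-named-location-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA except lab workstation",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"]},
         "applications": {"includeApplications": ["All"]},
         # mode "exclude" removes matching devices from the policy's scope
         "devices": {"deviceFilter": {"mode": "exclude",
                                      "rule": 'device.displayName -eq "LAB-WS-01"'}}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Compliant device or MFA",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"]},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["compliantDevice", "mfa"]}},
    {"displayName": "Old report-only draft",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeUsers": ["All"]},
         "applications": {"includeApplications": ["All"]},
         "locations": {"includeLocations": ["All"],
                       "excludeLocations": ["some-other-location-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]})


def audit_mfa_exclusions(export_json: str) -> list[str]:
    """Return one finding per enforced MFA policy that carves out a trusted
    location or a device, plus a note where a compliant device is accepted
    instead of MFA (the device-posture approach, not a gap)."""
    findings = []
    for policy in json.loads(export_json)["value"]:
        if policy.get("state") != "enabled":
            continue  # report-only or disabled policies enforce nothing
        grant = policy.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if "mfa" not in controls:
            continue  # not an MFA policy; out of scope for this audit
        name = policy["displayName"]
        cond = policy.get("conditions") or {}

        # Network-as-boundary exclusion: anyone on that range skips MFA.
        locs = (cond.get("locations") or {}).get("excludeLocations") or []
        if locs:
            findings.append(f"{name}: {len(locs)} trusted location(s) bypass MFA "
                            "(network perimeter used as the boundary)")

        # Single-device carve-out: the device filter drops it from scope.
        dev_filter = (cond.get("devices") or {}).get("deviceFilter") or {}
        if dev_filter.get("mode") == "exclude":
            findings.append(f"{name}: device filter excludes devices from MFA: "
                            f"{dev_filter.get('rule')}")

        # Posture-based alternative: compliant device satisfies the grant.
        if "compliantDevice" in controls and grant.get("operator") == "OR":
            findings.append(f"{name}: compliant device accepted instead of MFA "
                            "(device posture, not network, decides)")
    return findings


if __name__ == "__main__":
    for line in audit_mfa_exclusions(SAMPLE_EXPORT):
        print(line)
```

The third finding is informational: a policy that lets a compliant, managed device stand in for MFA is the "machine health and compliance" route described above, whereas the first two are the perimeter and single-device exceptions that leave one side of the castle without a wall.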
Posts: 44858
Full Member
 

Anyone with half a clue should already have an authenticator app or three installed.

What am I missing here?  Why would I need an authenticator app on my phone?  What for?

Edit - I don't even have my phone locked


 
Posted : 19/01/2024 9:14 am
 poly
Posts: 9172
Free Member
 

What am I missing here?  Why would I need an authenticator app on my phone?  What for?

Edit – I don’t even have my phone locked

I think it's a bit of an overstatement to say anyone with a clue - I have it with 12 different services using it for authentication, but if you don't have to deal with HMRC, various financial services etc then it would probably just be for 2FA on email. That is however potentially the most important one: once someone has access to your email they can reset passwords on most things that don't need 2FA and then you are in a proper mess! Of course you can use SMS etc as 2FA so perhaps you have done that. It's marginally less secure and requires a phone signal.

I don't criticise people for not having a password on their phone - but if you lose it does that mean whoever finds it can get access to lots of stuff you wouldn't want them to? There seems a disconnect between someone who wouldn't fill in personal detail on an NHS electronic patient system and someone who has no security on their phone - unless of course you don't have any apps like email, social media etc on your phone.


 
Posted : 19/01/2024 9:47 am
Posts: 44858
Full Member
 

Ta

Nothing critical can be accessed on my phone.  Email requires a password.  Banking app a password and a security question

There seems a disconnect between someone who wouldn’t fill in personal detail on an NHS electronic patient system

Different issue - it was not an NHS system - it was a private company wanting all sorts of personal info to access nhs emails with no restrictions on how they can use it - including NI number FFS

Maybe I should lock it.

Ta again


 
Posted : 19/01/2024 9:53 am
Posts: 8213
Full Member
 

As far as Egress goes, yes it's a PITA and completely pointless in some scenarios where you get sent a link to your email telling you how to access the secure message where the only signup condition is needing the email address! Muppets. Though it does at least give some security to the message content (e.g. no one has intercepted and altered the bank details being shared with you as part of a financial transaction).

In your case I suspect that Egress might already have those details that you don't want to share with them (provided by whoever set you up on Egress) and that they were requested to validate that you are you. I also suspect (though don't know for sure) that those details shouldn't be usable by the company for anything other than validating your identity (yeah I know 'shouldn't').


 
Posted : 19/01/2024 10:04 am
Posts: 3681
Full Member
 

most NHS community nurses are provided a car at zero cost to them

Not in my experience, they usually use their own car (either theirs, or a leased car via salary sacrifice that's 'theirs' in the same way a personal lease car would be, i.e. it lives on their drive, they drive it to and from work, use it at the weekends etc) and reclaim expenses for miles driven.

unless of course you don’t have any apps like email, social media etc on your phone.

Even then, for a scammer it would be quite handy to have unrestricted access to a phone full of numbers of friends and family.  "Hi aunty Sue, I can't speak as my battery is nearly dead but I need £500 for X, here are my bank details. Sorry to ask but it's an emergency..."


 
Posted : 19/01/2024 10:10 am
Posts: 44858
Full Member
 

The egress stuff was as a member of the public well after I retired so no way should they have had any of those details.  All the information required was to set up an account.

I will secure my phone tho - its educational to a luddite like me this stuff - ta


 
Posted : 19/01/2024 10:13 am
Posts: 1866
Free Member
 

@tj

Why would you have an authenticator app on your phone?

Well, for any account that supports it.

Without opening my app I know I have a couple or 3 work accounts in there.

I have my Google account, which in itself is pretty much the key to the kingdom.

Facebook.

Steam, Epic Games.

Basically, if the option for 2FA through an app is there, I take it.

Also, on critical accounts, there are backup methods of entry set, because if i lost these accounts i would be pretty upset


 
Posted : 19/01/2024 10:20 am
Posts: 44858
Full Member
 

I am permanently logged out of google on everything.  I still do not understand this at all.

Anyway I have locked my phone now, so to get into my banking for example they would need lock screen pin, banking app password, banking app security question. What does the authenticator app add? My phone does not remember passwords.

I'm not just being argumentative here - genuinely trying to understand


 
Posted : 19/01/2024 10:25 am
Posts: 1866
Free Member
 

Not specifically on your phone.

Say someone finds your Google account email address, and brute forces it. Without MFA they will eventually get in, change your password, and the Google account is theirs.

They then have access to your email, which could be the email address you've used for other sensitive accounts, which they can then password reset and pick up your email.

Remember, the entry point to most accounts is not through your phone, it's via web logins.

With working MFA, any time a valid password is supplied, there is then a prompt on the app on your phone to approve in some way. So the phone needs to be in the hand of the culprit, they need to be able to unlock it and approve on the app.

SMS/call also does this yes, but an MFA app is considered more secure again.


 
Posted : 19/01/2024 10:31 am
Page 3 / 4