
To refuse use of personal mobile for work

211 replies

Petal12 · 08/04/2022 16:25

Hi all, work are intending on introducing multi factor authentication soon. To enter our system we will now need to verify this by authorising on an app we have been told is to be installed on our personal mobile phones. I used to believe in give and take but the last few years have shown the feeling is not mutual and you are simply a number to be used for as long as useful. I like to think I’m not a petty person but can’t get past this. My main bugbear is that I’ve not been asked, just told! Few other points so as not to drip feed

  • Not allowed to log personal devices into the work WiFi. Why should I use my paid for data to facilitate this? No matter how little it may use. If they do allow me to use the work WiFi, does that mean the internet policy applies when using my phone in breaks i.e. I can’t use any number of sites they deem inappropriate?
  • My iPhone is quite old and has storage issues every week. I would have to delete other apps that I actually use to allow this Google Authenticator to download.
  • It’s another point of them being cheap and cutting corners.
  • What if I lose/break my phone?
I’m sure there’s probably security issues that I’ve likely not thought of as well. AIBU?

Petal12 · 08/04/2022 16:58

I don’t dispute mfa is important and maybe I am being awkward, I totally accept that. As I say this may be the straw that’s breaking the camel’s back - which is why I’ve got my back up

DGRossetti · 08/04/2022 16:59

@nearlyspringyay

No way, they provide you with a phone.

I have to log on with Microsoft authenticator and often choose to get a text code to my personal phone because it's easier than firing up the shitty Samsung I have for work but that's my choice.

Of all the 2FA channels, SMS is the weakest

securityboulevard.com/2021/12/why-using-sms-authentication-for-2fa-is-not-secure

Not a problem in most cases, but I certainly wouldn't be letting any high net individuals rely on it.

thecatsthecats · 08/04/2022 17:00

@Womencanlift

We have this and use it to log in, both in morning and if we lock our system during the day. Takes 2 seconds each time.

I am someone who is absolutely against having emails on my personal phone as agree on the separation between work and home but an app that takes less than a minute a day, I can’t get worked up about that

It opens up a complete minefield of device management and data protection issues that simply don't exist for work phones.

My husband has a fingerprint stored on my personal phone and me on his. That could simply be banned for a work phone, but they have no way to manage it for personal phones.

I had a cheapskate ex manager who told us to "delete the crap" off our phones to make room for a work app. I told him in no uncertain terms that the only crap was the app he wanted to put on my personal property. Later I was promoted above him and got everyone proper devices for work Grin

DGRossetti · 08/04/2022 17:04

@Petal12

I don’t dispute mfa is important and maybe I am being awkward, I totally accept that. As I say this may be the straw that’s breaking the camel’s back - which is why I’ve got my back up

In other words making a culture problem into a "technical" problem?

Lastqueenofscotland · 08/04/2022 17:10

Is it Duo? It literally takes less than a second once a day.

NorthSouthcatlady · 08/04/2022 17:12

@Petal12 I push back by refusing to do it. It means I drop into a black hole between locations and they aren’t thrilled. But they ultimately choose for it to be like this 🤷‍♀️. I’m not sweating it

Saltyquiche · 08/04/2022 17:13

Don’t, in my experience it blurs the lines and work eats into personal life

godmum56 · 08/04/2022 17:15

YANBU. If they had asked not told I might have considered it

Hutchy16 · 08/04/2022 17:17

Yeah it sounds like you are being unreasonable. I have to verify with an app on my phone to log onto my company’s servers…what do you want as an alternative??? A new phone from them…c’mon

Cultureclub · 08/04/2022 17:19

I've the same situation at work but I also have to use my phone for work calls, Zoom calls, Teams, my SOS emergency system etc.
I've brought it up on numerous occasions and still awaiting the work mobile. Our policy at work regarding IT is very stringent and we've been asked to sign off on a policy allowing work to delete our personal phones remotely if we lose them.
It's messy in the extreme and I think no-one should have to use their personal phones for work. My appraisal was last week and I've asked for it to be recorded, this was the first time they showed any interest as they didn't want to record it.

Fireflygal · 08/04/2022 17:19

I think you are being petty.

2FA is essential for companies to comply with security. They don't want to do it, it's essential, like needing door badges at work.

Most companies secure work WIFi and don't allow personal devices to connect. This is for very good security reasons, such as employees have old devices that are no longer up to date and therefore a security risk. It's a real threat not them being petty. If they have a security accreditation, (which is often essential to win business) they will fail should the audit detect out of date devices on their Network. Companies have to work with the technology available- sms is no longer deemed secure. Again not their choice, the industry and security standards determine it.

However companies operate a guest WIFi which is less restricted. This is usually password protected but won't allow access to data they need to secure. Ask your IT department if they intend to provide this? Although the bandwidth from 2FA is tiny so shouldn't be required.

If you won't work with the company to help them secure their systems then I would question why you are there. Do you adhere to secure door policy - assume you carry a work badge around with you?? It really isn't any different.

iRun2eatCake · 08/04/2022 17:20

@Saltyquiche

Don’t, in my experience it blurs the lines and work eats into personal life

I agree.

MayMorris · 08/04/2022 17:20

Just say your mobile is not secure as it is shared and accessed by others in your household, and you don’t always have it with you. so how does that work with security features for companies systems?
Really, this is bad practice. It assumes you have a smart phone, it is downloading work onto your personal property and blurring boundaries. Before you know it they’ll be calling you on the number, emailing you etc…nope. Nope. Nope. Issue it you with a cheap smart phone Sim only isn’t going to cost in grand scheme, they’re just wanting to address issues without paying for it.
Sure if that was part of your employment contract when you signed it they’d have justification…but they can’t force you if not without asking you to resign your contract

DGRossetti · 08/04/2022 17:22

Just say your mobile is not secure as it is shared and accessed by others in your household, and you don’t always have it with you. so how does that work with security features for companies systems?

As an IT manager wouldn't bother me ...

MayMorris · 08/04/2022 17:24

@Fireflygal

I think you are being petty.

2FA is essential for companies to comply with security. They don't want to do it, it's essential, like needing door badges at work.

Most companies secure work WIFi and don't allow personal devices to connect. This is for very good security reasons, such as employees have old devices that are no longer up to date and therefore a security risk. It's a real threat not them being petty. If they have a security accreditation, (which is often essential to win business) they will fail should the audit detect out of date devices on their Network. Companies have to work with the technology available- sms is no longer deemed secure. Again not their choice, the industry and security standards determine it.

However companies operate a guest WIFi which is less restricted. This is usually password protected but won't allow access to data they need to secure. Ask your IT department if they intend to provide this? Although the bandwidth from 2FA is tiny so shouldn't be required.

If you won't work with the company to help them secure their systems then I would question why you are there. Do you adhere to secure door policy - assume you carry a work badge around with you?? It really isn't any different.

I don’t think anyone would argue about need for 2FA or similar. Absolutely. The point is they are insisting on using people’s personal property to do this. And making assumptions about people’s ability to be able to do this. Nope. Not unless it was part of their employment contract to allow company to utilise their personal property

DGRossetti · 08/04/2022 17:25

like needing door badges at work.

Shudders at memory of having to explain that every single week .

110APiccadilly · 08/04/2022 17:25

YANBU. My work have an alternative method for anyone who doesn't want to use a personal phone for MFA. I think that's the only reasonable option.

DrWhoNowww · 08/04/2022 17:25

@Fireflygal

I think you are being petty.

2FA is essential for companies to comply with security. They don't want to do it, it's essential, like needing door badges at work.

Most companies secure work WIFi and don't allow personal devices to connect. This is for very good security reasons, such as employees have old devices that are no longer up to date and therefore a security risk. It's a real threat not them being petty. If they have a security accreditation, (which is often essential to win business) they will fail should the audit detect out of date devices on their Network. Companies have to work with the technology available- sms is no longer deemed secure. Again not their choice, the industry and security standards determine it.

However companies operate a guest WIFi which is less restricted. This is usually password protected but won't allow access to data they need to secure. Ask your IT department if they intend to provide this? Although the bandwidth from 2FA is tiny so shouldn't be required.

If you won't work with the company to help them secure their systems then I would question why you are there. Do you adhere to secure door policy - assume you carry a work badge around with you?? It really isn't any different.

If 2FA is so essential to the company then they will provide the technology necessary to use it surely?

Much like in businesses that are access pass controlled they provide the access pass…they don’t ask you to bring your own Hmm

Hutchy16 · 08/04/2022 17:25

I think a lot of the posters don’t understand what this app will be. It’s a ‘token’ on your phone, you type in a chosen passcode and they give you a code in return. This code is entered into your laptop to prove it is you that is logging in.

Nobody is accessing your phone, no data is transferred, nobody is having to work from their phone. It is literally a case of typing a passcode and getting given a verification code in return.

The whole idea of pushing back on this is beyond petty - it’s actually embarrassing for the OP (people would definitely be laughing at you for this)

MayMorris · 08/04/2022 17:27

@DGRossetti

Just say your mobile is not secure as it is shared and accessed by others in your household, and you don’t always have it with you. so how does that work with security features for companies systems?

As an IT manager wouldn't bother me ...

Why not? What’s the point if anyone can generate the code? Genuine question….

Fireflygal · 08/04/2022 17:28

policy allowing work to delete our personal phones remotely if we lose them

This is a requirement to meet a basic government encouraged security accreditation. However no way would I allow work apps without a BYOD policy, they should have an MDM application that facilitates containerisation, i.e. work and personal are segregated on your phone.

This has been available for many years so no excuse for a company not to implement. However if they can delete your data remotely they have the tool installed on your phone so perhaps there is distinction between personal and corporate?

DGRossetti · 08/04/2022 17:28

I don’t think anyone would argue about need for 2FA or similar.
[]
The point is they are insisting on using people’s personal property to do this. And making assumptions about people’s ability to be able to do this.

If the employee is really dead set against it, then I'd print them a list of one-time 2FA codes (maybe 10 at a time) and they can use those and keep them appropriately secure. More than one way to skin a cat and all that.

MayMorris · 08/04/2022 17:31

@Hutchy16

I think a lot of the posters don’t understand what this app will be. It’s a ‘token’ on your phone, you type in a chosen passcode and they give you a code in return. This code is entered into your laptop to prove it is you that is logging in.

Nobody is accessing your phone, no data is transferred, nobody is having to work from their phone. It is literally a case of typing a passcode and getting given a verification code in return.

The whole idea of pushing back on this is beyond petty - it’s actually embarrassing for the OP (people would definitely be laughing at you for this)

Bollocks…maybe people under aged 30 ish who seem pretty loose with their PPI and privacy might laugh…more fool them……but for people of my generation I don’t just blur the lines between private and work related stuff

Norgie · 08/04/2022 17:31

It would be a big fat no from me. My phone is my personal and private property.
Either they provide a phone with it on, or it's not happening, is my view.

DGRossetti · 08/04/2022 17:32

I think a lot of the posters don’t understand what this app will be. It’s a ‘token’ on your phone, you type in a chosen passcode and they give you a code in return. This code is entered into your laptop to prove it is you that is logging in.

It could be like that (like a banky thing). But Google Authenticator (for example) just creates a new number every 30 seconds with no need for any input when set up.

My Google Authenticator on my personal phone has just over 40 accounts secured of which about 25 are work.
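
The 30-second codes described in the post above are time-based one-time passwords (TOTP, RFC 6238). As an added example that is not part of the thread, this sketch shows how the app and the server each compute the same code offline from a shared secret and the clock, with no network traffic from the phone; the sample secret is the RFC 6238 test key and the one-step drift window is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the interval mentioned in the post


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, drift_steps=1):
    """Server-side check: accept the current step plus or minus drift_steps.

    The drift window (an assumed policy value) tolerates a phone clock that
    is slightly off; codes outside the window are rejected.
    """
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an enrolment QR code would carry it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(SECRET, now)  # what the phone app would display
    print(code, verify(SECRET, code, now))  # what the server would decide
```

Anyone holding the enrolled secret can produce the code, which is why it counts only as a second factor alongside the password rather than as proof of identity on its own.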