
AIBU?


To refuse use of personal mobile for work

211 replies

Petal12 · 08/04/2022 16:25

Hi all, work are intending on introducing multi-factor authentication soon. To enter our system we will now need to verify this by authorising on an app we have been told is to be installed on our personal mobile phones. I used to believe in give and take but the last few years have shown the feeling is not mutual and you are simply a number to be used for as long as useful. I like to think I’m not a petty person but can’t get past this. My main bugbear is that I’ve not been asked, just told! Few other points so as not to drip feed

  • Not allowed to log personal devices into the work WiFi. Why should I use my paid for data to facilitate this? No matter how little it may use. If they do allow me to use the work WiFi, does that mean the internet policy applies when using my phone in breaks i.e. I can’t use any number of sites they deem inappropriate?
  • My iPhone is quite old and has storage issues every week. I would have to delete other apps that I actually use to allow this Google Authenticator to download.
  • It’s another point of them being cheap and cutting corners.
  • What if I lose/break my phone?
I’m sure there’s probably security issues that I’ve likely not thought of as well. AIBU?
Indicatrice · 09/04/2022 08:11

@nordica

It's wrong! I don't want work to have access to monitor my texts, photos or even buses (not that I do those). It's a breach of privacy and can fuck off.

You really don't know what Google Authenticator and similar apps do if you think it can monitor your sexting texting. It can't.

For the less than 20 seconds it takes to use a 2FA app, I really wouldn't have a problem with this. Obviously the storage issue is more of an obstacle but demanding a work phone for this use alone seems OTT.

Such low standards here.

Even grads get new phones where I work.

Fireflygal · 09/04/2022 08:13

@jgw1, companies don't want to implement more security, they HAVE to.

The likelihood of cyber attacks is very real. It would take a business out for several weeks. This includes Finance systems, including payroll. Everyone has to play their part in securing access to systems & networks.

Indicatrice · 09/04/2022 08:13

@ImInStealthMode

Provide work phones if you want that or pay me an extra £10k a year.

@Calandor Your phone costs you £10k a year?!?!? You should probably shop around for a better deal.

It was pretty obvious that @Calandor was posting tongue in cheek and saying pay me an extra £10k if you want access to my private texts.
MintJulia · 09/04/2022 08:18

I think you go back and say your phone doesn't have room for another app. Maybe they will meet you halfway for the cost of an upgrade.

Also Okta was hacked recently. Are they adding risk to your personal ID security?

My employer doesn't provide mobiles but they accept that everything must be done via laptop & Google. Your co. seem to be taking the mick.

Piggypiggyoinkoink · 09/04/2022 08:19

My work had a major IT disaster a couple of years ago, then lockdown happened. We were not in a good place for WFH so people were asked to put emails, Teams and authenticator on their personal devices. Which we did to help out. We’re now back in the office and an email came out this week asking that if you had these things on your personal mobile, you sign up to the new mobile phone policy, which amongst other things allows them to wipe your phone if they think it is compromised. Funnily enough, there was a massive deletion exercise, and the office is now alive with the sound of desk phones ringing with codes for authenticating things. This weekend will be entertaining as it’s the first where the minions can’t be contacted to look at stuff so the higher ups might have to!

Indicatrice · 09/04/2022 08:23

@Piggypiggyoinkoink great that people deleted it all, that is some cheeky fuckery by the company!

So people won’t even be able to access from home without the authenticator?

jgw1 · 09/04/2022 08:33

[quote Fireflygal]@jgw1, companies don't want to implement more security, they HAVE to.

The likelihood of cyber attacks is very real. It would take a business out for several weeks. This includes Finance systems, including payroll. Everyone has to play their part in securing access to systems & networks.[/quote]
Surely if they were serious about security, they would not be connecting such important systems to the internet, so then they couldn't be hacked in the first place?

ImInStealthMode · 09/04/2022 08:33

@Indicatrice Which an Authenticator app doesn't give them access to so.... 🤷🏼‍♀️

cakeorwine · 09/04/2022 08:40

We’re now back in the office and an email came out this week asking that if you had these things on your personal mobile, you sign up to the new mobile phone policy, which amongst other things allows them to wipe your phone if they think it is compromised

I think that might have been miscommunication.

The remote wiping would wipe out work related stuff such as Teams, Outlook emails and any work files you had downloaded.

It shouldn't wipe everything from a phone.

cakeorwine · 09/04/2022 08:42

Surely if they were serious about security, they would not be connecting such important systems to the internet, so then they couldn't be hacked in the first place

Important systems such as Finance should have limited access with people who access them ensuring they have appropriate authentication techniques and monitoring to detect unusual activity.

Well - that should really apply to all systems. But not all systems are equal

cakeorwine · 09/04/2022 08:50

@Longdistance

Yanbu. My work somehow thinks it’s acceptable for me to login to work emails from my own phone. I refuse to as I don’t want to respond to emails using my personal phone. If they want me to do that, they can give me a work mobile, which will never happen.
One of the issues we have is people who don't have work devices but who need to access work emails or work systems such as HR online systems. These are people who aren't office based, who rarely use technology in their work but who need to be able to receive / send work related communication. Unfortunately we can't afford to give all these staff work mobile phones or other devices - but at the same time, there's an expectation that they should (occasionally) be logging in online to check their work emails or to book holidays etc.

We have implemented a system so they can go into the office and use office PCs for accessing these things

Bonbon21 · 09/04/2022 08:56

There is nothing in my contract that states I am required to provide a mobile phone or even have a phone!
If they want to contact me by mobile they have to provide one.
They do not pay for my personal mobile phone.... they do not get the use of it.
I made that clear from the beginning of my employment.
They provide a mobile phone for work.
Sorted.

Bonbon21 · 09/04/2022 08:58

I should add that the mobile is switched on at the start of my working day and switched off at the end.
I am not available when I am not being paid.

cakeorwine · 09/04/2022 09:06

@Bonbon21

There is nothing in my contract that states I am required to provide a mobile phone or even have a phone! If they want to contact me by mobile they have to provide one. They do not pay for my personal mobile phone.... they do not get the use of it. I made that clear from the beginning of my employment. They provide a mobile phone for work. Sorted.
If you had a mobile and it was decided that MFA was necessary to add an extra layer of security to reduce the risk of cyber attack - and all it did was send a text message to your phone, would you use that - so you could reduce the risk to your company?
Piggypiggyoinkoink · 09/04/2022 09:16

@Indicatrice oh there was some serious backtracking when it became apparent that their CFery had been rumbled. Apparently if you only have authenticator but no other programs, you don’t need to sign up to the policy. Sadly this was issued after the mass deletion Grin

cakeorwine · 09/04/2022 09:19

[quote Piggypiggyoinkoink]@Indicatrice oh there was some serious backtracking when it became apparent that their CFery had been rumbled. Apparently if you only have authenticator but no other programs, you don’t need to sign up to the policy. Sadly this was issued after the mass deletion Grin[/quote]
That's just poor communication.

Sandinmyknickers · 09/04/2022 09:20

I'm sorry but are you suggesting that they provide you with a phone purely for an authentication app and nothing else?
If they are to provide you with a work phone, then you'd need to have more of a reason for it than that!! What a waste!!!!

Piggypiggyoinkoink · 09/04/2022 09:20

@cakeorwine this was queried, the response was that they needed you to agree to accepting the risk that your personal phone could be wiped by the company if deemed required.

Funnily enough, people don’t want to sign up to that, so are not going to use their personal phones for company stuff. Which they shouldn’t be doing anyway.

jgw1 · 09/04/2022 09:20

If you had a mobile and it was decided that MFA was necessary to add an extra layer of security to reduce the risk of cyber attack - and all it did was send a text message to your phone, would you use that - so you could reduce the risk to your company?

@cakeorwine Presumably in order that a text message could be sent to my phone someone would have to be told the phone number?
Why should I share that information with someone who may not be keeping it securely? See for example the leaks of information about which Russian soldiers are fighting in Ukraine.

Bonbon21 · 09/04/2022 09:22

Their business.
Their security issue.
Their cost.

jgw1 · 09/04/2022 09:23

@Sandinmyknickers

I'm sorry but are you suggesting that they provide you with a phone purely for an authentication app and nothing else? If they are to provide you with a work phone, then you'd need to have more of a reason for it than that!! What a waste!!!!
Yes, if an employer wants me to have a phone to authenticate then they need to provide one. It really is not a complicated idea.
cakeorwine · 09/04/2022 09:24

@jgw1

If you had a mobile and it was decided that MFA was necessary to add an extra layer of security to reduce the risk of cyber attack - and all it did was send a text message to your phone, would you use that - so you could reduce the risk to your company?

@cakeorwine Presumably in order that a text message could be sent to my phone someone would have to be told the phone number?
Why should I share that information with someone who may not be keeping it securely? See for example the leaks of information about which Russian soldiers are fighting in Ukraine.

The phone number would be stored with Microsoft. You would type it in. It's probably stored a lot more securely there than with many other companies who store your personal details.
cakeorwine · 09/04/2022 09:26

@Bonbon21

Their business. Their security issue. Their cost.
Don't you think that everyone in a work place has a responsibility for security?
bailarbailar · 09/04/2022 09:28

We have one and are taking the issue to senior leadership. It's not a code like some others described but an app that sends a push notification when you log in and you have to open the app and tap yes or no. It then randomly sends messages during lunch breaks, meetings, 2am etc. I don't know why but it's incredibly annoying and disruptive. I said I didn't have space on my phone for a previous less annoying version and was just very rudely told to delete something... my phone was ancient and literally only had 3 or 4 apps anyway! It was my personal mobile so I was v annoyed at this. Now the new version is definitely disrupting our personal lives I don't get why others don't understand that - when you're on a break or outside of working hours you shouldn't have to be reminded of work - the notification leads to you thinking about work! It has already started a slippery slope top of more and more people downloading Teams onto their mobiles too.
I just think if they want us to use specific work-related software then they should supply the hardware too like they do for laptops

cakeorwine · 09/04/2022 09:29

[quote Piggypiggyoinkoink]@cakeorwine this was queried, the response was that they needed you to agree to accepting the risk that your personal phone could be wiped by the company if deemed required.

Funnily enough, people don’t want to sign up to that, so are not going to use their personal phones for company stuff. Which they shouldn’t be doing anyway.[/quote]
Well, there is always a risk if they press the wrong button if you are using a phone for things like Outlook, Teams - things that are connected to a 365 account.

Wipe Data or Account Only Remote Wipe Device

That doesn't matter for MFA though as that is completely separate.
