To refuse use of personal mobile for work

[Petal12]

Hi all, work are intending on introducing multi factor authentication soon. To enter our system we will now need to verify this by authorising on an app we have been told is to be installed on our personal mobile phones. I used to believe in give and take but the last few years have shown the feeling is not mutual and you are simply a number to be used for as long as useful. I like to think I’m not a petty person but can’t get past this. My main bug bear is that I’ve not been asked, just told! Few other points so as not to drip feed

• Not allowed to log personal devices into the

work WiFi. Why should I use my paid for data to facilitate this? No matter how little it may use. If they do allow me to use the work WiFi, does that mean the internet policy applies when using my phone in breaks i.e I can’t use any number of sites they deem inappropriate?

• My iphone is quite old and has storage issues every week. I would have to delete other apps that I actually use to allow this google authenticator to download.
• It’s another point of them being cheap and cutting corners.
• What if I lose/break my phone?

I’m sure there’s probably security issues that I’ve likely not thought of as well. AIBU?

Is it Microsoft Authenticator? If so, that thing is so bloody annoying. However, I wouldn’t be so petty as to say I wasn’t going to use my phone. Is there an underlying issue at your work that makes you not want to do it?

@cakeorwine it may come across as poor communication here, but the second note was only issued after all the managers told us that if we weren’t going to sign up to the policy we should delete all work stuff from personal phones there and then. So we did.

Ironically we have a no access to personal mobile phones while working policy too.

The authenticator we use can send a code via text, email or voice mail, it doesn’t have to be on a mobile. But IT demanded it was installed on a mobile at the beginning.

To be fair to them, this technology was all totally new to them at the start of lockdown, when they were still picking up the pieces from a massive IT crash. But that doesn’t excuse changing goalposts and thinking people are just going to do it.

The phone number would be stored with Microsoft. You would type it in.
It's probably stored a lot more securely there than with many other companies who store your personal details.

And why would I want Microsoft to have my personal mobile phone number?
Do I get I choice in sharing my private information with them?

@jgw1

*The phone number would be stored with Microsoft. You would type it in. It's probably stored a lot more securely there than with many other companies who store your personal details.*

And why would I want Microsoft to have my personal mobile phone number?
Do I get I choice in sharing my private information with them?

It would only be used for authenticating you.

I think you will find that most companies who take cyber security seriously and who have people WFH or who can access work systems remotely will have an expectation that people use MFA for remote access.

And if a company didn't do this, then they are at increased risk of cyber security attack and all the issues that come with it.

What do you think a company should do to implement MFA to people who were reluctant to either use or supply a phone number?

My company implementing this and a colleague expressed her annoyance. More about just being told to do it.

Apparently on our system you download the app and once IT have configured it you can remove the app. My phone is old and full and I’ve failed in downloading it and I shan’t be getting rid of my own stuff. I’ll leave it to IT to sort.

@cakeorwine ... I take security/privacy at work VERY seriously.. but it is not my remit or pay band to solve their IT problems.
I also take MY security/ privacy very seriously and PAY Mcafee for that service.

Tell them your phone is an old Nokia or similar that doesn't have any facility for apps, and you therefore need a work mobile.

What do you think a company should do to implement MFA to people who were reluctant to either use or supply a phone number?

Issue a work mobile.

What do you think a company should do to implement MFA to people who were reluctant to either use or supply a phone number?

If an employer requires employees to use a phone then they should supply the phone. It really is not complicated.

[quote Bonbon21]@cakeorwine ... I take security/privacy at work VERY seriously.. but it is not my remit or pay band to solve their IT problems.
I also take MY security/ privacy very seriously and PAY Mcafee for that service.[/quote]
It's not an IT problem.
It's ensuring security at work.
Which should be everyone's concern.

What do you think a company should do to implement MFA to people who were reluctant to either use or supply a phone number?

Provide the appropriate equipment to enable the employee to fulfill the job role without any cost in time (outside of work), money or encroachment into their personal life/information.

Hope that helps.

@jgw1

What do you think a company should do to implement MFA to people who were reluctant to either use or supply a phone number?

If an employer requires employees to use a phone then they should supply the phone. It really is not complicated.

So supply a work mobile just so you can receive a code or a text message?

Which services or employees would you sack or which costs to your customers would you increase to pay for these massive overheads?

@cakeorwine*...*@littledrummergirl has said it all for me.

*So supply a work mobile just so you can receive a code or a text message?

Which services or employees would you sack or which costs to your customers would you increase to pay for these massive overheads?*

If my employer deems it necessary for me to receive a code or text message then they need to ensure that they supply the equipment for that to happen.

Why should the "massive overhead" of providing mobile phones be paid for by employees?

Personally, if people couldn't supply such information, then they should probably have to be office based so they could supply a desktop phone.

If you wanted to WFH, then you should be able to follow a WFH policy which should include an ability to authenticate remotely using either your mobile phone or a landline.

Alternatively, you could take people out of automatic MFA and then implement a policy that in such cases, people had to register the device they access with was ok.

Then they could login with that device which would be ok. However, if that's what you wanted to do, then you would have to tell IT if it got lost so they could remove access.

In other words, they would know that if you logged in a home laptop, then that's ok. But if your laptop got stolen, you would have to tell IT.

Depending on the type, your company may well have a backup option to use in case the app goes down. We use dongles for business continuity purposes. This is not widely advertised as more expensive but an option for those who don't have a smartphone or who refuses to use a personal device.

Personally it's not a battle I chose to pick but each to their own.

Why should the "massive overhead" of providing mobile phones be paid for by employees

Where do you think money comes from in a company?
The magic money tree?

Personally, if you were my employee, I would take you out of automatic MFA and then ask you to register the device you accessed the system with.

I would also implement extra security on your login so we would look for suspicious activity.

@cakeorwine

Personally, if people couldn't supply such information, then they should probably have to be office based so they could supply a desktop phone.

If you wanted to WFH, then you should be able to follow a WFH policy which should include an ability to authenticate remotely using either your mobile phone or a landline.

Alternatively, you could take people out of automatic MFA and then implement a policy that in such cases, people had to register the device they access with was ok.

Then they could login with that device which would be ok. However, if that's what you wanted to do, then you would have to tell IT if it got lost so they could remove access.

In other words, they would know that if you logged in a home laptop, then that's ok. But if your laptop got stolen, you would have to tell IT.

Why would anyone use their own home laptop for work? If one needs a laptop for work surely work should supply it and set it up appropriately?

@cakeorwine

Why should the "massive overhead" of providing mobile phones be paid for by employees

Where do you think money comes from in a company?
The magic money tree?

Personally, if you were my employee, I would take you out of automatic MFA and then ask you to register the device you accessed the system with.

I would also implement extra security on your login so we would look for suspicious activity.

As far as I can tell you are saying that employees should subsidise businesses so that the bosses can continue to make far more money than they need. Am I correct?

Why would anyone use their own home laptop for work

There are times people might want to be at home and access their work emails or folders.

It's possible with Microsoft to do that.

You could be anywhere in the world and as long as you can access the internet, you can logon and access your account.

That's why extra layers of security are needed - as in theory, anyone anywhere can logon to the internet, type in your email and password - and access the system.

@jgw1

What do you think a company should do to implement MFA to people who were reluctant to either use or supply a phone number?

If an employer requires employees to use a phone then they should supply the phone. It really is not complicated.

You seriously think it’s reasonable to supply a phone for an app that spits out a code over 90 seconds or you click approve to log yourself in. We used to have dongles at work but they are tiny and a pain in the arse to keep.

@Bonbon21 the OPs doesn’t take her security/privacy seriously if she’s walking around with an old iPhone that has storage issues as it’s very likely she doesn’t have the latest security patches on her device. If you have a similar issue paying mcafee isn’t taking your security/privacy seriously at all. I don’t pay for their service as they don’t protect macs and id wouldn’t be kicking up a stink about this app as it’s already installed on my phone as I do take my security seriously and having MFA active on your accounts (personal) is an absolute must for security purposes. Look at the WhatsApp’s hijack attack and what protects you from easily falling foul to it.

Why would anyone use their own home laptop for work?

Using your own means that you have full control of it.

I don't think some people understand how potentially easy it is to access a Microsoft account.

In theory, you just need an email and a password.
And the internet.

So the job of IT is to ensure that the person accessing it is the person who they say they are and then to ensure that they are only able to access the right things they need.

There are plenty of ways to make it as difficult as possible for someone who can't use MFA to ensure that the person who claims to be them accessing the system is the person.

If you can't / won't use MFA, then IT need to know that the device they are accessing it with or the location they are accessing it from is authorised to access it.

You seriously think it’s reasonable to supply a phone for an app that spits out a code over 90 seconds or you click approve to log yourself in. We used to have dongles at work but they are tiny and a pain in the arse to keep.

If my employer wanted me to make widgets at work or at home, then of course the first thing one would ask for would be a widget making machine.
If my employer wanted me to use a phone for work, then it is only logically that they would supply a phone. If they don't deem it important enough to supply a phone then that is their choice.

Personally, if people couldn't supply such information, then they should probably have to be office based so they could supply a desktop phone

No need to be office based. Calls to my work phone we’re forwarded to my desktop or laptop wherever I was.