
To refuse use of personal mobile for work

211 replies

Petal12 · 08/04/2022 16:25

Hi all, work are intending on introducing multi-factor authentication soon. To enter our system we will now need to verify this by authorising on an app we have been told is to be installed on our personal mobile phones. I used to believe in give and take but the last few years have shown the feeling is not mutual and you are simply a number to be used for as long as useful. I like to think I’m not a petty person but can’t get past this. My main bugbear is that I’ve not been asked, just told! Few other points so as not to drip feed

  • Not allowed to log personal devices into the work WiFi. Why should I use my paid-for data to facilitate this? No matter how little it may use. If they do allow me to use the work WiFi, does that mean the internet policy applies when using my phone in breaks i.e. I can’t use any number of sites they deem inappropriate?
  • My iPhone is quite old and has storage issues every week. I would have to delete other apps that I actually use to allow this Google Authenticator to download.
  • It’s another point of them being cheap and cutting corners.
  • What if I lose/break my phone?
I’m sure there’s probably security issues that I’ve likely not thought of as well. AIBU?
jgw1 · 09/04/2022 10:23

@cakeorwine

I don't think some people understand how potentially easy it is to access a Microsoft account.

In theory, you just need an email and a password.
And the internet.

So the job of IT is to ensure that the person accessing it is the person who they say they are and then to ensure that they are only able to access the right things they need.

There are plenty of ways to make it as difficult as possible for someone who can't use MFA to ensure that the person who claims to be them accessing the system is the person.

If you can't / won't use MFA, then IT need to know that the device they are accessing it with or the location they are accessing it from is authorised to access it.

In which case perhaps the solution is to not use Microsoft accounts that can be accessed so easily?
etulosba · 09/04/2022 10:24

Were, not we’re.

cakeorwine · 09/04/2022 10:25

@jgw1

You seriously think it’s reasonable to supply a phone for an app that spits out a code over 90 seconds or you click approve to log yourself in. We used to have dongles at work but they are tiny and a pain in the arse to keep.

If my employer wanted me to make widgets at work or at home, then of course the first thing one would ask for would be a widget making machine.
If my employer wanted me to use a phone for work, then it is only logical that they would supply a phone. If they don't deem it important enough to supply a phone then that is their choice.

So in your case, I would restrict your login to the work device you use.

This would mean that anyone who used your login details from elsewhere would be blocked.

Job done

No need for MFA, No need for a phone

cakeorwine · 09/04/2022 10:25

In which case perhaps the solution is to not use Microsoft accounts that can be accessed so easily

Try telling that to your IT department.

jgw1 · 09/04/2022 10:27

*So in your case, I would restrict your login to the work device you use.

This would mean that anyone who used your login details from elsewhere would be blocked.

Job done

No need for MFA, No need for a phone*

That would have the added bonus of not being expected to work at times when one was not at work. Why shouldn't every employee be given such a generous offer?

cakeorwine · 09/04/2022 10:27

In which case perhaps the solution is to not use Microsoft accounts that can be accessed so easily

Or restrict logins from only the work IP address.
Or just from work devices that are registered on Azure directory.

jgw1 · 09/04/2022 10:28

@cakeorwine

In which case perhaps the solution is to not use Microsoft accounts that can be accessed so easily

Try telling that to your IT department.

They wouldn't like it, as it would then mean fewer of them would be employed to fix the problems that using Microsoft routinely seems to create.

cakeorwine · 09/04/2022 10:29

That would have the added bonus of not being expected to work at times when one was not at work. Why shouldn't every employee be given such a generous offer

I could easily restrict that on people. Access between certain times of day.
Access only in the work place
Access from certain IP addresses.

Monitoring logins from out of hours.

It does amaze me the times some people log on to the system.

cakeorwine · 09/04/2022 10:30

They wouldn't like it, as it would then mean fewer of them would be employed to fix the problems that using Microsoft routinely seems to create

It's not Microsoft who create my IT problems at work.

BambinaJAS · 09/04/2022 10:30

Your phone should have two profiles:

  1. Personal

All of your own apps and data stored here.

  2. Work

This part of the phone would be encrypted and also only have access to apps that were safe from a company perspective.

It's actually fairly straightforward. I use my fingerprint to access my work emails and intranet via my phone.

DGRossetti · 09/04/2022 10:30

Can I ask if you have any idea why it doesn't work on my Apple Watch? I get the alert but then get a connection error when I click on the alert.

My first thought would be making sure that the watch has the correct synchronised time. A few ms difference counts.

Then I'd check the certificate chain to make sure the watch can be trusted.

That's assuming that Apple's security infrastructure allows the watch to provide the key.

DGRossetti · 09/04/2022 10:34

(TL;DR - if I were managing this, I would ensure there was a zero-cost way for employees that have a problem with it. Especially if you worked in a role where you were not allowed a mobile device on the shop floor.)

Seems this thread has descended into a vat of deliberate ignorance, with some posters staking their position in advance of understanding the broad picture, let alone the nuances.

Generally my view is that if you are expected to make & take calls away from your desk then you should be supplied with a mobile, contract, pink fluffy case and so on.

But if you are at a desk I'd set up a voip softphone.

There's a middle ground where you can install the voip softphone onto a personal phone so people can call you without needing your personal number.

(Ideally I'd put everything through voip as all calls get recorded.)

None of which has anything to do with 2/MFA which can be delivered without a fucking phone anyway.

At a very minimum, 2FA should be mandatory for any connection made from outside the premises.

Our setup is simple login to computer, but then 2FA into any system from there. We use gSuite (or whatever it's called this week) so you get challenged logging into that, then you can use your gMail account to access further systems. In addition some systems also mandate 2FA (hence my keyring of sites on my authenticator).

In my previous role, we were processing very vulnerable people's data under various DWP contracts. These contracts allowed the DWP to rock up anytime to conduct a data security audit. It would have been a serious breach if they found (a) employees without ID badges, and (b) employees accessing systems without MFA.

Having left that, I'm under the PCI-DSS cosh (not for the first time in my career) and while they aren't quite so hot on ID badges, they are on network segregation and ensuring verified access by - guess what ? - MFA.

This is hardly the bleeding edge of security. I was using an RSA token 16 years ago.

Meanwhile, it still seems industry SOP to call me up and demand that I prove my identity to some random caller. Worse than that: some random caller who can't understand why I don't want to tell them anything.

Whatalovelydaffodil · 09/04/2022 10:36

Having a mobile phone is not compulsory. If you have one it's your personal possession. Nothing to do with them.

cakeorwine · 09/04/2022 10:37

@DGRossetti

I do have an issue with VOIP on a personal phone.
It's just from the data perspective - when it's using mobile data.

I love the soft phones though.

Brefugee · 09/04/2022 10:39

MFA is fine, asking you to BYOD is, IMO, a step too far but I can't get too excited about it if the alternative is 100% office based work. The key, for me, is the company must ask not tell you to do this, and if you don't want to for any reason at all they need to provide an alternative.

Having said that: we all get an iPhone (I hate iPhones but that is what we get). The only people who don't get a company phone are the interns, and they get a token and for some access they use their email as the authenticator.

Anniegetyourgun · 09/04/2022 11:30

In my place of work you're not even allowed to use your own devices for work purposes.

cakeorwine · 09/04/2022 11:33

@Anniegetyourgun

In my place of work you're not even allowed to use your own devices for work purposes.
Which probably means they don't allow remote access and have locked down the IT system so only certain devices can access the system.

So you wouldn't need to be WFH and need a way of verifying your credentials remotely.

There would be authentication methods in the location itself.

cakeorwine · 09/04/2022 11:35

Actually - I read that wrong. I read it as not using personal devices at work.

ImInStealthMode · 09/04/2022 11:35

Why would anyone use their own home laptop for work?

When we had to WFH (Thank god that's over) my employer were very happy for me to take my entire 2-screen desktop set-up home with me.

Unfortunately space in my flat means it would have dominated either my lounge or bedroom, or involved set up and take down every single day. Instead I opted to use my own laptop with an employer supplied keyboard and mouse. It was much more convenient for me, and actually less so for them as the single screen meant it took me longer to do some tasks.

RiverSkater · 09/04/2022 11:38

Just turn up at work with a dead phone and say you need to charge it to get the code to log on.

cakeorwine · 09/04/2022 11:43

@RiverSkater

Just turn up at work with a dead phone and say you need to charge it to get the code to log on.
We also have it so the code remembers you for a bit if you are logging in from a recognised device. So you don't need to enter a code every time.

It's a balance to ensure users are kept on side versus security requirements.

OneTC · 09/04/2022 11:56

My husband lays in bed moving his arm up and down to get his steps in for his watch which rewards him for doing steps. He gets a free coffee if he does 10K

LimeSegment · 09/04/2022 13:21

I'm normally all about workers' rights and against companies taking advantage but this is the pettiest thing I've ever heard. But what if I don't have a phone... But you do! But what if it can't run the app... But it can! But what if it's got no room... How are you planning on using your phone normally then if that's the case?

What's next... Your work didn't supply you with a pair of undies so you go commando every day?

DGRossetti · 09/04/2022 13:54

We also have it so the code remembers you for a bit if you are logging in from a recognised device. So you don't need to enter a code every time.

"Conditional access" - of which MFA is a single strand.

Good security should be almost unobtrusive. Getting someone to 2FA every single time is guaranteed to raise the annoyance factor (and thus non-compliance) with very little increase in security.

Same as the ludicrous change your password every hour and it has to be 40 characters long with upper, lower, number and symbols, no repeated characters, can't be a previously used one for the past 10 years and rhymes with "butter" in Sanskrit policies. Which are guaranteed to make people write them down ....
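
Added example, not part of any post in this thread: a minimal sketch of the conditional-access decision the posters describe (registered work device, work IP range, remembered MFA, out-of-hours monitoring). All names, addresses, device IDs and time windows are constructed assumptions; this is not Microsoft's or Google's policy engine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed values, not taken from the thread or any real tenant.
OFFICE_NETS = [ip_network("203.0.113.0/24")]   # stands in for "the work IP address"
REGISTERED = {"LAPTOP-0042", "LAPTOP-0077"}    # devices enrolled in the directory
NO_MFA_USERS = {"alice"}                       # staff with no second factor
WORK_HOURS = range(7, 19)                      # 07:00 to 18:59
REMEMBER_FOR = timedelta(days=7)               # "remembers you for a bit"

@dataclass
class SignIn:
    user: str
    device: str
    ip: str
    when: datetime
    last_mfa: Optional[datetime] = None        # last MFA pass on this device

def evaluate(s: SignIn):
    """Return (decision, flags); decision is 'allow', 'mfa' or 'block'."""
    flags = [] if s.when.hour in WORK_HOURS else ["out_of_hours"]  # monitored only
    on_site = any(ip_address(s.ip) in net for net in OFFICE_NETS)
    known = s.device in REGISTERED
    if s.user in NO_MFA_USERS:
        # No second factor: pin the account to a work device on the work network.
        return ("allow" if known and on_site else "block"), flags
    if known and on_site:
        return "allow", flags
    # Off-site or unknown device: a recent MFA pass counts only on a registered device.
    remembered = (known and s.last_mfa is not None
                  and timedelta(0) <= s.when - s.last_mfa <= REMEMBER_FOR)
    return ("allow" if remembered else "mfa"), flags

if __name__ == "__main__":
    t = datetime(2022, 4, 9, 10, 30)
    samples = [
        SignIn("alice", "LAPTOP-0042", "203.0.113.5", t),    # on site, work device
        SignIn("alice", "LAPTOP-0042", "198.51.100.7", t),   # same login, elsewhere
        SignIn("bob", "LAPTOP-0077", "198.51.100.7", t),     # remote, never did MFA
        SignIn("bob", "LAPTOP-0077", "198.51.100.7", t, t - timedelta(days=2)),
    ]
    for s in samples:
        print(s.user, s.device, s.ip, evaluate(s))
```
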

cakeorwine · 09/04/2022 16:25

Same as the ludicrous change your password every hour and it has to be 40 characters long with upper, lower, number and symbols, no repeated characters, can't be a previously used one for the past 10 years and rhymes with "butter" in Sanskrit policies. Which are guaranteed to make people write them down

There are plenty of ways to annoy users with IT policies.
