Expectation of using personal mobiles for work security

[SickOFant]

My work email system is moving to a multi-factor security check because of a couple of security breaches (both of which were the fault of IT, not individual staff).

The idea is we'll put in our password on laptops or PCs but this will then send a 4-digit code via text to our mobiles which we will then have to type in, which will allow us into our emails.

I don't have a mobile phone. Even if I did have done, I wouldn't want my personal mobile phone number linked in any way with my work or work emails.

IT have said that there is no work-around to this, that receiving a text message will be the only way of accessing emails. I have refused to buy a mobile phone just for this purpose and my employer has refused to buy me one for this purpose.

So now we're in deadlock. I would really appreciate any advice on how I should best handle this.

Thank you

You'll either have to use your bosses number to get the code or they'll have to get you a mobile. But if you get locked out it'll be your bosses phone you need to get back in to the emails.

Surely someone has an old phone lying around you can just pop a free SIM card in?

@crustycrab I should've said that my job isn't 9-5, office-based so I can't use anyone else's phone for this as I can go weeks without seeing any colleagues if I'm working from home or our paths don't cross. Plus I don't log into emails first thing and keep them up all day, I check them sporadically all hours of the day/evenings/weekends.

Can’t you receive text messages on your landline (which I assume you must have if you’re posting on here without a mobile)? It always used to be possible to. Failing that a basic Payg mobile will cost you a few pounds and if you only use it for this then it’s not linking a personal number to work - whether it’s worth a battle with your employer over for me would depend on whether you’re in a low paid/minimum wage role (in which case they should pay) or a professional with a decent salary in which case I would just suck it up personally.

Don't have any practical employment advice, but 2 factor authentication is becoming mainstream for more security for people out in the field, so it may not be because of a fault from IT just a standard upgrade.

I would just bite the bullet and get a mobile phone, I doubt they will turn off 2 factor authentication just for you, it doesn't really matter why it has been implemented as it is now a standard security feature.

There really isn't anything you should be doing. If work require you to have a mobile phone then they must buy you one. It could cost them as little as £20 for a basic non-smart phone, however, to keep most pay as you go mobiles active you need to top up within a certain amount of time. It should not be costing you anything so they'll need to do that too.
Ownership of a personal mobile phone (especially for work use) was never the requirement for your job so if they want to change the goal posts then they need to stick their hands in their pockets and buy you one. Perhaps you should give your boss's number to the IT team and then place a call to your boss every single time to ask what the code he/she has been sent?

@Iorderedyouapancake Oh I don't know if I can receive texts on my landline, I've never tried it. I know it's petty but I absolutely refuse to use my own money to buy a mobile phone purely for work. If it's only a few pounds, they can buy it for me!

@Justanotherlurker We had a talk about it the other day and were explicitly told that this was being brought in because IT accidentally made the Google Drive open to everyone meaning that everyone in the organisation (it's a university, this included students) could access everyone else's documents, and also because someone from IT accidentally downloaded every email sent/received by the everyone in the university.

@OchAyeThaNoo Ownership of a personal mobile phone (especially for work use) was never the requirement for your job so if they want to change the goal posts then they need to stick their hands in their pockets and buy you one.

That's a really good point, thank you!

Use your landline in the morning and don't log out.

Do you use online banking, the banks are all going to 2 factor authorisation, it might be worth getting a £10 phone for that.

Ask your employer for a "dongle RSA token"
It's a physical device which randomly creates PIN numbers

You can also do this on RSA mobile phone

You can only use hard tokens (or indeed, soft tokens) if your workplace has it set up to do that. So you can ask them for an RSA token, but if they haven't set it up with a system using them, they might not have one available.

We currently have the option of hard or soft tokens, but the previous system was soft tokens only. They could be installed on PCs/laptops or tablets or mobile phones. Theoretically, they shouldn't be on the same device that you'll use to log in.

The technology is available; that doesn't mean the technology is all available in your organisation.

Thanks for all of your comments on this, really helpful. I''m not sure whether the RSA token (had to Google this) is possible. I'll follow this up.

My bank has two-factor authentication but they call my landline with a code. That's fine because I'm not logging into online banking multiple times per day and never when I'm out of the house like I do with my emails.

The idea of logging in and keeping my emails up all day brings me out in a cold sweat. I received 72 emails yesterday - closing my emails is absolutely vital for getting work done!

By keeping logged in to your email I mean keep it minimised on your laptop, as an aside sure that's the normal way of working, people don't log in and out all day do they? Check it when it suits you, you don't have to be looking all the time.

Just a suggestion to solve your problem.

I would absolutely not budge on this - if your company has said you need a mobile phone to do aspects of your job, then they need to provide you with one!

I say this as someone with a personal smart phone I am glued to - I still have a separate work mobile.

Check your workplace IT policy carefully as well - for ours they say that if we use our personal mobile for work purposes then we automatically give them the right to browse through our phone at any point. Fuck. That.

@PleasantVille Our work emails are through Gmail so its on your web browser rather than a separate programme like Outlook so not as easy to minimise if you see what I mean.

Most people in my line of work (academic) will check emails two or three times a day rather than keeping them up all day.

@Dyrne Check your workplace IT policy carefully as well - for ours they say that if we use our personal mobile for work purposes then we automatically give them the right to browse through our phone at any point. Fuck. That. Blimey. I can't let that happen, they'd find out how much time I spent on MN

OK, I was only coming at it from a IT security aspect, I would imagine heads have rolled in the IT side of things if not you need to whistle blow it, it does however sound like they have just beefed up the security and added 2 factor authentication, your number will not be visible or tied to work emails.

I'm not offering any employment advice but you must be on the ludite side of things, if you are rarely in the office and do not own a mobile phone, even just for your personal online accounts it is something you should look into.

You will be no more tied to your work emails via adding this new security measure than you already are, considering mobile phones are part of GDPR it isn't some clandestine measure you think it is, and you should probably get one just for your online banking.

If you are wanting work to provide one then that's more caveats of employment, wanting IT to alter security just for you when it is becoming industry standard however will be a dead end, they will not have taken on this 2 factor authentication lightly.