IT telling me I must install the Microsoft MFA app on my phone to access my work laptop.
On principle I don't want to. Because I am awkward. But how is an IT system's security reliant on personal phones?
But how is an IT system's security reliant on personal phones?
It isn’t, it’s just the easiest way of doing it. Would you rather carry 2 phones around?
It's an access point to their systems. Every access point is a potential threat.
Simple solution is do not use your personal phone to access work email.
No no, you misunderstand. I don't access anything on my phone, that's my policy. This is so I can access stuff on my laptop!
Simple solution is do not use your personal phone to access work email.
It is just a one time passcode algorithm that replaces those RSA hardware dongles we used to need. No security issue.
We had so much bleating about this at our place when we 1st changed from hardware token generators. If you don't like it get your arse into the office 5 days a week where you don't need it - funnily enough people soon got used to it.
IT telling me I must install the Microsoft MFA app on my phone to access my work laptop.
On principle I don't want to. Because I am awkward. But how is an IT system's security reliant on personal phones?
My sim died a few weeks ago, so I couldn't access the MFA thing. Our in-house admin changed the user from me to him so that he could receive the code and then told me what it was. That's how (in)secure these things are.
If you don't like it get your arse into the office 5 days a week where you don't need it - funnily enough people soon got used to it.
They need to give you a work phone if they want you to use a phone for work. Not a chance I would do that.
As someone who has to enforce this stuff - sorry - it's because you're more than likely already using your personal phone for MFA for your own stuff*, and it's far more convenient to ask you to add another account to an Authenticator app you already have and use than have to separate it out - it's simpler for a start because at least in theory you already know how that app works and what it's for.
I have a works phone for on call rotas (from long before MFA was mandatory), and my works authenticator is on there, but if I didn't I'd actually prefer everything to be on my personal phone. The Authenticator app isn't revealing my personal phone number to the world (unlike the on call rota) so I'd be happy for it to be on a personal device.
NB - and seeing that TJ has replied with similar to what he did last time this came up: It doesn't always have to be a mobile, but if it's Microsoft based then they push mobile app as first line of MFA because it's far more secure than SMS or Text. There are second line alternatives like FIDO2 tokens, but in Microsoft's stack you still have to have a mobile app in place as line 1. RSA tokens are no longer considered particularly secure, and certainly don't work with most modern systems.
Always easy enough to claim you don’t have a personal smartphone 🙂
Same at our place as of next week.
Already had emails and guides about installing Microsoft Authenticator app. 🙄
It's another one of those low-level embuggerances that ironically often makes things less secure. Like the stupid requirement still in force at some workplaces to change your password every X weeks. All it does is mean people go from Password17 to Password18.
We all have to use Microsoft MFA at work - it's nothing to do with using your personal phone for work - they don't even have my mobile number, but occasionally the laptop will ask for MFA, especially when working from home.
As someone who has to enforce this stuff - sorry - it's because you're more than likely already using your personal phone for MFA for your own stuff*,
Like what? The one and only reason I have MFA on my phone is for work. Nothing I do personally needs it.
My sim died a few weeks ago, so I couldn't access the MFA thing.
I have no idea why that would be the case, they don't need a network connection to work, mine works just fine with the phone in airplane mode. It is just a piece of software combining a token with the timestamp and creating a code, the same calculation is being done somewhere else - compare the two for a match.
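The post above describes the algorithm correctly: the phone and the server share a secret, each hashes it together with the current 30-second time slot, and the server compares the two results. The block below is an added illustration, not code from the original thread, and implements the standard HOTP/TOTP scheme (RFC 4226 and RFC 6238) that Microsoft Authenticator, Google Authenticator, 2FAS and similar apps all use for code-based MFA. The 20-byte secret is the RFC test secret, not anything from a real account; the verifier class and its replay tracking are my own additions to show what the server side has to do beyond "compare for a match".

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The phone never needs a network connection for this: it only needs the shared
# secret and a roughly correct clock. The server repeats exactly the same maths.
STEP_SECONDS = 30   # time slot length used by almost every authenticator app
DIGITS = 6          # displayed code length (the RFC 6238 test vectors use 8)

# RFC 4226 / RFC 6238 test secret, ASCII "12345678901234567890" (constructed
# test value, not a real account secret).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, then reduce to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time slot."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(text: str) -> bytes:
    """The secret inside a QR code / otpauth URI is Base32. Accept the
    lower-case, space-separated and unpadded forms that apps print."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side of the check: accept the code for the current slot or one
    slot either side (clock drift between phone and server), compare in
    constant time, and never accept a slot at or before one already used,
    so a code that was phished or shoulder-surfed cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_accepted_slot = -1

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        now_slot = int(at_time) // self.step
        for slot in range(now_slot - self.window, now_slot + self.window + 1):
            if slot <= self.last_accepted_slot:
                continue  # replay, or older than a code we already accepted
            expected = hotp(self.secret, slot, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_slot = slot
                return True
        return False


if __name__ == "__main__":
    # Same secret as shown on an enrolment QR code, in the Base32 form apps use.
    secret = secret_from_base32("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("phone shows:", totp(secret))
    print("server accepts:", TotpVerifier(secret).verify(totp(secret)))
```

The `window` of one slot either side is why a code that has "just rolled over" still works, and why a phone clock that is minutes out does not: the server is not being lenient about the secret, only about the timestamp. The replay guard is the part most home-grown implementations forget.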
I have no idea why that would be the case,
If IdleJon had MFA setup to send a text message to a phone then a buggered sim for that number would, well bugger it up.
Fair enough, I forgot about the archaic text OTP implementation. Maybe it would be better if you were moved to an app on your phone 😉
As someone who has to enforce this stuff - sorry - it's because you're more than likely already using your personal phone for MFA for your own stuff*,
Like what? The one and only reason I have MFA on my phone is for work. Nothing I do personally needs it.
Then a lot of your personal accounts are insecure. Absolutely anything financial of mine has MFA on it - banking websites, PayPal, the little bits of Crypto I do - plus rarely used email accounts. It may be out of date guidance now, but there used to be the adage that 99% of the regularly seen 'hacks' (stolen password and account compromises) could be prevented with effective MFA.
It might not even need to be the Microsoft app, the Google one or any number of other ones will probably work as well but the Microsoft one is nice for MS stuff as it just gives you a pop up on the phone that you accept. I'm surprised if anyone doesn't already have one on their phone already for things like Amazon or Paypal. A quick look at mine (I use the MS one for most things) and I have 30 accounts linked.
They need to give you a work phone if they want you to use a phone for work.
‘They’ really don’t.
If you need a phone to do your work then work HAS to supply one. What happens if you do not have one that is suitable? Do you have to go out and buy one?
Your work has NO right to expect you to use your own stuff for work. You can agree to, but they cannot make you.
edit: too slow, what pyro said
and double post, haven't had that in years
In the modern work environment security is important so it is good that the OP's employer is taking it seriously. There is no massive downside to having an authenticator app installed. It does not expose personal information or consume much in the way of resources and using personal devices is the simplest and cheapest way to do this.
There are plenty of big companies such as JLR and M&S that have been hacked which has had a big impact on them and may result in job losses.
If they were asking to install software that could track your location or snoop on your Internet activities then hell no but these auth apps (generally) do not do that.
If it is just for MFA tokens and I don't have to put a work profile on the phone then this would be OK by me. Easier than also carrying around a YubiKey or RSA tag.
Having said that, I also have a work iPhone and use the MS authenticator on that for work MFA.
IDK how folks manage without using MFA for personal things.
IT telling me I must install the Microsoft MFA app on my phone to access my work laptop.
On principle I don't want to. Because I am awkward. But how is an IT system's security reliant on personal phones?
If it's just MFA, it doesn't matter which one you use, you can use google if you prefer. However, if it's Intune MDM then say no, or **** off, or don't take the piss.
This is a big issue with IT / Industry at the moment, they want MFA and they want it app based because it's more secure than SMS, but they don't want to supply all staff with mobiles. TBH the industry 'uneasy standard' at the moment is that SMS messages are acceptable for users without supplied phones. Or, they provide things like YubiKeys
There are plenty of big companies such as JLR and M&S that have been hacked which has had a big impact on them and may result in job losses.
and Tesco.
Without knowing anything about these hacks are the CIOs and CFOs first on the 'moving on' list? These are the two C-suite folks who should have been planning and spending to prevent these events and minimise their effects on business.
My work said the same.
I use 2FAS Auth on my phone for personal 2fa stuff and did not want to install Microsoft Authenticator
So I just set up the work auth as another entry in 2FAS instead. It works fine.
From an employer perspective they really don't care what you use as long as you use something. I expect they would provide a shitty cheap phone for you to use just for this. It doesn't even need to have a network connection. But do you really want to have to keep another device charged just for the sake of being awkward?
I have over 300 users on the system here; I enforce authenticator MFA for everyone. It's the only supported form of MFA that we currently allow.
We have looked at crypto keys etc. but currently just use the authenticator.
We have lost money due to staff negligence where they gave away access to their accounts through phishing etc. Now with secure MFA this is much less likely.
Protects them and us.
I have way more personal accounts in my phone for MFA than ones relating to work.
There are NO downsides, only upsides.
You can be awkward and ask for an alternate method like a crypto key, but you're more likely to forget to carry that than your phone.
Like I say, I don't particularly care, it just seems quite funny.
I have no work apps on my phone because I don't like scrolling and seeing "workappTM" when it's a Sunday.
My petty workaround is going to be to set the push notification to full volume of me shouting "THIS IS THE APP WORK MADE YOU PUT ON YOUR PERSONAL PHONE CALLING"
👹
They could provide a YubiKey or similar. Or make you work on a desktop PC in the office rather than a laptop at home.
The mfa is for account access not the computer so you would still need one regardless of where they make you sit.
My petty workaround is going to be to set the push notification to full volume of me shouting "THIS IS THE APP WORK MADE YOU PUT ON YOUR PERSONAL PHONE CALLING"
Or... just don't have push notifications turned on.
And don't use the one work specifies, then it's not a work app. Bonus is you can use it to secure personal stuff as well.
Nothing I do personally needs it.
I think you need to examine that thought process. Plenty of stuff you do personally does need MFA and you'd be frankly stupid not to enable it (unless you don't do anything online that is).
It might not even need to be the Microsoft app, the Google one
Correct, Google Authenticator works just fine with MS. It's companies that insist on Duo that I find annoying as it's another app that has to be running.
If you need a phone to do your work then work HAS to supply one.
Doesn't work like that in the real world, as much as you might want it to.
Yeah we have accounts that require it too not just remote access.
We had a process for awkward buggers to whinge at their managers and insist on an old-school RSA dongle even though almost everybody has a smartphone. I've always worked on the basis that the less I bring inconsequential issues to my manager and waste their time resolving them, the better.
Plus if I have apps on my personal phone that I need for work nobody can complain when I am looking at crap on the internet during work time.
Nixie - it does for sure. As I said what happens if you do not have a smartphone?
There is always a workaround for folk, as Robola says. Work cannot make you use your own devices for work stuff.
What happens if you do not have one that is suitable? Do you have to go out and buy one?
They could provide a YubiKey or similar. Or make you work on a desktop PC in the office rather than a laptop at home.
If they make you work from the office, do they have to get you to the office in order to access the machines too? Or do you use your own means (car, bike, shoes etc.) to access them?
Same thing
We've been through/are going through this, and it's potentially not as trivial as it's described. At least one of the cyber hoops we jumped through (possibly Cyber Essentials+) wanted any phones used for business use to be on the latest version of the OS. Cue lots of discussions along the lines of:
[Company] You'll need to upgrade to iOS 99 (or whatever)
[Employee] My phone won't upgrade
[Company] You'll have to buy another phone
[Employee] My phone is fine, I don't want another.
[Company] We'll give you a phone
[Employee] I don't want 2 phones
In the end the cheapest option was some cheap wi-fi tablets (I currently have 7 different MFA applications installed).
There's a lot to unpick here, much of which has already been said.
Firstly, I'm kinda with TJ (and the OP) here in that if work requires you to have a tool to do your job then they should be providing it. What happens if you don't have a smartphone?
That said, adding a work-related MFA token to whatever authenticator app you already have is innocuous enough. It's not installing a work app, it's merely adding an entry into an app you should already have.
If you aren't using MFA for personal stuff then you really should be, certainly for anything you care about. Passwords are not fit for purpose. If your email is compromised then someone can go on an "I forgot my password" spree and pillage your life.
If they want to push Mobile Device Management to your phone then that's a hard pass and they absolutely should be providing you with a work phone - it will take over your device and it is by design a bitch to remove.
Incidentally, is the only form of communication with work / customers via the laptop (Teams etc)? What happens when you have an IT issue and can't log in?
When you say "to access my laptop" do you mean to log into Windows or to use apps? My personal Microsoft account no longer has a password at all, it's associated with my laptop via a PIN so is in effect inherently MFA. (Why aren't they using Microsoft Hello for Business?)
Yes there might be a work around but making a big deal out of something this minor is a stupid way of making yourself stick out. Also what happens on the day you forget the alternative method? IMO refusing this kind of request is akin to expecting your employer to pay for shoes if your job required you to walk around the office lots or to pay for your suits because they require business dress? Also the number of people without smart phones is vanishingly small now.
I wrote about this, it'll save some typing.
Old McDonald Had a Password, M, F, M, F, A. – Blue Team Hackers
At least one of the cyber hoops we jumped through (possibly Cyber Essentials+) wanted any phones used for business use to be...
"Used for business use" as in having an MFA token or using Office etc apps?
From the other POV at least one major US tech company manages to supply all their employees with multiple security tokens. Without them they can literally do nothing other than splurge on the free office food.
It is petty as you say in the title OP. Refusing is a bit like saying I’ve got keys to the office so they need to provide me with trousers to keep them in.
I expect if you make a fuss they will give you a phone that you will need to carry in addition to your personal one and don’t be tempted to use it for anything other than work as I imagine they can also be a dick about things if they want to.
I kind of agree that they should provide you with a phone but the cost of providing mobiles and contracts for all staff will be prohibitive and not enforcing MFA will leave them vulnerable to attack. If they get Ransomwared and go bust/have to make you redundant, because everyone refused to use their phone to generate a code then presumably you’d wish you used MFA on your phone…
IMO refusing this kind of request is akin to expecting your employer to pay for shoes if your job required you to walk around the office lots
Would you pay for your own boots and assorted PPE if you walked around the factory floor a lot?
Nothing I do personally needs it.
I think you need to examine that thought process. Plenty of stuff you do personally does need MFA and you'd be frankly stupid not to enable it (unless you don't do anything online that is).
You are correct, of course. I do MFA so routinely on my iPhone that I don't notice it.
I would say that if you genuinely feel it's too much of a problem to have an app on your personal phone that you use for ten seconds every week or so then
a) You're working for the wrong company if their culture makes such a minor thing a point of principle
b) You are the problem, not your company
we have lost money due to staff negligence where they gave away access to their accounts through phishing etc, now with secure MFA this is much less likely
Sorry, point of order, but no, you lost money because of your ineffective cyber security. Phishing attacks and other versions of cyber crime can be incredibly sophisticated. Accusing staff of negligence because they happened to be the victim that day is unfair.
Likely scenario - a phishing e-mail got through e-mail security to the end user. A link within that e-mail wasn't scanned and blocked. They clicked on the link and were able to go to a fake site because it wasn't protected by a DNS filter. They had their login stolen because you hadn't enabled one of a few ways to use MFA with, or without using someone else's device. Any one of those standard measures would have prevented this happening. Don't blame the users. They're not cyber crime experts. Many kinds of spear phishing attacks with a MITM element won't be prevented by MFA alone.
Sorry, point of order, but no, you lost money because of your ineffective cyber security.
Maybe ... or maybe in spite of significant investment in tools, processes and training, the staff member was negligent in their personal responsibility to recognise an attack.
Would you pay for your own boots and assorted PPE if you walked around the factory floor a lot?
In recent times if I have to use a phone for work it's either provided to me, or if I have a choice, they pay my personal phone bill and I use one phone. Things definitely get exciting with apps then though, and on the whole I'd rather have the work phone that I can leave at home when I'm not working.
In the old days, I had a pager. And I damn near got caught cause my beeper kept beeping.
Sorry, point of order, but no, you lost money because of your ineffective cyber security.
Maybe ... or maybe in spite of significant investment in tools, processes and training, the staff member was negligent in their personal responsibility to recognise an attack.
If every attack could be recognised, then cyber crime wouldn't be a $10tn a year 'industry'.
I have the Authentication App installed already as I use it for personal stuff. It's no biggie really.
Would you pay for your own boots and assorted PPE if you walked around the factory floor a lot?
The company are asking to use your smartphone, not buy one. The vast majority of employees will have a smart phone so aren't being asked to pay for anything. The few exceptions can be dealt with as such.
Thanks OP. You reminded me I had expenses to put in at work on my work laptop but accessed with an authenticator on my personal mobile. All sorted now.
Prefer the Google authenticator, which is totally offline, and should work in airplane mode too.
I only used that for work stuff, cos I had it installed already for other MFA stuff, and it literally is just a number generator. Although most of the team were reluctant to use personal phone for anything work related.
Also when you get a new phone, all the profiles simply appear on the new phone. M$ authenticator was a royal pita and in the end I just gave up and regenerated new MFA profiles.
Would rather use a Yubikey or similar.
If you don't already have Google or MS Authenticator already installed and used for personal stuff, then I wonder about your own personal security.
I work for the same company as the OP and I felt the same when the initial email came round the other day.
I've got the Microsoft authenticator app already though so it's not a problem.
Does feel a bit cheeky for work to just assume everyone is happy with that though.
I've had problems with my personal Microsoft account and am locked out of it because of the MFA, and MS are ****ing useless and seem to just refuse to sort it out. Read this web page and do this, ok I'll do that, no you can't do that you have to give us all this info, ok here have it all, oh we ignore all that because you have MFA enabled, but I can't log into MFA, oh you need to do this and give us all the info we ignore because you have MFA enabled!!!!!!!!!
****ing ****s!!!!
Does your employer require you to have an ID card or pass to access the premises? Did you moan when they gave you one which you have to carry around with you outside of the premises so that when you get there you can get in? It really is just a modern version of that.
At the end of the day, if you don't want to do it, you can always get another job, your employer is unlikely to care very much to be honest if you are not willing to do something so minor.
I would say that if you genuinely feel it's too much of a problem to have an app on your personal phone that you use for ten seconds every week or so then
a) You're working for the wrong company if their culture makes such a minor thing a point of principle
b) You are the problem, not your company
Christ did you hack my appraisal form?
I don't think it's a problem, it's more the cheek of an email that basically said "today everyone must install an app on their phone for our security". I mean I'll do it, but I do think it's interesting that security requires personal devices. But I do genuinely hate reminders of work when I am not working. I quite like my work and everything.
I've forgotten my phone before now. But if I miss a day's* work because I forgot my personal phone, I expect to be paid in full? If it was a work phone like my laptop, if I forgot that I'd probably be making up the hours.
*I can't foresee a situation where that could happen.
My previous employer tried this (plc making 100s of millions). I was very vocal in saying no. Compromise was receiving a text code when logging in when not in the office. No work app or software on my phone.
Does your employer require you to have an ID card or pass to access the premises?
No? But then equally they gave me a card to use; I can keep it in my work bag until needed, why would I moan.
This is more like you only get in the building if you swipe your Clubcard but I shop at Waitrose.
My previous employer tried this (plc making 100s of millions). I was very vocal in saying no. Compromise was receiving a text code when logging in when not in the office. No work app or software on my phone.
This was essentially the announcement of that ending.
I have no work apps on my phone because I don't like scrolling and seeing "workappTM" when it's a Sunday.
You know, if your company uses proper MDM and you are on Android, it'll set up a 'work profile' with work versions of all your apps segregated from your personal stuff. This is more secure, but importantly you can turn off the entire work profile with a button - for weekends and evenings etc.
I find attitudes to employers slightly odd. Unless you are independently wealthy and are working for fun aren't you reminded of work every time your mortgage payment goes out, money magically appears in your bank account or your personal phone bill is paid.
IDK how folks manage without using MFA for personal things.
They get their accounts compromised a lot that's how ...
OP - just live with it or work in the office 5 days - ms and google are now thankfully enforcing mfa everywhere (about time too)
My work pass is an app on my phone. Means I’m much less likely to lose/misplace it. They don’t provide me with a phone, or mandate that I have to have the app, but if I don’t, I can only get into the office when someone else is there which isn’t convenient for me.
I have a folder for maybe 6-8 work apps, so it's easy to ignore. None of these apps are mandated, but they make life easier for me. To refuse them on principle seems silly to me.
I find attitudes to employers slightly odd. Unless you are independently wealthy and are working for fun aren't you reminded of work every time your mortgage payment goes out, money magically appears in your bank account or your personal phone bill is paid.
I always kept a 100% solid barrier between work and home. Never mix the two at all in any way. Requiring me to use a Microsoft or google app on my own phone would not be acceptable to me.
It's lazy and cheapskate from the employer - and a security risk as they do not control that device.
They need to give you a work phone if they want you to use a phone for work.
‘They’ really don’t.
If you need a phone to do your work then work HAS to supply one. What happens if you do not have one that is suitable? Do you have to go out and buy one?
Your work has NO right to expect you to use your own stuff for work. You can agree to but they cannot make you
There are lots of jobs which expect you to provide your own tools. Now there may be an interesting point if you've been there long enough to get employment rights, but they don't have to give you a job at all. And the next employer may have written it into their policies before you arrive! I suspect most companies have a way of dealing with the stubborn **** who refuses to use their own phone for MFA - and it probably involves someone buying the cheapest, shittiest, heavy, bulky Android phone they can find to teach you a lesson.
Feel free to explain the security risks to the IT professionals on the forum…
I find attitudes to employers slightly odd. Unless you are independently wealthy and are working for fun aren't you reminded of work every time your mortgage payment goes out, money magically appears in your bank account or your personal phone bill is paid.
I always kept a 100% solid barrier between work and home. Never mix the two at all in any way. Requiring me to use a Microsoft or google app on my own phone would not be acceptable to me.
It's lazy and cheapskate from the employer - and a security risk as they do not control that device.
I do not know enough to do so but two essays on the net from HR and IT pros said there was. I think theft of phones was the main one.
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
Which I would be fine with. That phone would never leave my workplace.
You are correct, of course. I do MFA so routinely on my iPhone that I don't notice it.
Which is a problem in itself. Once it becomes "don't notice" then it's an exploit waiting to happen and a strong argument for not having work stuff on a personal phone.
Have had a few fun conversations with the security team that they need to get on top of the "MS and Okta are bored so are going to trigger some random request for Outlook/Teams/SharePoint" thing, since if it throws them up every five minutes then I will just tick yes and not notice it's asking for access to CyberArk.
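The habit the two posts above describe, approving push prompts without reading them, is exactly what "MFA fatigue" or push-bombing abuses, and it is something the identity team can watch for in sign-in logs rather than leaving to the user. The block below is an added example, not code from the thread or from any vendor, that runs a simple burst detector over constructed sample log lines: it flags any user who received an unusual number of push prompts inside a short window, and highlights the worst case, a prompt approved after the user had already refused several. The log format, user names, application names and thresholds are all assumptions for the demonstration; real Entra ID, Okta or Duo logs carry the same fields under their own names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample push-MFA log (not from any real tenant). One prompt per
# line: when it was sent, to whom, for which application, and the outcome.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z user=alice app=outlook result=approved
2024-03-04T09:00:40Z user=bob app=teams result=approved
2024-03-04T13:15:02Z user=alice app=sharepoint result=denied
2024-03-04T13:15:31Z user=alice app=sharepoint result=denied
2024-03-04T13:16:05Z user=alice app=sharepoint result=timeout
2024-03-04T13:16:44Z user=alice app=sharepoint result=denied
2024-03-04T13:17:20Z user=alice app=cyberark result=approved
2024-03-04T14:02:00Z user=bob app=outlook result=approved
2024-03-04T17:30:00Z user=bob app=outlook result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[Dict]:
    """Turn the assumed key=value line format into event dicts with a real
    datetime; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_push_fatigue(events: Iterable[Dict], min_prompts: int = 4,
                      window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Per user, look for a run of at least `min_prompts` prompts that all fall
    within `window` of the first one. A normal user gets one prompt per sign-in;
    a burst means either a broken client or someone else holding the password
    and hammering the approve button on the user's behalf."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= window:
                j += 1
            burst = evs[i:j + 1]
            if len(burst) < min_prompts:
                i += 1
                continue
            # Approval after earlier refusals is the pattern that needs a call
            # to the user and a review of the session that got approved.
            seen_refusal = False
            approved_after_refusals = False
            for e in burst:
                if e["result"] != "approved":
                    seen_refusal = True
                elif seen_refusal:
                    approved_after_refusals = True
            alerts.append({
                "user": user,
                "start": burst[0]["ts"],
                "prompts": len(burst),
                "refused": sum(1 for e in burst if e["result"] != "approved"),
                "approved_after_refusals": approved_after_refusals,
                "apps": sorted({e["app"] for e in burst}),
            })
            i = j + 1  # do not re-report the same burst from its later prompts
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The detector is deliberately dumb about content: it looks only at prompt rate and the deny-then-approve sequence, both of which are visible in any push-based MFA log. The complementary control on the phone side is number matching (the prompt shows a number the user has to type from the sign-in screen), which Microsoft Authenticator now enforces and which turns "tick yes without looking" into something the user physically cannot do.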
It's precisely those sort of things MFA is designed to avoid, and the Post-it notes with the password, or the same login which everyone in the same office uses, etc.
Same at our place as of next week.
Already had emails and guides about installing Microsoft Authenticator app. 🙄
It's another one of those low-level embuggerances that ironically often makes things less secure. Like the stupid requirement still in force at some workplaces to change your password every X weeks. All it does is mean people go from Password17 to Password18.
I watched a customer screen share and login to their system today with a password which did the character visible for 0.2 seconds thing - it wasn’t a particularly imaginative password either… I hope they have MFA enabled because there were 17 people on that call - half of them from outside his company and he does this sort of call several times a day!
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
Which I would be fine with. That phone would never leave my workplace.
Assume any work equipment you were issued would never leave your workplace? So you wouldn’t need the phone, as your kit would always be connected to the work network. I imagine most of the folk advocating the use of MFA apps aren’t forcing themselves into work everyday, and can work away from the office at their convenience. You may feel different if you did too.
So you wouldn’t need the phone, as your kit would always be connected to the work network.
That's not how it works.
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
I'll start with I refuse to have any work things (apart from the odd STW post) on any personal devices. This isn't really down to any easily definable binary logic, it's just part of how I maintain healthy barriers (from a personal and subjective perspective) between being at work, and not. Where exactly those barriers are for each of us is entirely dependent on the individual, and not a 3rd person commentating.
I didn't actually have IT seeking out the worst phone they could find, it's what I asked for. I think it's actually 3rd hand, but as all it's doing is taking MFA requests and the odd spam call that's ok with me. If I worked somewhere that didn't want to provide a dirt cheap phone, well, they probably aren't the employer for me unless the pay is good, when I'd just buy a dirt cheap handset on PAYG. I only got the current handset as my previous was not 4G and the network switched off.
I'm sure some other posters will dismiss this as daft, over the top, but, well... they can go **** a duck. If it helps me keep my work stresses from negatively impacting my mental health it's what I'm going to do.
Assume any work equipment you were issued would never leave your workplace? So you wouldn’t need the phone, as your kit would always be connected to the work network. I imagine most of the folk advocating the use of MFA apps aren’t forcing themselves into work everyday, and can work away from the office at their convenience. You may feel different if you did too.
Huh, I don't get stuck into the set up of MFA that much apart from users accessing 3rd party stuff. This reads like your employer has set something up so if you connect to the office Wi-Fi no MFA is required? That certainly is not the case with my employer, makes no difference whether you're in office or not
So you wouldn’t need the phone, as your kit would always be connected to the work network.
That's not how it works.
Oh and too late to edit but I’ll bet that TJ’s reports from HR (???) and IT Pros are about accessing corporate data on a personal phone, which IS a security risk and any security conscious organisation will actively block this.
As I said, I do not know enough about this stuff to have an informed view really - I can only go with what others say, including those of you with knowledge here. These are some of the articles - it was late last night and I had been at the beer when I made the post, so I couldn't be bothered to look it up again then.
With the increasingly common use of 2FA (Two Factor Authentication) to enable access to secure sites and apps storing sensitive and critical data, mobile phones are a valuable tool. And in this case even employees who are not required to constantly make outbound calls, a personal phone is a point of significant vulnerability. Should the device be lost or stolen, these critical enterprise apps could be accessed by criminals or bad actors using 2FA on the device, with the risk of fraud, theft, and again heavy fines.
Also ICO guidance.