So, from a skim read, those articles are talking specifically about BYOD (Bring Your Own Device), which is generally understood to mean using your own device to access corporate data and as per my post above is a “no”. What they are saying in the article is that MFA will not protect the corporate data if it is accessed on a personal device, that also has the MFA authentication tokens, when it has not been properly secured and a bad actor has gained access to the device.
there are lots of jobs which expect you to provide your own tools.
And this will be reflected in the tax system in use where expenses for work equipment can be reclaimed. Good luck with trying to claim back anything phone based from HMRC.
I'm with TJ, if work needs something specific for IT use work provides the necessary equipment. With YubiKeys at £50 inc VAT before volume discounts it's a cheek to ask your workforce to further support the bottom line.
The system I support is vulnerable because the owner doesn't like the faff of MFA, I've secured my account as it's the Admin one but everything else is password only. (There was a bit of a battle about social media and Google accounts that needed some risk explanations before they were secured).
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
I think an element of pragmatism is required and the employer might reasonably assume that most people will be fine with it as it costs the employee absolutely nothing to comply. One might argue that most employers offer more than the statutory minimum holiday, sick pay, etc etc so asking the employee for a bit of leeway here is not unreasonable. It will not introduce any significant additional wear and tear on the device so really a minor inconvenience in the general scheme of things. I 100% agree that if they were asking you to use your device for doing actual work then that is unreasonable but this IMO is not.
The system I support is vulnerable because the owner doesn't like the faff of MFA, I've secured my account as it's the Admin one but everything else is password only.
Oh dear. It's probably only a matter of time before he/she re-evaluates that against the faff of recovering all their data/paying a massive fine/losing his/her business entirely.
but as usual you are projecting from your workplace environment - a job which is done in person, in a specific building to every other employer and career in the world. I seem to recall that you at one point were working across multiple sites - and so that bulky device would be inconvenient for you to carry. Even moving between wards a discreet device would probably be handy.
and it probably involves someone buying the cheapest, shittiest, heavy, bulky android phone they can find to teach you a lesson.
Which I would be fine with. That phone would never leave my workplace.
now from a security perspective which is better “TJ’s” company brick that he leaves on his desk charging and which anyone in the office can “borrow” and probably learns the PIN number quickly! Or a device that is personal to the individual and likely is neither left unattended nor the password/face/finger security bypassed for random colleagues. The entire principle of MFA is about something you know (your password) and something YOU physically control. As soon as that device becomes another “post it note” left for all and sundry to access you’ve broken the system. Of course it should be locked away if not in use, you probably should have something more than 1234 as the PIN code and never tell it to anyone - but IT security have to deal with the reality not theory because the consequences of a breach are potentially far higher than someone getting unauthorised access to the pool car or drugs cabinet.
of course it’s easy for a person who is retired to declare they would never put up with it; just as it is easy for someone in the public sector to say they must provide you a device. The rest of the population live in the real world and need to pay their bills and don’t necessarily see everything their employer does as an attack on them: it’s perfectly legal for an employer to say it’s a condition of working for us that you must have a smartphone and it must run a particular app - in many hospitality jobs without that you wouldn’t get any shifts, in some places you use the app to clock in and out, and certainly the employment tribunal panel are likely to have done exactly the same to access the court IT system so probably not going to have too much sympathy! Misinforming people of their rights doesn’t help them.
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
Unless it's PPE, this is a bit of a public sector/uniform thing and HMRC will bung you a few ££ to wash it. People who weren't public facing opted to wear their own clothes at their own expense.
Investigators who didn't wear uniform were entitled to a (very) small allowance that might just about keep them in y-fronts
A guy I used to work with had his hair cut during work hours, "Well, it grows while I'm at work"
The rest of the population live in the real world and need to pay their bills
Those bills don't include some the employer should pay. It takes time but they can be educated that work equipment is supplied and replaced by work. I go out to ensure Sanwich Inc can afford some shiny things along with the household bills only. Too many in the world of work don't see that they need to pay their way, this is a fallacy. If a business will fail because it relies on "free" stuff it's not a viable business.
Back to MFA apps:
I think that my phone does MFA through my apps; banking, email, etc. because all need the phone to access the content.
If I go on the bank website then I either use a card reader/number generator gadget or the app to supply a code. So far, so good (I think)
For other stuff:
Does it matter if I use the MS app to access Google services via website (and VV), i.e. one app only?
What happens if I lose the phone? Does this mean that I'm effectively locked out of everything? I can ring the bank, but what about MS, Google, etc?
And this will be reflected in the tax system in use where expenses for work equipment can be reclaimed. Good luck with trying to claim back anything phone based from HMRC.
I haven’t checked but I expect the rules on tools are actually similar - if the tool was mainly used for non work activity but incidentally used to help a work task then it will not be tax deductible! So if you genuinely are the one person of working age in the country without a smartphone and whose job involves using a computer I’m sure HMRC could be persuaded that buying a £50 Android phone (but not the SIM card - it should work for MFA with WiFi only) was an essential business expense.
that’s fine when the time comes for pay reviews your employer will know who goes “above and beyond” for the company and who spends more time arguing about the fact they were still in the office at 1701 and had to use an app to authenticate. The same employers may have to consider policies about working from home or allowing personal mobile phones to be carried in the office. It’s not a war but you can make it one. Best to do that in boom times when the market for employees is in your favour!
in terms of workplace unfairness this is so low down on the spectrum of problems - go ask someone in hospitality where shifts get cancelled 15 minutes before you start or people get sent home because it’s quiet (without compensation) or where asking not to be rostered for a particular day gets you labelled as difficult and used less often. Those are the fights worth having. Those are the people getting paid minimum wage and exploited not someone who is probably occasionally posting on STW on company time!
What happens if I lose the phone
Some services allow you to use the MS app on more than one device. For my work I have it on my own phone and a work-provided tablet. We’re required to use it for logging into everything, both on and off site, so it’s used multiple times per day across both devices.
Having said that, I have resisted attempts from some of the websites I use to set up a passwordless login because of the potential hassle of being tied to one device if that device is then lost.
but as usual you are projecting from your workplace environment - a job which is done in person, in a specific building to every other employer and career in the world
Actually I am thinking from the point of view of trade union and employment law. But hey ho - continue to enjoy your Stockholm syndrome
I'm obviously a bit stupid but if you don't want to use a phone for 3rd factor authentication what do you suggest you do instead? A totally separate device.
Do you actually understand what's trying to be done here?
you are still projecting from your bubble of a trade union protected industry - it’s not the 1970s most of us don’t actually work for employers where unions carry the sway they do in the public sector. But do tell us where in employment law it says it is illegal to ask your employees to use their own personal phone to authenticate logging in to your network? Next time an NHS trust suffers a major security breach perhaps someone will pause to think whether the staff made it harder for them to introduce very simple processes that actually cost the employee nothing that protect patient data.
What happens if I lose the phone? Does this mean that I'm effectively locked out of everything? I can ring the bank, but what about MS, Google, etc?
I can’t speak for the MS one but the Google one has an icon (a green cloud with a tick) which confirms the codes you have are being synchronised to your Google account - there is a process to restore them to another device. I assume MS have something similar. Many individual services will offer a fall back option like one off barcodes to be used for disaster access.
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
Only if I can claim for the Y Fronts on expenses
But do tell us where in employment law it says it is illegal to ask your employees to use their own personal phone to authenticate logging in to your network?
It's not illegal to ask nor is it illegal to refuse. It would be illegal to penalise a person who does not or cannot do this. As above what happens if you don't own a smartphone? What happens if you do not want your phone to connect to google?
Again - enjoy your Stockholm syndrome. perhaps you should unionise? 🙂
As above what happens if you don't own a smartphone? What happens if you do not want your phone to connect to google?
If you don't own one then I would imagine the employer would provide you with an alternative method as an exception.
It doesn't connect your phone to Google/Microsoft/ANOther MFA token provider (unless you use their services for backup purposes). It's just an app provided by them in order to make it easier for users to secure their data.
You are right that they can't force you to legally but like I said a degree of pragmatism is required. When considering the implications of enforcing MFA the CEO/person in charge will have made allowances for the minority who refuse and will have an acceptable (from a security perspective) alternative that they can enforce.
Why on earth are you blathering on about Stockholm syndrome? Being at work doesn't have to be a constant adversarial tussle. Jobs are quite useful things to have if you haven't yet retired. I see these attitudes most commonly in people who have been at one company their entire career. If you've ever been on the wrong end of redundancy and struggled to find new employment with a family to support then you tend to have a different perspective on the place that pays your wages.
But hey ho - continue to enjoy your Stockholm syndrome
By your own admission you don't know enough about the subject to actually have an informed opinion, and yet you're more than happy to throw the petty insults around at people who don't share your black/white world view. Perhaps it's time to leave the thread when your position is well understood by everyone and you don't appear to be able to be persuaded otherwise?
By the by; Access to the NHS email account now requires MFA if you log in via the web-page.
As I said I do not know enough about this stuff to have an informed view really - I can only go with what others say including those of you with knowledge here.
TJ - those are addressing a different risk - allowing users to access company data from their own phone. Security professionals have mixed views on that from unimaginable to manageable with the right tools. In part it depends on the sort of data - but we aren’t talking about accessing company systems from the phone here we are talking about an app that generates a seemingly* random code which verifies you have access to a device you have previously set up to generate those codes. Same concept as the card reader you possibly had for online banking 10 yrs ago.
(* they aren’t actually random - but there is no realistic way for anyone to find the codes without the trusted device)
there is still a risk that I lose my phone (or have it stolen), have no or insecure password set and don’t alert IT before someone who has also obtained my password now accesses the systems. Ultimately you can point a gun at my or a loved one’s head and I’ll log in for you - so no system is totally secure.
It’s no less secure on a personal device than a work one - possibly more so as people are likely more careful with personal devices, don’t leave them lying in drawers etc. Company data never touches the device and the device does not need to connect to the company network.
It's not illegal to ask nor is it illegal to refuse. It would be illegal to penalise a person who does not or cannot do this. As above what happens if you don't own a smartphone? What happens if you do not want your phone to connect to google?
Genuine question - has anyone's company actually stated that an employee will be penalised for not complying or are they just trying to operate pragmatically in a tech enabled world?
Again - enjoy your Stockholm syndrome.
Balanced nicely against a world of paranoia and anti-establishment.
If I still worked I would be very happy that my company cared about IT security, even if it meant the very, very slight inconvenience of having to use my phone to log in. Look at all the hacks that have happened in the last year. Any one of them could have resulted in the company completely failing, and putting everyone out of work. Obviously, it's never said how these hacks happened, but adding MFA must reduce the chance of it happening via a user logging in from home.
Obviously, it's never said how these hacks happened, but adding MFA must reduce the chance of it happening via a user logging in from home.
One more time with feeling.
It's
Nothing
To
Do
With
Working
From
Home
🤣
Whatever, the point is still valid (to me).
Why on earth are you blathering on about Stockholm syndrome? Being at work doesn't have to be a constant adversarial tussle.
I think this is the key point for some folks. It's not about working from home or the technical aspects of what is actually happening (all that is happening is that you are using a device that you own and always have with you to say it is you logging in). It's more that some people like a really hard separation between their work and their personal lives and it's an emotional thing. I imagine any sensible employer would have ways of handling that. For me it is much easier to have one device that I keep charged and which I always carry with me anyway so it is zero additional burden. My work is already part of who I am and I don't have separate work and personal lives à la Severance.
Ta leffeeboy, that's the point exactly.
You've got two choices.. Install Microsoft or Google authenticator on your own phone or the company will have to provide you a company phone for authentication purposes.
MFA is sadly a fact of life.
Personally I use the Google one and you can hook that up to work with Microsoft Auth with a bit of jiggery pokery.
What's the lowest level of phone you can run those apps on? Pretty low I imagine. You'll need another SIM though.
Does it have anything to do with working at home? Well if it turns out you're working at home, but haven't done anything as you can't login on the grounds of personal ethics you might be in line for a tricky chat -)
Does it have anything to do with working at home?
Not really
I'd install it. I have a work phone as a complete separation, I'm not tempted to catch up when not working. Teams, Outlook etc are on there along with authenticator.
All my team and managers have my own number if they really need me or want to chat crap.
What's more annoying is having to be pinged a code to Outlook on my phone (or a text or call) each time I log into Edge, Outlook, Teams, PowerApps, SharePoint following a data breach elsewhere within the group. Each morning I'd forget, run along my start bar and open the apps up, only to be greeted with multiple requests that I'd have to cancel then run through one by one. That issue has improved now but I normally get one while in a meeting and have to share my screen only to be greeted by a log in request. The worst is Outlook on my phone asking me to put in the code sent to Outlook on my phone ... SMS it is then.
TJ has a very militant attitude to work, and he seems to assume that it's all evil bosses abusing us. I don't see it that way. I am part of a bunch of people who are all working towards a common aim which is helping out other people in their jobs. I don't mind this at all. If you came to me and said 'I can't work out where this creaking is coming from on my bike' I'd have a look and help you figure it out. That's more or less what I do at work, only I get paid for it. I just did a bit of learning for something that might help me do my job better, primarily because I'm really interested in it.
I think if I felt the way that TJ seems to think about my workplace I'd find a different one - I can't stand to do a job I'm not interested in, but conversely if I am interested in it I don't mind thinking about it.
Each morning I'd forget run along my start bar and open the apps up only to be greeted with multiple requests that I'd have to cancel then run through one by one
Your organisation needs to seriously consider implementing SSO on an Entra joined device.
I think if I felt the way that TJ seems to think about my workplace I'd find a different one - I can't stand to do a job I'm not interested in, but conversely if I am interested in it I don't mind thinking about it.
Whereas I find my job interesting and I like it, but it gets left at the door and I like to come back refreshed.
I deal with this at my work, in our small team of devs 1 doesn't own a mobile and one doesn't want to use their personal mobile for MFA. Both have been offered cheap works mobiles to use instead. It's not hard.
Incidentally,
MFA is not (necessarily) "an app on your phone." A laptop joined to the domain with a fingerprint reader is two factors of authentication - a certified device and a biometric check. The whole point of MFA is to provide something in addition to a password, a separate physical device on your desk is one such option.
Please read my blog post. I gain nothing from you doing so, but it'll save everyone a lot of typing.
Good luck cracking the password on my personal Microsoft account, it doesn't have one.
Handing out corporate phones doesn't solve the problems because they are expensive and yet another asset to maintain; better to hand out YubiKeys but they have a cost; and text messages and codes to email are not strong enough.
MFA is going to happen for all of us in both work and personal and this idea that you can belligerently refuse to use it on a personal device pretending you don't have one is daft. Feel free to work for a company that doesn't bother and roll the dice to see if they last.
Getting to the point where you regularly authenticate on more than one device means we get past using passwords every half an hour and that's easier than typing ever longer codephrases
just as it is easy for someone in the public sector to say they must provide you a device. The rest of the population live in the real world
I think this is a TJ thing more than a public sector thing!
You can run authenticator on most phones but need Android 15 or equivalent to use passkeys which is the strongest method
If your phone is that old that you are wondering whether it will run authenticator, get a new one because the risk of a lack of updates isn't worth it, not just for the MFA but your personal stuff
we have a similar system to access our wage slips and manage holidays.
Except you get a QR code to scan and generate a 3 + 3 code to gain access.
It never works. Usual faffage of multiple attempts requires a password reset, but not just one password, there are 2: 1 for login to generate the QR fiasco and another complex password recovery version.
Needless to say I can never get the thing to work and just don't bother logging on, which is a shame as we have other content creators who post up information which is sometimes useful or interesting
Anything must be better than our system (where we have been directed that no two passwords can be the same, which does confuse things as no two login ids are the same either). Turn PC on, logon, login to 365, login to registration system, login to business world and then there are various not often used things to login to as well. Then they all have different change password rates, some 4 weeks some once a year.
I can find most people's login details for all of these systems within about 5 minutes, usually on a piece of paper under the keyboard.
I know somebody has already mentioned it but your IT people really need to get single sign on working.
Handing out corporate phones doesn't solve the problems because they are expensive
Isn't the cost for a usable phone for MFA going to be £50 to £100 unit cost with something like a 3 to 5 year lifespan issued with a PAYG sim and just updating itself through wifi, logged once onto the asset register, then once off of it for end of life disposal? That's no more expensive than some office chairs.
This isn't a BYOD scenario, it's for MFA, maybe outlook/teams.
My work phone was even cheaper than the above, the cost was already sunk providing a phone to the previous employee that has it.
I know somebody has already mentioned it but your IT people really need to get single sign on working sacking.
FTFY.
I deal with this at my work, in our small team of devs 1 doesn't own a mobile and one doesn't want to use their personal mobile for MFA. Both have been offered cheap works mobiles to use instead. It's not hard.
See - it's not just a "me" thing -)
I think if I felt the way that TJ seems to think about my workplace I'd find a different one - I can't stand to do a job I'm not interested in, but conversely if I am interested in it I don't mind thinking about it.
Whereas I and others on this thread like a hard barrier between work and home. The two remain totally separate and that's the way I like it.
If you look at the thread it's not just me. Others have the same stance. To me it's much healthier this way
By the by; Access to the NHS email account now requires MFA if you log in via the web-page.
And where I worked using personal phones for anything work related was completely banned. I have no issue with MFA or any other security things. My issue is with using personal devices for work.
My issue is with using personal devices for work.
This is not about using a device for work though. No actual work would be done on the device. It would be different if you were expected to make and receive work calls on it or send and receive emails as both of those could arguably incur charges or at the very least use up some of your paid for allowance. This has negligible cost apart from the amount of battery used for the few seconds it takes to tap the MFA prompt (I’ll bet you would have no problem charging your phone at work anyway and your employer wouldn’t mind). It’s simply using the device as a key for convenience, nothing more to it. Sure you can object and insist you are supplied with a phone but this would be more of an inconvenience to you than them. Most people would see this as just being difficult for the sake of it.
This is not about using a device for work though
Tbh, I think you're missing TJ's point about what a clear break 'is' between work and not work. If you are using your personal phone for MFA to access work systems for "some" people (myself included) that crosses a line which I'm healthier not crossing. And it makes zero difference whether you think that's daft or not.
Your personal experience is your own, I personally am way way over at one end. Way over at the other end others I know are happy to be checking emails during an evening meal at home with their family on a BYOD set up.
Ignoring how someone feels about something, does not stop them feeling that way. For the relatively tiny (especially when there's already a large recruitment HR/Admin cost to every employee) investment it cost my employer, it's a no brainer for them as the return is a happier more productive employee. Although as this thread is making me think about work it's probably time to flounce.
(I’ll bet you would have no problem charging your phone at work anyway and your employer wouldn’t mind)
You would be wrong on both counts
As above - it's about the hard line between work and home
Fwiw, my wife is a lead nurse at an NHS hospital, and is expected to use her own phone for 2FA.
Interesting. Disciplinary offense to have a personal phone in use at work in the hospitals I worked in and people were disciplined for using them.
You would be wrong on both counts
Fair enough then - if my employer refused to let me charge my phone at work and then expected me to use it for MFA I would also tell them to do one and probably look for another job TBH if that was their attitude.
I get the work/home distinction and not wanting work stuff on my personal device but I use the MFA app for my personal accounts. Having my work email listed in amongst them would only remind me about work in the same way as when checking my bank account I see a payment incoming from workco or seeing my key to the office on my keyring. I probably do that more frequently than I need to open the MFA anyway. I would also object to having work emails on my personal phone for the same reasons and in any case it’s blocked and not permitted at my workplace. Anyway like I said employers generally accept that some people won’t want to use their own device for a variety of reasons and will likely provide those people with an alternative solution as they won’t want to cause you any undue stress/anguish.
the two remain totally separate and thats the way I like it.
Fine, but not everyone approaches their jobs that way and it's not necessarily a bad thing if you feel differently. Just something to consider.
I don't hate my job, or my company, but the work MFA app is on my work phone, and not my personal phone. I would refuse to install one on my personal phone, too - if work insists on my needing MFA, they can provide me with the means to do so.
Fair enough then - if my employer refused to let me charge my phone at work
There is a valid reason for this - PAT testing and liability
Fair enough then - if my employer refused to let me charge my phone at work
There is a valid reason for this - PAT testing and liability
You misquoted me and didn’t include the bit where I said if the employer expected you to use your personal device for MFA and then refused to let you charge it. PAT testing requirement if you use a wall charger is understandable but most phones these days don’t come with one and you can charge it off your laptop/desktop and even the monitor in some cases - all of which will have been PAT tested. Mobiles themselves do not require PAT testing but obviously if your employer prefers that you don’t plug your personal device in at all for whatever reason then they shouldn’t expect you to use it for MFA. That is my point.
It's another one of those low-level embuggerances that ironically often makes things less secure. Like the stupid requirement still in force at some workplaces to change your password every X weeks. All it does is mean people go from Password17 to Password18.
Yeah, various places I’ve worked had that, including the last place, which was a real pain in the ass, because there wasn’t any real security risk to the information, all it was was registrations of the various vehicles on site, and the location where they were stored.
All of us chose some easy to remember word then added incremental numbers on the end. We might just as well have just used our own names.
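The two posts above describe the usual outcome of forced rotation: the same word with a bumped number. The check below is an added example, not code from either poster or from any product they mention, of the kind of rule a password-change handler can apply so that a rotation which only changes the trailing number, symbol or letter case is rejected. The change records and reason strings are constructed for the illustration, and the rule set is deliberately a heuristic (it is meant to complement, not replace, a breached-password check).

```python
import re

MIN_STEM = 4  # a shared stem shorter than this is treated as coincidence

# Trailing run of digits and the symbols people typically bump or append.
_SUFFIX = re.compile(r"[\d!@#$%^&*?._-]+$")


def _stem(password: str) -> str:
    """Strip the trailing number/symbol run: 'Password17!' -> 'password'."""
    return _SUFFIX.sub("", password).lower()


def rotation_weakness(old: str, new: str):
    """Return why `new` is a trivial variant of `old`, or None if it is not.

    Rules, in order: identical; case change only; same stem with only the
    trailing number/symbol changed (Password17 -> Password18); or the new
    password still contains the old stem (Password17 -> MyPassword17)."""
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "case change only"
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and old_stem == new_stem:
        return "same word, only the trailing number or symbol changed"
    if len(old_stem) >= MIN_STEM and old_stem in new.lower():
        return "still contains the previous password"
    return None


# Constructed change records (user, old, new), stand-ins for what a change
# handler would see at the moment of rotation; nothing here is real.
RECORDS = [
    ("alice", "Password17", "Password18"),
    ("bob", "Summer2023!", "summer2024!"),
    ("carol", "Password17", "correct horse battery staple"),
    ("dave", "Tr0ub4dor&3", "tr0ub4dor&3"),
]


def audit_changes(records):
    """Run the check over change records; return (user, reason) for each
    rotation that should be refused."""
    flagged = []
    for user, old, new in records:
        reason = rotation_weakness(old, new)
        if reason:
            flagged.append((user, reason))
    return flagged


if __name__ == "__main__":
    for user, reason in audit_changes(RECORDS):
        print(f"{user}: refused ({reason})")
```

A handler that applies this at change time has to hold the old password in memory for the comparison, which is only possible during the change itself (when the user supplies both); it cannot be run retrospectively against stored hashes, which is one more reason the posts' criticism of blanket rotation holds.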
If your work doesn't supply trousers, do you refuse to wear your own and turn up in your y-fronts?
Depends on the type of work. Anything that involves stuff getting dirty, I’d expect PPE to be supplied, or an allowance to cover expenses.
There is a valid reason for this - PAT testing and liability
No there isn't.
It's a myth that PAT is required in low-risk environments (or indeed at all, really), so this is wrong I'm afraid. The law requires an employer maintains and monitors electrical equipment which has potential (ho ho!) to cause injury. PAT is simply a method of demonstrating that they've done this. Some bloke in hi-vis running round putting stickers on things is a money-making racket.
Look, let's put this to bed.
There is a difference between "using your phone for work" and what we're discussing here. I have always agreed with TJ here in keeping work/personal separate. I learned this one the hard way 25 years ago when I started getting calls on my personal number from work colleagues on a Sunday morning wanting help with their home computers. It's something I've always pushed back hard against.
If by "using your phone for work" that means accessing internal systems then any security-conscious organisation should be pushing security policies to your phone, potentially overriding your own access rights. This - obviously - will be a big "no" for a lot of people.
BYOD was an ill-fated scheme pitched under the guise of letting users work on their preferred platforms, but the reality is that it was a cost-cutting exercise. It turned out to be a wholly predictably ****ing stupid idea because any expense saved in hardware was more than surpassed by IT and Security trying to manage piles and piles of random esoteric largely-uncontrolled shit.
But that's not what this is, at all. Using your phone for MFA is adding an additional entry into an app you really should already have installed and be using for your own accounts. That's it.
If instead the OP's question had been "my boss has asked me to put IT's phone number into my personal phone's Contacts just in case everything else goes tits up and I can't access any work systems" would we still be having this conversation? It's broadly the same principle.
(... do people really not get work phones as standard issue these days?)
(... do people really not get work phones as standard issue these days?)
No. We have laptops with teams installed. If we want to install teams on our own phones, that’s up to us.
Personally I agree completely with people not wanting to be reminded of work when they are not at work but there has to be some pragmatism about it, if you wear a uniform you’ll get reminded when you wash it, if you have a company van parked outside, if you have an ID card in your wallet etc etc so practically it’s impossible to remove all references to work from home. Using the work/home distinction as the sole basis for refusing to use MFA on a non work branded app you should already have just seems inconsistent to me given it doesn’t suddenly scream “work” at you every time you pick up your phone - especially when compared to other more intrusive daily reminders as per the above. You can even hide the app if you’re on iOS (possibly on Android also?).
Some of the objections given further up though were based on assumptions that were incorrect:
- Work will have access to my phone - incorrect
- I will have to sign up for a Google/Microsoft account - incorrect
- I will have to buy a smartphone - incorrect (no reasonable employer would expect this).
Work can’t force you to use your own phone as a key - it’s convenient for you though. I have a work phone. I would refuse to use my personal phone for anything work related that involved actual work activities - email etc but having MFA on it as well as on my work phone makes things easier for me so I do it. I am not once reminded of work when I use my personal phone for anything.
We enforce MFA, not every employee gets a phone as standard. Anyone who doesn’t want to use their own phone would get one provided - it’s a small relative cost and not worth arguing over.
If we want to install teams on our own phones, that’s up to us.
Massive security risk unless you are forced to install a work profile on your personal phone so it can be wiped remotely. It should be actively blocked.
There is a valid reason for this - PAT testing and liability
No there isn't.
It's a myth that PAT is required in low-risk environments (or indeed at all, really), so this is wrong I'm afraid. The law requires an employer maintains and monitors electrical equipment which has potential (ho ho!) to cause injury. PAT is simply a method of demonstrating that they've done this. Some bloke in hi-vis running round putting stickers on things is a money-making racket.
When your employer mandates PAT then you cannot charge your own devices
If instead the OP's question had been "my boss has asked me to put IT's phone number into my personal phone's Contacts just in case everything else goes tits up and I can't access any work systems" would we still be having this conversation? It's broadly the same principle.
Yes because the same applies - what happens if you do not have a mobile phone and it still breaches that hard barrier
We enforce MFA, not every employee gets a phone as standard. Anyone who doesn’t want to use their own phone would get one provided - it’s a small relative cost and not worth arguing over.
Which is the correct way to do things
I will say up front that I skim read a lot of the comments after the first 30 or so and, as such, I apologise if what I am about to say has been said before.
TL;DR: I work in cyber, have done for over 20 years and what I do is focussed on protecting users and information within big and complex IT environments. Currently that means a userbase of about 40k people.
MFA is _the_ single easiest and best way to protect your on-line accounts from being taken over. I would rather _any_ MFA is used by my users than none, but I have a clear preference for something that is stronger (and less likely to be intercepted) than an SMS, something that device certs/WindowsHfB, FIDO2 or (Google|MS) Authenticator fits the bill for. I see evidence daily of password sprays and brute forces and, without the "something you have", guessing a password means that account (or indeed any account using that username/password combo) can be taken over and either stripped of personal information or used to spam/phish other people. My advice when training is that adding MFA (again, I don't care what) to every account that supports it is _the_ best way to retain control of those accounts.
The challenge I see with a lot of companies that have been pwned is that they use a cheaper form of MS licensing that may not allow for a lot of the features I rely on. Device management, integrated EDR and Conditional Access give me a lot of flexibility in how my users can work and in what circumstances. It might allow me to give full access to systems when a user is using a corporate/managed device on the internal network, but limit their access to just M365 when they log in on a personal computer from home, or to block access to everything when they are out of the country.
I saw someone mentioned phishing earlier and how it's a technical problem and not a person problem (paraphrasing slightly). I disagree. It is a problem. Technology can only do so much to address the problem and attackers evolve their methods all the time. User education/training and engagement is _essential_ to combating this; you cannot rely on just technical means.
As an example: You get a mail from someone you know, written in English, possibly replying to a mail you sent to them. It contains a link to a document hosted on their Sharepoint with the request that you review the document. DKIM, DMARC and SPF all come back passed, headers match their mail server and the mail signature is theirs. BUT WAIT!!! The document (hosted on their Sharepoint in their folder) they sent you has a link in it and, when you click that link, you come to a login prompt for _your_ Sharepoint and, because you trust the sender you enter your passwo.... oh no.
No MFA means that your leaked password can be used to make you the next link in the chain. Then your IT department will get calls from the people in your address book asking if you have been hacked and maybe ICO will have to get a GDPR disclosure for the info that was on your Sharepoint.
Dammit. That turned into more of a rant than I wanted, but it's a Monday and I have a lot of work ahead of me. In summary: Use MFA everywhere you can, have separate passwords for work and personal accounts (and make them long, but easy to remember) and work with your IT department to make your place of work safer for the whole company (and give the 'me' in your office a slightly easier life).
(... do people really not get work phones as standard issue these days?)
depends who you work for and what you do but increasingly no; part of the reason for that is many employees don’t want to carry two devices around so would prefer to use their own phone.
TJ, as usual, is showing the crazy side of unions - people who would spend their time arguing about hypothetical staff who don’t own a phone being able to login to a system (where there probably is a “have this brick from the bottom drawer solution” available) whilst real issues go ignored - like the vulnerability of employee (or patient/customer) data because using industry standard practice might cause a theoretical inconvenience to someone who enjoys making a fuss about stuff. He is of course living in a career bubble where there was a shortage of nurses and so you could get away with being a bit of a dick and still survive. Arguing the toss over this sort of thing is unlikely to advance your career.
depends who you work for and what you do but increasingly no
The reality is that work used to give people better tech than their own personal kit, so everyone was keen to get a phone, laptop, etc. That's not so much the case these days - work equipment is often more utility than our own stuff and usually more restricted in use.
If I didn't want to use MS MFA I could go to the office and use the office network or a LAN cable, but I like being at home and use MFA for other sites so I just use it.
I don't quite get the barriers between home and work argument, MS MFA has never sent me an unsolicited pop up, do these people log off or go home on an evening or weekend and never think when am I next in work? How am I getting there? Are my clothes clean? Do I need to make a packed lunch, etc, etc
Work didn't provide me with fibre broadband to WFH with. Or a chair to sit on in my "home office". Could go on etc etc.
Having the MFA app on my phone (despite it being an absolute crock) isn't really a big deal. It's just a magic number generator. Whatever.
End of day. It's generally good to avoid making yourself look like part of a problem TBH.
Other opinions exist.
@willard very well described, this is essentially one experience we had prior to MFA, the 3rd party then impersonated the victim (new email address, 1 character difference in the domain name or something) and sent emails relating to a legitimate subject and set up invoices for stuff the company had bought from us, the other company then paid the hacker..... they blamed us, even though it would've been due diligence on their side to check email addresses and question change of payment details...but ultimately, MFA would have prevented the 3rd party from sniffing our employees emails...
If I didn't want to use MS MFA I could go to the office and use the office network or a LAN cable, but I like being at home and use MFA for other sites so I just use it.
If work have set it up properly, then no, you really couldn't. As others have stated many times, MFA is about proving that it is really you that is logging on. And that shouldn't be affected by where you are logging in from. I still get MFA prompts whether I am working from home or am in one of our corporate offices. And that's the way it should be. [And to those in the know - yes, I am aware that for some cases it really does matter where you are logging in from but I feel that's not relevant or pertinent to the main discussion here 🙂 ]
I already have a 2FA app on my mobile. As has been mentioned, it generates a number. I generally refuse to install apps on my phone but no problem with this, and no problem using it for work purposes as it is just a number generator. There is no network connection for it. It's not made by Microsoft. Superior to text messages.
When your employer mandates PAT then you cannot charge your own devices
You absolutely can, either use an existing USB outlet or bring in your own charger to be tested on the day Stickerboy comes round.
Yes because the same applies - what happens if you do not have a mobile phone and it still breaches that hard barrier
OK. Write it down in the paper address book you keep next to your landline?
Poly - it's nothing to do with unions or anything like that. It's two things - one is thinking of those that do not have smartphones (and several folk responsible for this stuff have said it's no issue), the other is about having a hard barrier between work and home. Again something others have as well.
At my workplace having your own mobile in use when on duty is a disciplinary offense and so is plugging anything into USBs cougar 🙂
