Apparently MFA is being rolled out across all NHS mail users by the close of March
Our trust is saying either get a work mobile (which seems a ludicrous waste of money) or use your own personal mobile for the MFA.
Grumpy old man mode
Surely we should be given the tools we need to do our job?
And if not can I now put my iPhone 15 pro Max on my tax return as an item needed to carry out my job?
just get a work phone.
we enforce it at our work
every personal use scenario should already be using MFA, i.e. for your own accounts, so adding an extra account onto an app you probably should have installed already is not a big ask.
We were taken to court over losses from another company due to one of our employees email accounts being hacked and sending false bank details. This wouldn't have happened with MFA in place then.
Summary: it's to protect you and the company and has no real negative bearing on you or your device
I needed to have some stuff emailed to me at home from the NHS recently. For security they wanted me to use some weird app. I went to register for the app and it wanted all sorts of irrelevant personal info from me so I refused to do it and made them send it to me snail mail
Egress it was called
Having MFA on my own phone is a better solution than carrying two phones around in work hours for me.
If the company I worked for had a history of overstepping the mark in what they expected me to provide in order to do my job, or intruding outside of working hours, then I would demand a work phone.
just get a work phone.
Yeah but every single employee in the organisation having a works mobile phone for MFA? Ours is a small organisation but still 4000 employees. £300 per phone = £1.2m for a device to be rarely used. It was only last year they were taken out as a cost saving as comms can now take place via Teams
If it was only for use during normal working hours I'd just use my personal phone. As has been said, I'd find having two mobiles a bigger pain.
I often work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA so I have to run out the room to another area of the building and get my phone out of a locker, unlock and enter the code within 30 seconds. I'm sure there's a H&S element to this...
@FuzzWuzzy
in that situation, if the computers are in a secure environment, we would configure the conditional access policy to whitelist that location or those devices. You signing into the PC is one authentication, them being in a secure location is the other method of authentication. To be honest, you having to run out of the secure room is probably less secure
had a little pager like device that gave the MFA code for 30 seconds when you asked it to.
Yeah, I still have an RSA token for one system but for this one they don't want the hassle/expense of managing physical tokens so only support authenticator apps
Just use the MFA on your phone. Being a dick at work makes you a dick, your colleagues will think you're a dick and your managers too. Being petty over such trivial things will achieve nothing but make you miserable.
Maybe they have decided cheap (£100 max android) work phones for those that really don't want to just stick the details on their private phones is much cheaper than tokens for everyone. For MFA via authenticator I don't care unless they want to use the nasty mess that is Duo. If they started trying to say the device has to be registered, have a policy and capable of remote wipe then I have an issue and they can provide the device. Do you have the option of automated phone call or text message instead?
Doubt you'll get away with claiming tax relief on the phone.
It's not a big deal, install an authenticator app on your phone and link it up, when logging in you put the code in job done. It's not really something to make a mountain out of a mole hill over, depending what system they use it could also go to an email address. I'm also sure you'd rather this than your account be at the mercy of a breach and you losing your job over it? If you're that bothered just request a works phone and have fun carrying two mobile phones about with you.
install an authenticator app on your phone and link it up
Or if you don't want to use that, just configure it to send text to your phone number.
I'm happy to use an authenticator app, because I already have one installed for personal use, but they are other options.
Depending on how it's configured, text or phone call may not be enough; a recent update on our tenant prompted all staff that they had 3 more logins on text/call to set up authenticator. We didn't look into why as it's definitely preferred
But seriously this is a bugbear I have too, sadly the last people I trust with my personal data are a combination of big tech and my work.
Neither have your personal data for an MFA code.
If it makes you feel better, my wife already has an NHS supplied mobile phone, she enrolled in MFA and is now locked out of everything because something didn't work properly. Every help desk she calls sends her to another help desk and nobody actually wants to fix it.
You think it's painful for you, I'm the primary NHSMail LA for 90 GP Practices...
Firstly, you only need MFA if you're accessing via Web, not Outlook, or configuring on a new device. Second, MS Authenticator on your personal mobile releases next to no info to us as Admins, just tells me you have the authenticator app set up, less even than you having to have your personal mobile number in your NHSMail profile for SMS auth (and you can hide that to make it invisible to local admins). I have both my works and personal mobile set up on my profile, so I can still get in on the days I forget the works one. I'm not worried about NHSMail/Accenture having access to my number, your mileage may vary.
If your office offers you a works mobile, go for it, or ask if they'll provide a FIDO token, as they're the main viable alternative. As someone else suggested, your trust also has the option to create Security Groups and secure locations (i.e. HSCN, IP boundaries etc) where MFA won't be required. Likewise, if you have one, you can register for Smartcard access to NHSMail, which doesn't require MFA via mobile as well - though you will still have to have MFA set up, you don't necessarily have to use it each time.
(Goes back to writing pretty much this exact statement in a way 4,500 Practice staff might be able to understand with the minimum of "What do we do / why do I have to / but what about..."-ery...)
I'm not understanding the problem here. 1. They are offering to provide you with a phone. 2. They are offering to let you use your own phone if you don't want to carry a work provided phone. In what way are they not providing you with the tools to do the job? Your response to that was baffling:
Yeah but every single employee in the organisation having a works mobile phone for MFA? ours is a small organisation but still 4000 employees.
4000 employees is not a small organisation, it's 4000 potential data access leaks.
£300 per phone = £1.2m for a device to be rarely used.
But you are ignoring that most people will prefer to use their own phone for convenience, or are already heavy work phone users so have a device. On top of that an authenticator app will run on a £100 phone, especially with the buying power of the NHS if they were to be ordering 4000 devices.
The cost of a data breach is potentially way more than £1.2M; I can only assume it's really the MFA you are objecting to rather than the idea of being provided with a phone to do it - worst case ransomware attacks locking down NHS networks not only cost a fortune but risk lives in an NHS setting.
The cost of a data breach is potentially way more than £1.2M; I can only assume it's really the MFA you are objecting to rather than the idea of being provided with a phone to do it – worst case ransomware attacks locking down NHS networks not only cost a fortune but risk lives in an NHS setting.
Can I nick that for my comms piece?!
I often work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA so I have to run out the room to another area of the building and get my phone out of a locker, unlock and enter the code within 30 seconds. I’m sure there’s a H&S element to this…
@FuzzyWuzzy - this is what Smartcard authentication to NHSMail was put in place for. We recommend it for clinical staff working in the local prison/secure units where they can't take mobiles and laptops.
On top of that an authenticator app will run on a £100 phone, especially with the buying power of the NHS if they were to be ordering 4000 devices.
NHS buying power?...They'll cost £800 each then and 'secured' with a ten year no-exit maintenance contract with the supplier! 🙂
. I’m sure there’s a H&S element to this…
Yes, it's being rolled out for us but I work in pathology (specifically bacteriology) where mobile phones are banned on H&S grounds.
Sounds like there are alternatives, suggested above, that our trust should be able to offer, but the trust hasn't offered them, instead making us forgo the mobile ban by bringing them into the lab whilst we log into each PC for the first time.
It's not been well implemented tbh.
It doesn’t sound like it should affect me that much.
I duly downloaded the Microsoft app which did as told. Deleted the app after
Isn't using my work laptop on my home wifi or mobile hotspot more of a risk?
Isn't using my work laptop on my home wifi or mobile hotspot more of a risk?
Probably not. They'll have it well configured for security and may well be using a VPN to access the NHS stuff etc. The easiest way to get into any system is to get some muppet user to let you in - eg. by them giving you the password (e.g. giving it to a colleague so they can do something, using the same password multiple places, or by harvesting it in a phishing email).
if your work laptop signs in from an unusual location it could well prompt for MFA anyway
We have the ms authenticator app on our phone. I mean the alternative is an additional device (like a banking authenticator), which we have for something else and is a pain, and/or another phone. Why would you want extra devices, when you can just install an app on your personal phone?
Why would you put anything for work on your personal device?
I work in the healthcare sector and we had a similar thing. It's a lot easier using MFA on your personal phone (Google Authenticator app for me) than using a dongle or a works phone.
You literally have to scan a QR code once, it's not a big deal.
If you really feel the need to flounce about using a personal device for work then take up the offer of a work phone.
why would you make it harder for yourself? having to carry, and charge two devices or such like, or at least a smart card.. when the whole point of the exercise (MFA) is to make your life easier
I'm a firm believer in keeping work and personal separate. I wouldn't be carrying two devices around ( unless mobile working?) the work phone would sit by the device being used for email access and left at work
All of what Poly said.
Our trust is saying either get a work mobile
Surly we should be given the tools we need to do our job?
I must be missing something here. Is the trust saying you should buy a separate mobile and not offering to provide one? That's lunacy if so.
@tjagain you wouldn't be able to do that. you'd need to keep it safe or it defeats the point
if it was valid to leave the second form of authentication by the primary device you log in on, then as an admin, you make the primary device essentially whitelisted. then if that's the case you don't need MFA...
the second form of authentication needs to be kept as secure as the primary (your password, stuck in your head) so on a phone it would be password or biometrically secured
Cross purposes. The work phone would be set up with whatever security the employer thought necessary. If it's only used for MFA then it never needs to leave your desk if that's where you get emails. If the phone is not secure then that's up to the employer to secure it, so yes the phone would be secure but zero need to carry it around, and if it's only used for MFA then it would hold its charge for ages. Of course it's different if you are mobile working but then what are you getting your emails on?
Cougar - "get a work phone" means get one from your employer
you may as well just put MFA directly on the device then, like biometrics or such like. But then you can't work remotely. Or you disable access from any location that isn't the work PC/network. Which may not suit every user so that's extra complex.
regardless, the OP works remotely at times so needs a form of MFA he can use in multiple locations.
SO, he either needs to carry a second device, be it a phone, smart card.. anything...
or add a simple account on to an app he probably already has installed. It probably would take up a fraction of a megabyte of storage, and he would not be likely to forget to have it on his person and have to make embarrassing calls to IT to get access to do his job.
I literally deal with this attitude on a regular basis. I get the user access, tell them they have to set it up or they won't be working. If they have any issues with that they can discuss it with their line manager who can then arrange to order them an alternative solution at cost to the business
in my head, it's not costing you anything, it's making your life easier and your job safer. No company data is on your device, and none of your data is in the hands of the company
and regardless of your outlook on things, your line manager remembers when it comes round to pay reviews etc that you made a little drama out of nothing and wasted some of their time
I work for a council in IT and we have just implemented MFA and had all these arguments. Just add it to your personal phone and move on. Stop being picky as at the end of the day the highest likelihood of the NHS getting hacked will be due to user error or a mistake. Think of it as covering yourself. It's also bloody easy to use. If you don't have a smart phone then I get the argument but I would then say get with the programme of modern life. Having MFA on your phone is not the same as having work email on your phone. Give it a bit more time and MFA will be everywhere.
Cougar – “get a work phone” means get one from your employer
If that's the case then the OP is simultaneously arguing against being provided with a work device and not being provided with a work device?!
I genuinely don't understand the beef here. The employer has said they're implementing MFA - which is a good thing - and have offered the employees the option of either using an authenticator app on their own device or on a device the employer will provide. What's Option 3 here, "I don't want to use MFA"? Tough, if so.
I needed to have some stuff emailed to me at home from the NHS recently. For security they wanted me to use some weird app. I went to register for the app and it wanted all sorts of irrelevant personal info from me so I refused to do it and made them send it to me snail mail
Egress it was called
I use that. Secure web-based email with NHS people, which makes sense if discussing private medical stuff rather than having it going through Google/whoever's email servers.
Didn't need much I think, just your personal email address which becomes your Egress user ID. Nothing else in the profile was mandatory I don't think.
Currently going through this. All work PCs use a webmail link. I work in a lead lined department with a number of Faraday cages. No mobile signal. 15000 employees and not enough money for paper roll for the couch. Work phone lol.
@ultrasound you don't generally need a signal for MFA. Before phones you used to get a keyfob device with a button and LCD display. That didn't use WiFi or 4G.
Why would you put anything for work on your personal device?
So I can log in? Like literally, verify which one of the selection is the the number on the screen. That's it.
Of course it's different if you are mobile working but then what are you getting your emails on?
The laptop I'm trying to sign in to!
I have no need and no desire to lug around another bit of tech, especially for the sake of a 179mb app (which I already use anyway). That's literally the only thing work need me to use a personal device for other than the vanishingly small chance they'll contact me out of hours which I'd be getting OT for anyway.
Whenever one of these conversations comes up, I'm amazed it's not a normal part of the rollout to have the option of a keyfob device that's compatible with the MFA being used. It's not uncommon for there to be a number of people in any one group who can't / won't put anything on their own phone. They're not expensive (certainly a lot less than a £400 smartphone just to run a number generating app).
As for leaving the device at work, that drastically reduces the security, the point of MFA is to reasonably confidently say that whoever is signing in has access to "Something you have". If you were given a physical key to something you were to have access to at work, would it be a gross imposition to be expected to take that key home when you weren't at work? I certainly doubt that many people would think it reasonable just to leave keys on their desk at the end of the day. (Yes, I get that keysafes exist, but again that means that "This was opened by the key that only you should have" becomes "This was opened by one of the many people who have access to the keysafe".)
Whenever one of these conversations comes up, I'm amazed it's not a normal part of the rollout to have the option of a keyfob device that's compatible with the MFA being used.
We have the option of FIDO tokens. But we (the NHS Trusts) would have to buy them/pay the subscription cost for them, which is not financially viable when there's a way which doesn't cost anyone anything - users adding an account to a very small app which they might already be using for other things on a personal device, rather than more taxpayer* money going on paying for tokens or mobiles for all staff. The NHS are in the shit financially, it can do without that in the budget no matter what staff think...
The other thing non-NHS commenters might be missing in here: This is not a policy the OP's employer are enforcing, this is a change NHS England/NHSMail are forcing on all NHS organisations who use the central tenant. We don't get a say in the matter if we want to keep our email system. Employing organisations are also copping the shitty end of the stick, stuck between an enforced policy change from above and shirty users from below. We've had mandatory MFA on our organisation (an office of an ICB) for two years, but our GP Practices have refused - we've got a few who've lost quite a lot of money in cyber fraud but wouldn't make it essential for all staff. That decision is now being taken out of our, and their, hands.
I'm not saying folks don't have a right to say "I don't want to use my personal mobile", but my harsh thought would then be that "you're wanting to cost me an extra £x per year so **** it, it's cheaper for me just to revoke your access to email."
Also for the non-NHS commenters: not all 'NHS' organisations use NHSMail - it's not mandatory but it has certain advantages (and disadvantages). It was, for a long time, the only accredited Secure email system for the transfer of patient data: where government had GSI, GCSX, we had NHS.net. It's still the most used Secure email system because the alternative is costly accreditation of a Trust's own hosted email server and domain.
* Don't get me started on NHS funding...
Jamze
Egress wanted all sorts of personal info from me. The sort of stuff I am not going to give a commercial outfit.
Maybe different as I am outside the NHS now?
Address, personal email, NI number, phone number. 3 pages of personal data and no way of revoking permission to use it
My employer enforced MFA access on me so I just installed the Auth app on my work laptop 😄
I have no idea whether that defeats the objective but it's worked for me for the last two+ years.
I’ve had the same mobile number for 20 years- each time I move employer I port the number to them and they pay my bills. When I leave I take the number back. Saves the two phone situation.
@toby - inevitably security keys/dongles/devices will be left lying on desks, in the drawer under computers, taped to the monitor etc and probably shared between the users who share one password and account too! Not uncommon to see computers with a postit note with the password on it, and in NHS security of drug cabinets is often not as good as the written procedure says either. One advantage of a phone is people appreciate it has value so don't leave it lying around, and if it's their own phone are probably likely to be precious about lending it out too.
@ultrasound - the Authenticator apps on phones operate fine with no signal. Presumably not all 15000 people work inside a faraday cage though so even if a small number of users have a genuine concern about phones (eg those in a microbiology lab) the number who need a paid product is far fewer.
@vlad - I don’t think that defeats the purpose, unless you lend the laptop to people or it gets stolen.
Hang on, I am (probably correctly) assuming that this does not apply when logging in from a trusted site. E.g. the hospital where you work
So you are either logging in from a trust laptop remotely or accessing NHS mail from a personal device. In which case MFA is perfectly reasonable and sensible.
So the option three would appear to be, go into work
inevitably security keys/dongles/devices will be left lying on desks, in the drawer under computers, taped to the monitor etc and probably shared between the users who share one password and account too! Not uncommon to see computers with a postit note with the password on it
Very true this - and it's NHS IT security policies that lead to this
I had 3 passwords for different NHS IT stuff. None of them allowed a phrase that was easy to remember, each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn't just change a number because if it was too close to the last one it would be refused. This makes it almost impossible to remember your passwords so all were written down
work out of a secure room with no smart phones allowed but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA
No need, contact IT support, tell them the issue, and either get them to remove the need for MFA on that station (because you can't), or organise it so that you can use your smart card (if you have one) or get them to install Outlook on it and get NHS mail that way. problem solved (or made some-one else's)
or get them to install Outlook on it and get NHS mail that way.
That's how I access NHS mail, but was still told that eventually it will not work, and MS Teams
Anyhow - don’t download the app and then delete it once you have setup MFA.
When I tried to reinstall the app to my phone it won’t let me login and says look at the app for a code only I can’t because I’m trying to setup the app 😂
Apparently you can verify the app using a QR code from NHS mail, except the only way to access that QR code is via NHS Mail for the web, which requires the app to access 🤔
Think my next approach will be to receive a text message rather than use the app if the IT dept can’t sort out my access again
This makes it almost impossible to remember your passwords so all were written down
Yep it's ridiculous. I use notes in Outlook to record multiple passwords for multiple systems. The passwords have to be that obscure you have no chance of remembering them
There's not really an excuse not to use a password manager/vault these days (vs writing passwords on paper or in Notes etc.), apart from a few niche cases (where you can't take electronic devices into an area you need to use passwords in, such as a secure data centre).
Call me naïve but when my employer offered me a company mobile 20+ years ago I happily said yes and cancelled my personal phone contract - haven't had my own phone since (apart from a brief stint with an emergency phone for MTBing as didn't want to risk trashing the company phone). I'm allowed to use it for personal text/calls/data but in reality it's connected to WiFi 95% of the time so WiFi calling etc. means it's not adding to any phone bill. If I was going abroad I'd just get a SIM/eSIM for that country and switch to it when out there. The only slight issue I've created for myself is when the company transitioned to iPhones it was my first Apple device so I used my work email to create the account, then when I later bought a personal iPad I just used the same account so now all my personal apps are under my company ID which will be a pain to sort if I quit/retire...
I get some people being concerned about snooping etc. if you're mixing work stuff on personal devices but an authenticator app is pretty benign in that context. They're also useful for personal use (if you're doing MFA for personal stuff via SMS or email codes then that's not considered secure these days, you should switch them to using an authenticator app if it's supported).
As for those who've suggested requesting conditional access etc. be set up for my situation trying to use MFA in a secure environment, good shout, I'll ask if that's an option. Although it might be more complicated as I connect from the physical desktop to an RDS farm (that's also used by people VPNing in etc. when WFH) to access unclassified email/Teams, so unless my origin location can be preserved they'd probably need to set up a dedicated RDS server(s) to disable MFA requirements on and I can't see them going to that much hassle.
The passwords have to be that obscure you have no chance of remembering them
They really don't. Long compound word passwords with some special characters/numbers are just as strong. Use a pattern like 'colour-place!animal(numerals)'. Much easier to remember as you remember words more easily.
Yep it's ridiculous. I use notes in Outlook to record multiple passwords for multiple systems
That is extremely insecure. Sticky notes on your monitor would be better! Get a password manager, there are free ones that sync between devices.
nixie - the point is that the rules used for passwords make it almost impossible to remember them especially when you have 3 different ones and all have to be changed regularly and at different intervals. Over a year I would have had to remember at least 9 different ones
then password manager on your phone, authenticator app might even offer that function too IIRC.........
I understand what the point is TJ, the patterns help with the memory. Even using the same password for each system with the system name added to its end (for uniqueness) would make them memorable.
The frequent changes I think have been proven to decrease security and are just annoying. Pretty sure it's not best practice anymore.
Even using the same password for each system with the system name added to its end (for uniqueness) would make them memorable.
Not acceptable under the rules. Nor could you make minor changes to the passwords at each renewal
it was something like (and different for each system) 12 characters including one capital and 2 special. A password that would fit the rules for one would not fit the rules for another, and at each password change you had to create a completely new one - not allowed to modify the one you had. This was relaxed after a while because IT were fed up of having to do resets every time someone logged on.
However the password rules made it very difficult to remember passwords
Get a password manager, there are free ones that sync between devices.
Impossible on an NHS device (with avg IT skills); we are blocked from downloading anything, and even when you go to IT they say no
Very true this – and it's NHS IT security policies that lead to this
I had 3 passwords for different NHS IT stuff. None of them allowed a phrase that was easy to remember, each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn’t just change a number because if it was too close to the last one it would be refused. This makes it almost impossible to remember your passwords so all were written down
Which is why the world has moved on to a single secure password and MFA.
That is extremely insecure. Sticky notes on your monitor would be better! Get a password manager, there are free ones that sync between devices.
If Outlook is locked behind the same MFA and password as your login, why?
Impossible on an NHS device (with avg IT skills); we are blocked from downloading anything, and even when you go to IT they say no
For a while, NHSMail used to specifically prohibit it, was never sure why. But - whoever told you it would apply to Outlook has the wrong end of the stick. MFA only applies when you're accessing stuff on the Tenant (NHSMail/Teams/Office apps) from a web browser, or setting Outlook up on a new device for the first time. It won't apply each time you log into Outlook on the same PC/laptop.
For those whinging about password policies, NHSMail is one of the more sensible ones: Minimum length of 10 characters, without requiring a mix of character types or cases. Not matching your previous four passwords. Not detected as a common password (password123, winter2021 etc), and only has to be changed annually.
They've also published the 'Security Groups' guidance that will allow Trusts to set specified secure locations/conditional access by IP boundary where MFA isn't required. MFA will still have to be set up on the account, but inside that boundary it won't be actively used.
We have the option of FIDO tokens. But we (the NHS Trusts) would have to buy them/pay the subscription cost for them, which is not financially viable when there’s a way which doesn’t cost anyone anything
Fair enough, but I wasn't talking about having a whole extra system, just the tokens that go on a keyring and give you a number when you press a button. As I understand them, they're doing the same function as phone-based authenticator apps, maths based on the current time + a secret number, you just need to initialise them slightly differently for users with one. They seem to cost about a tenner rather than the £400 that someone seems to be threatening to spend to give the OP a smartphone that will do nothing other than run Google Authenticator. Surely it should be expected that 1-5% of a given population will use a (non-smart) phone / have a windows Phone / get shirty about being asked to install something like this?
I had 3 passwords for different NHS IT stuff. None of them allowed a phrase that was easy to remember, each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn’t just change a number because if it was too close to the last one it would be refused.
Yeah, that is particularly bad, much of that is now regarded as bad practice by many people. Thankfully, I slowly see better ways of evaluating password "strength" gaining traction in the IT world. However a lot of places seem wedded to prescriptive rules that in theory make passwords easier to crack (If I need to work my way through all 20-character strings, it's a lot quicker if I can eliminate a high percentage that don't match the given rules. Also "Generate random password" functions in password managers don't generally offer passwords to match the rules given. Balanced with that, though, is stopping people using "Password1").
My questions do remain though that if you were given, say, a key for a filing cabinet full of patient records, would you a. regard it as such an imposition to be expected to keep it with you and take it home? And b. Also regard it as acceptable to just leave it on your desk when you went home?
Very true this – and it's NHS IT security policies that lead to this
The NHS doesn't pay IT teams well enough to get people who genuinely are passionate about frictionless security, and have both the technical skills to do it and the people skills to achieve it in an organisation of that scale! Every time we hear complaints about too many managers costing too much money etc - what we are doing is saying, make the clinical teams' jobs harder by having fewer or poorer non clinicians who fall into tick box culture.
I had 3 passwords for different NHS IT stuff. None of them allowed a phrase that was easy to remember, e.g.
I bet they did with a little imagination!
10GBHoaW&i1SAF!
Would be accepted on almost any password rules but is easy to remember - because its a line from a song/nursery rhyme:
TEN Green Bottles Hanging on a Wall AND if ONE Should Accidentally Fall !
each had different rules as to what was acceptable, each password had a different lifespan until you had to renew it and you couldn’t just change a number because if it was too close to the last one it would be refused.
This last point is interesting, because it implies that they know your password, not just the hash of your password, which is basically security rule 1. I'm not saying it doesn't happen. I have to deal with a system that won't let me recycle passwords (i.e. they keep the old hashes and compare them) but not similarity. Of course simply going Pa$$w0rd1, Pa$$w0rd2, Pa$$w0rd3... etc is shit security. Personally I'd have seen it as a challenge to work out how to bypass such an automated tool. e.g. Pa$$w0rd_ONE, Pa$$w0rd_TWO,... or Pa$$w0rd_OCT, Pa$$w0rd_NOV, etc
This makes it almost impossible to remember your passwords so all were written down
Of course you don't want to use the same password everywhere - but you can extend: 10GBHoaW&i1SAF! to become:
EM+10GBHoaW&i1SAF!
DB+10GBHoaW&i1SAF!
SY+10GBHoaW&i1SAF!
For email, database and system respectively. That's not ideal, because if you crack one you can start to guess others - but let's be clear, 99% of hacking is not based on intelligence like that. I use an approach like that (but marginally more complex) for most websites etc - and essentially "know" hundreds of passwords. Only very rarely will I encounter a system that has a stupid rule like "&" is not permitted in passwords or max 8 characters. I have 2FA turned on anywhere that lets me too.
Fair enough, but I wasn’t talking about having a whole extra system, just the tokens that go on a keyring and give you a number when you press a button. As I understand them, they’re doing the same function as phone-based authenticator apps, maths based on the current time + a secret number, you just need to initialise them slightly differently for users with one.
Those are RSA tokens (or similar) - can't be used on the modern systems, they're quite an old tech. The mobile Authenticator apps aren't necessarily just a code generator like that any more, they're a live system - hence we get into the debate of what needs signal to work etc. The only viable alternative NHSMail accept is FIDO2 (plug-in USB type tokens), but there's issues with those - mainly another security policy of USB ports being locked down etc.
Those are RSA tokens (or similar) – can’t be used on the modern systems, they’re quite an old tech. The mobile Authenticator apps aren’t necessarily just a code generator like that any more, they’re a live system
Ah, fair enough. I'll admit my looking into it has been a bit superficial, but some pages selling physical tokens were at least heavily implying they did the same as the likes of Google Authenticator app. And yes, I get there are other processes to do MFA on a mobile, but as you say, they then have their own set of problems.
I remember the fun of trying to log into PayPal while staying with a friend in an area with poor signal. The SMS was only valid for something like a minute so I had to click the request, sprint to the top of his drive until my phone bleeped and then sprint back to the kitchen table where the computer was, generally to be told it had expired. Thankfully the implementations seem to be more sane these days.
My questions do remain though that if you were given, say, a key for a filing cabinet full of patient records, would you a. regard it as such an imposition to be expected to keep it with you and take it home? And b. Also regard it as acceptable to just leave it on your desk when you went home?
We would never be allowed to take it home. Gross security breach.
some pages selling physical tokens were at least heavily implying they did the same as the likes of Google Authenticator app.
OK, I had another look, and this definitely says it does RFC 6238 TOTP codes, which I'm pretty sure is what the likes of GA does.
https://www.microcosm.co.uk/order/product.php?ProductID=387
So, if you're using a GA-like code generation app for MFA, you should just be able to give any employee who can't / won't use GA on their own device one of these at a lot less than a work-smartphone dedicated to the job. Yes, you need a means to get a common key between their login record and the device you give them, but it's still a lot less than giving them a smartphone, surely?
I realise that the if in that above is doing some heavy lifting, but it must be one of the most commonly used MFA methods, and surely it should be a consideration when choosing an MFA method.
OK, I had another look, and this definitely says it does RFC 6238 TOTP codes, which I’m pretty sure is what the likes of GA does.
Regardless of what they do, they're not an approved method on the NHSMail tenant
(If you're reading up on what's approved and what isn't, the whole policy is publicly available (I think) at
)
Only very rarely will I encounter a system that has a stupid rule like “&” is not permitted in passwords or max 8 characters.
All 3 of mine had rules like that but all different.
If Outlook is locked behind the same MFA and password as your login, why?
Because passwords should not be stored anywhere in plain text. You have no idea how that data is stored behind the scenes. I'm not 100% sure for O365, however past versions had a local copy of the mailbox including notes that is insecure. Passwords should be hashed (one way operation) or encrypted using a suitable strong encryption method.
Only very rarely will I encounter a system that has a stupid rule like “&” is not permitted in passwords or max 8 characters.
Or no ; " ' etc which IIRC harks back to SQL injection attacks! Absolutely no reason not to allow any of these values in passwords as the actual character never* makes it to any form of persisted storage.
* shouldn't
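To put the last few posts together in working code, here is an added example (not any NHS system's code, and not from anyone in this thread) of how a password-change endpoint can enforce the rules being discussed without the database ever holding plaintext. The history check compares the candidate against stored salted hashes only. The similarity check needs both plaintexts, which it has only at change time, because the user types the old password alongside the new one; it cannot run against passwords from further back. The password itself reaches the store only as a hash, through a parameterised query, so characters like `;`, `'`, `"` and `&` never meet the SQL layer as text. The history depth, similarity threshold and PBKDF2 iteration count are assumed demo values, not NHS policy.

```python
"""Server-side password-change checks (added example for this thread; not any
NHS system's code). Shows the two checks a poster distinguished: a history
check that needs only stored hashes, and a similarity check that needs both
plaintexts, so it can only run at change time when the user types old and new.
Only a salted hash reaches the database, via a parameterised query, so
characters like ; ' " & in a password never meet the SQL layer as text.
Policy numbers below are assumed, not NHS values.
"""
import difflib
import hashlib
import hmac
import os
import sqlite3

HISTORY_DEPTH = 5             # assumed: last five passwords may not be reused
MAX_SIMILARITY = 0.8          # assumed: difflib ratio above this is "too close"
PBKDF2_ITERATIONS = 100_000   # kept modest for a demo; scrypt/argon2id preferred


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The raw characters exist only as this function's input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def open_store() -> sqlite3.Connection:
    """In-memory table of (user, salt, hash); the newest row is the current password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE creds (id INTEGER PRIMARY KEY AUTOINCREMENT,"
               " user TEXT NOT NULL, salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return db


def set_password(db: sqlite3.Connection, user: str, password: str) -> None:
    salt = os.urandom(16)
    # Parameterised: the password never appears in SQL text, and only its hash is stored.
    db.execute("INSERT INTO creds (user, salt, hash) VALUES (?, ?, ?)",
               (user, salt, hash_password(password, salt)))


def recent_hashes(db: sqlite3.Connection, user: str, depth: int) -> list:
    return db.execute("SELECT salt, hash FROM creds WHERE user = ? ORDER BY id DESC LIMIT ?",
                      (user, depth)).fetchall()


def verify(db: sqlite3.Connection, user: str, password: str) -> bool:
    rows = recent_hashes(db, user, 1)
    if not rows:
        return False
    salt, stored = rows[0]
    return hmac.compare_digest(hash_password(password, salt), stored)


def reused(db: sqlite3.Connection, user: str, candidate: str) -> bool:
    """History check: rehash the candidate under each stored salt. Needs no plaintext history."""
    return any(hmac.compare_digest(hash_password(candidate, salt), stored)
               for salt, stored in recent_hashes(db, user, HISTORY_DEPTH))


def too_similar(old_plain: str, new_plain: str) -> bool:
    """Similarity check: only possible while both plaintexts are in hand, i.e. during the change.
    Case-insensitive so Pa$$w0rd1 -> PA$$W0RD2 does not slip through."""
    ratio = difflib.SequenceMatcher(None, old_plain.lower(), new_plain.lower()).ratio()
    return ratio > MAX_SIMILARITY


def change_password(db: sqlite3.Connection, user: str, old_plain: str, new_plain: str) -> str:
    """Returns a short reason string; 'ok' means the new password was stored."""
    if not verify(db, user, old_plain):
        return "wrong old password"
    if too_similar(old_plain, new_plain):
        return "too similar to old password"
    if reused(db, user, new_plain):
        return "reused recent password"
    set_password(db, user, new_plain)
    return "ok"


if __name__ == "__main__":
    store = open_store()
    set_password(store, "alice", "Pa$$w0rd1")
    print(change_password(store, "alice", "Pa$$w0rd1", "Pa$$w0rd2"))
    print(change_password(store, "alice", "Pa$$w0rd1", "10GBHoaW&i1SAF!"))
```

The difflib ratio is a blunt instrument (it is what makes Pa$$w0rd1 to Pa$$w0rd2 fail while an unrelated passphrase passes), and a real deployment would pair it with a breached-password list rather than composition rules; the structural point is that similarity can only ever be judged between the two plaintexts present at the moment of change, while reuse is judged against hashes.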
Regardless of what they do, they’re not an approved method on the NHSMail tenant
(If you’re reading up on what’s approved and what isn’t, the whole policy is publicly available (I think) at
Fair enough. The fact that document says that the MS Authenticator doesn't need an internet connection suggests to me it's very similar in nature if not the same as the Google authenticator (which I can find confirmation of the actual process it uses). My point still stands whether the restriction is technical or policy based that a minority of employees can't / won't install something on their own phone, which should have been foreseen. In an organisation the size of the NHS it strikes me as poor policy if the fallback position is to buy a £400 smartphone when a £10-£15 keyring would do the same job.
In an organisation the size of the NHS ...
This is probably part of the issue! "The NHS" is not one single cohesive organisation, no matter what people think: It's lots of small ones that fight with each other all the time. There are very few 'whole NHS' policies - this MFA policy is being chucked in place by NHSMail themselves, but it's up to each individual organisation as to how they sort themselves out. My particular office (450 staff), no-one has ever objected to having the Authenticator app on their mobile, but our view is that it's up to them and their Line Manager to decide whether they request a works mobile, and up to their individual team to fund that mobile if necessary. We have a budget cap of £150 per mobile, probably half the staff have works mobiles, but had them before MFA was enforced: No-one has ever had one issued solely for MFA. But I also support 4,000 staff over 90 GP Practices, we don't supply their mobiles at all, it's up to each Practice as an individual business as to how they do this for their staff. We're advising that if they want FIDO tokens, they will have to fund them for themselves (though probably bought through my team for the technical management and support).
And agree that your point stands, but it's also moot: If an RSA token won't work technically on a platform with 1.7 million users, then there's no point saying "but it does the same job..." People's objections probably were foreseen, but on a platform of ~1.7 million users, that doesn't mean a security policy should be changed to account for a minority who also probably won't be happy whatever you do.
Policy as per that doc is that one mobile method has to be in place, then you can add Smartcard or FIDO token, it's up to the user and their individual organisation/line manager as to how they have that mobile method.
I think one of the issues with NHS IT is the gulf between the users and the IT professionals. What seems straightforward logical and normal to the IT folk is confusing to many of the users. There literally were some staff on my team who had never used a computer or smartphone