@tjagain is spot on. What might be logical and easy for someone with IT experience is much less so for, say, a Practice Nurse who's nearing retirement and has only just got to grips with following templates to input patient data (one of my staff). Start those guys off with needing MFA and you're onto a loser. But again, this isn't an individual's issue to solve, and again @tjagain is right here, just because an organisation has deemed MFA as the way forward does not automatically mean that individual workers can comply with it. If they can't, for whatever reason, then the organisation needs to come up with an alternative that the employee can use to do their job, not the other way around.
I think one of the issues with NHS IT is the gulf between the users and the IT professionals. What seems straightforward, logical and normal to the IT folk is confusing to many of the users. There literally were some staff on my team who had never used a computer or smartphone.
(Slightly playing Devil's Advocate and possibly being a little antagonistic with you here, TJ, but meant a little tongue-in-cheek...)
You know that comment you (I think) made about "being given the tools you need to perform the job" ? These systems are tools you need to perform the job these days. It's not that they're all straightforward and logical to 'us IT folks' - the various Clinical Record Systems confuse the hell out of me - but these aren't things that you can avoid any more. It's part of each individual's job to be able to use the necessary systems and tools for that job, whether that tool is a hospital bed with 100 different position buttons, or a PAS/Prescribing/Clinical system unit on a PC.
I have regular arguments with the older nurses in our Continuing Healthcare team, and while I sympathise that they didn't grow up using computers like I did, and it's not the whole of their job, there's no excuse for not keeping up with the use of an essential tool for your job. I can provide as many training materials as you like, but if the end user shrugs their shoulders and goes "I don't really do computers..." with a smug grin on their face, there's nothing I can do to help them.
Because passwords should not be stored anywhere in plain text. You have no idea how that data is stored behind the scenes. I'm not 100% sure for O365, however past versions had a local copy of the mailbox including notes that is insecure. Passwords should be hashed (one way operation) or encrypted using a suitable strong encryption method.
I get that but without a decent manager it's the only real solution I have. Why Windows doesn't have Authenticator built in (or at least the password manager function) I have no idea, Apple have had it for years.
The only viable alternative NHSMail accept is FIDO2 (plug-in USB type tokens), but there are issues with those – mainly another security policy of USB ports being locked down etc.
What about whitelisting certain device types?
Windows does send authentication requests, and Edge does have a password manager built in
At the risk of antagonising loads of people but really not intended to. @pyro is correct. Simply saying “I’m not IT literate” is not an excuse for not being able to use a computer these days, as they are an essential part of modern workplaces.
Pyro
It wasn't me that made that comment I don't think
The issue is not so much the "refuseniks" like you describe - it's the gulf in comprehension. IT folk simply cannot understand that what seems logical, normal and straightforward to them is not to users. The users cannot understand why it has to be done in this awkward manner. The two sides lack enough common ground to even understand each other.
the various Clinical Record Systems confuse the hell out of me
Yup - works both ways. Some of the stuff I used this was so obvious that the Medical staff advising the IT staff had not managed to make it clear what the need was. Like they were talking two different languages.
Windows does send authentication requests, and Edge does have a password manager built in
I never said either of those things weren't the case but they're also nothing to do with what I said.
Besides which, browser password managers aren't much more secure than Outlook notes if the machine itself is compromised.
Even a lot of IT folk struggle.
It's mostly accepted now, but we had the MFA arguments and refusals several years ago. Me too, but in my defence, SMS was the only option then, and that involved a 500m walk for me.
Even now, we're having to argue why people should be using hardware keys for their MFA, and struggling to get buy in and adoption.
So yeah, I have some sympathy for non IT professionals.
The machine potentially needs MFA to access, the contents of the file are on a BitLocker encrypted drive.
The Edge account can't be accessed elsewhere without MFA also, potentially.
I guess you could argue the same with having it in Outlook somewhere.
We do distribute a password manager here as it satisfies our compliance, rather than the Edge stored stuff.
And what TJ said
As an IT admin it is frustrating. I see it as helping the staff and business and it's no big ask, yet sometimes the attitude is, "well I need a work device then". And in my work, people who receive a work phone can use it as a perk (I haven't had a personal phone in forever) and that may also be seen as a benefit when it's salary review time.
IT folk simply cannot understand that what seems logical normal and straightforward to them is not to users. The users cannot understand why it has to be done in this awkward manner. The two sides lack enough common ground to even understand each other
I sort-of agree with you, TJ. A good percentage of my job is trying to translate the technical side into plain English for our non-IT Senior Management Team, and I understand why others don't have the same IT skillset I do, same as I don't have the nursing skillset that the people I argue with do. I sometimes wonder if it's because non-IT users think we're doing this stuff just to antagonise them*.
And not everything we do in IT is logical and straightforward. Some things are as convoluted as hell, but it's even harder to explain to a non-IT user that sometimes the reason we do it this way is because that's the way we have to do it. There's no point me getting into the technical logic because they wouldn't understand and don't really need to, but it's the same as a parent saying "because I said so" to a teenager - some might be accepting, some will be belligerent. Applying your "the users cannot understand why it has to be done in this awkward manner" to this particular MFA issue, the problem is that 'it has to be done this way because NHSMail have said it has to'. There's little point a user arguing with me that they don't like it/can't understand it/don't want to do it, I'm just applying a policy that's been passed down from above.
*We're not, just for the avoidance of doubt.
well i need a work device then
Hand over a FIDO key and get going (price about £25 a user for large purchasers like the NHS).
As an aside my personal phone is mine and will not be used for work regularly (to help me out very occasionally yes). Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?
@tjagain, is spot on. What might be logical and easy for some-one with IT experience is much less so for say; a Practice Nurse who’s nearing retirement and has only just got to grips with following templates to input patient data (one of my staff). Start those guys off with needing MFA and you’re onto a loser.
MFA does not need to be complicated. If it's complicated enough to be a problem for someone who has managed to learn to stick needles in someone then it's being taught/demo'd/rolled out wrong. A more extreme view would be that anyone who is so technophobic that they cannot use the systems and tools provided, with the training a typical user needs - then maybe they no longer have the competence needed for 21st century nursing.
But again, this isn’t an individual’s issue to solve, and again @tjagain is right here, just because an organisation has deemed MFA as the way forward does not automatically mean that individual workers can comply with it. If they can’t, for whatever reason, then the organisation needs to come up with an alternative that the employee can use to do their job, not the other way around.
But I don't think anyone has described a situation where a typical worker cannot comply? There will be specific departments like a microbio lab where phones are never permitted where a solution will be required. 90% of people who find a reason why they are special will in fact be making an excuse because they don't want change.
So it turns out our IT Dept don't fully understand the MFA. I've had 3 versions of the truth today.
I've now scrapped the MFA app and will just receive text messages for the authentication.
How do they know my phone password is robust enough to stop spies accessing it? I always set my phone password to 0000 which I am sure someone could work out.
@FunkyDunc - they don't need to know that your passcode is strong enough. There being a passcode on the phone means that it's encrypted at rest properly, so if your phone's nicked someone can't just pull any data off it without unlocking it. That you choose a poor passcode is your own lookout!
@Sandwich - re: "Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?" - that's a false equivalence. There is no cost to me for having MFA on my personal mobile - having the app costs me nothing, downloading it over works guest WiFi costs me nothing, receiving a code via the app costs me nothing, receiving a code by SMS costs me nothing. I don't have to have specific business mobile insurance, there is no wear and tear on my mobile from work usage, I can charge it at my desk so there's no fuel cost. What is there to recompense?
I don't have my works email on my mobile, I don't use it for works messaging or calls (we have Webex and Teams for those), but I have no problem with having my MFA on my personal mobile.
But I don’t think anyone has described a situation where a typical worker cannot comply?
I think @FunkyDunc has said that he cannot have his phone (with the MFA) near his work-station that has access to his email. But I see it from both the sides that @Pyro and @tjagain are saying. I've just been through some training on booking remote blood tests, just finding and choosing drop-downs can cause confusion for folks that aren't tech savvy or are genuinely scared that they'll do something that will cause it to break, or lose info. It's very much akin to a phobia for some folks.
Pyro - as regards the usage of a personal phone for this - IMO it's blurring the line between work and home and making it so that you need your personal phone to work. It's an ethical / boundary issue for me whilst it's a practical issue for you. Just a different way of looking at things.
I always kept a total wall between work and personal - never mixing the two at all
I always kept a total wall between work and personal – never mixing the two at all
That's absolutely fair, and it's practically no different from someone saying "I don't have a smart phone". If the problem was that, IT folks would find a solution, so it should be the same for folks who don't want to use their personal kit for work.
I always kept a total wall between work and personal – never mixing the two at all
And this is where this thread started for me.
I've had pressure before to join WhatsApp groups for work and refused.
It will however be interesting in some areas where we have no mobile phone reception and I need to log on to the NHS network.
I think @FunkyDunc has said that he cannot have his phone (with the MFA) near his work-station that has access to his email.
No I can, it's just the principle of having to use my own personal device to do a work task. As I said originally, it will be an interesting test to do a tax return and put my mobile phone cost down as a business expense.
I would imagine, given the choice:
a) Here's this gizmo, you must remember to bring it with you every day you work; if you lose it or leave it at home you cannot work without an awkward convo with an IT department. Also, when you aren't working you must leave this device somewhere safe where you don't lose it or forget it the next time you work. Granted it could be on your keyring, but then aren't work imposing by not providing you a separate keyring?
b) Use the thing that's in your pocket every day and you will not lose it because it's yours, it's your pride and joy, a lifeline, and more important to you than something your work gave you which is an inconvenience to take everywhere in case you need it.
There being a passcode on the phone means that it's encrypted at rest properly, so if your phone's nicked someone can't just pull any data off it without unlocking it.
Not if you're using SMS for MFA - if I have your phone all I need to do is pop the SIM card out and into a cheap feature phone. I can then read any SMS intended for you. If I'm good at blagging (and lucky), I just ring O2, tell them I'm you and I want a PUC code, shortly afterwards SMSs sent to your number come through to the PAYG phone sat on my desk I bought from the corner shop with broken CCTV this morning.
Some of the many reasons that SMS isn't a good form of MFA.
This is true, but actually gaining access to your phone in itself is one form of authentication if you like.
In reality the culprit needs to know your password and steal your phone, only likely to happen in a breaking and entering situation or a colleague up to no good. Although most (men at least) people don't tend to go away from their desk without their phone, at least most of the time.
Without MFA all a bad guy needs is your password, anywhere any when...
As an aside my personal phone is mine and will not be used for work regularly (to help me out very occasionally yes). Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?
Have you ever had work provide you with a car or bike, somewhere to store it and full costs of ownership?
If you have where do you work?
Pyro – as regards the usage of a personal phone for this – IMO it's blurring the line between work and home and making it so that you need your personal phone to work. It's an ethical / boundary issue for me whilst it's a practical issue for you. Just a different way of looking at things.
I always kept a total wall between work and personal – never mixing the two at all
Likewise, if you couldn't walk to work did you demand that they provided you with transport? I mean, you wouldn't want to use your own bike for commuting on would you?
it's practically no different from someone saying "I don't have a smart phone". If the problem was that, IT folks would find a solution,
They did. SMS doesn't require a Smart phone... 😉
Have you ever had work provide you with a car or bike, somewhere to store it and full costs of ownership?
Yes - most NHS community nurses are provided a car at zero cost to them. I had one for the few months I did this. You cannot use it for personal use obviously. I cycled to work, picked up the car and worked all day, dropped the car off at the end of my shift
Responding to both TJ and FunkyDunc
And this [separation of work and life] is where this thread started for me.
I've had pressure before to join WhatsApp groups for work and refused.
I'm with you on that. I wouldn't join a work WhatsApp. I'm not friendly enough with or interested enough in my colleagues for that to be somewhere I'd go! And I completely understand wanting a hard division, but - maybe because I have a different understanding of the technical side - I don't see having my MFA on my personal mobile as breaching that division.
It's more convenient for me to have a single device, rather than have to carry a second one around because it's not appropriate to leave a works phone on my desk. No-one can contact me through my personal mobile, I've not given the number out to anyone, I've not breached or compromised my own privacy by having my MFA there. I use Outlook on my works laptop, or have Smartcard access to NHSMail if I need it, so the times I have to use MFA are very minimal. On the basis of that, I'd feel like a right bellend if I forced the organisation to buy me a works mobile just because I objected to using my personal one to receive an SMS once in a blue moon.
And assuming I stay in the NHS, if I move organisations my NHSMail account comes with me, so I don't have the hassle of getting a new works number, having to move my MFA to a new phone etc.
I guess I understand the ethical division, I just don't necessarily agree with the application of it completely. There's multiple ways to skin a cat, and I feel like I'm going for the one that involves the least amount of me getting scratched, while I and other IT colleagues also work on an appropriate sedative for the b'stard thing...
Likewise, if you couldn’t walk to work did you demand that they provided you with transport? I mean, you wouldn’t want to use your own bike for commuting on would you?
Commuting is not work in works time nor their responsibility. Not an analogous position at all.
Commuting is not work in works time nor their responsibility. Not an analogous position at all.
No, because in this case you're using your own phone at absolutely no detriment to yourself.
I get arguments about work/life balance and a right to disconnect, I'll support any and every initiative that supports that. Installing an authenticator app is not that. Your argument is more analogous to being issued a site pass that you're expected to keep safe and then demanding the company provides a safe to keep it in outside of your house.
Would those advocating personal phone use for work also allow their bikes or cars to be used un-recompensed?” – that’s a false equivalence.
It really isn't, smartphone batteries have a finite life and virtually no resale value, they cost money to run. It may not be much weekly compared to the depreciation on a reasonably good car but it's a cost. I work to live not the other way round.
Like many on this thread, I just don't really understand the belligerence to using your phone for MFA - if it's appropriate. If you are working in spaces where you can't take your phone or it's not accessible, then the MFA programme should have done their job properly to provide an alternative such as a YubiKey (other security devices are available) or something like an infiniband if the workplace doesn't like things that look like USB drives. People that cite "not wanting work to have access to my data" are just being ignorant and are using it to try and justify not installing an app. As toby mentioned - you should not be using SMS at all. Sure, it's slightly better than not having any MFA at all, but barely. I believe there are at least a couple of Govt departments that have banned SMS following one or more incidents with SMS last year. It's fundamentally about increasing security and making it harder for your account to be hacked. I wonder, of the people against it, how they would feel if their company got compromised via their account because they refused to accept MFA? I know that their account compromise wouldn't be the sole reason the company got compromised / hacked / ransomwared and that IT would have a lot of questions to answer, but by refusing MFA you are creating an opportunity that can be removed.
bikingcatastrophe - for me it's two issues - the hard cutoff between work and home, and that work should provide what you need to work.
Work is work, personal is personal and never mix the two
How do they know my phone password is robust enough to stop spies accessing it? I always set my phone password to 0000 which I am sure someone could work out.
The point of 2FA/MFA is not to make it impossible for someone to find a way into a system - just to make it much less likely. There are two types of common "misuse" that IT are trying to mitigate:
- someone you know, who you have told your password to or who knows you enough to guess your password, who then for malicious reasons accesses the system and is purporting to be you.
- someone you don't know who is probably on the other side of the world, who either brute force hacks your password (but they should be able to mitigate that), tricks you into revealing your password (e.g. a phishing attack), or has got hold of a password list from somewhere else with shonky security and you use the same password "everywhere".
The latter one is much more common and much higher risk. Phishing attacks are becoming ever harder to spot (to the extent I've reported a few false positives from companies that should know better!).
The idea of MFA is that to prove your identity you provide (1) something you know (your password) and (2) something you own (the code from the authenticator).
It can virtually eliminate the risk from the second type of attack. The former relies a bit more on you (a) not telling people your password; (b) not leaving your phone lying around unlocked/near people who know its code/can guess its code. If that happens the impact is likely much less, and as it will appear YOU are responsible it will be more painful for you than them!
The problem with tokens (I know this from experience) is that they are a pain in the arse to manage. Yes they are cheap but are surprisingly hard to get hold of in large numbers, people lose them all the time and the only people that can add and administer them in Active Directory are the highest level admins. We only have two of those in an organisation of 5000 and they are the ones with complete god power, so they are busy enough doing other things than administering tokens.
When it comes to MFA via SMS and telephone call, many suppliers are not deeming this secure enough. Salesforce for instance only allows a token or an authenticator app.
Dishing out smartphones isn't just about the cost, it is also about keeping them updated with the latest OS, and having to carry around two phones (one just for the authenticator) is a pain in the arse.
The easiest thing is to use the biometrics on a laptop like the fingerprint sensor or Windows Hello, but that potentially means a roll out of new laptops.
If you have a personal phone then I see no reason why you shouldn't be forced to use it. I don't charge my employer for the chair or desk I use when working from home or the pens and notebooks I use. Life is too short and work is a two way thing, it's not just about taking from your employer.
smartphone batteries have a finite life and virtually no resale value, they cost money to run. It may not be much weekly compared to the depreciation on a reasonably good car but it’s a cost. I work to live not the other way round.
Jesus wept, did you turn up naked for your first day so you didn't wear out any of your clothes?
You do realise you've just outed yourself as THAT PERSON? The one that bitches and whines because their duties change slightly and they WILL NOT do whatever it is they've been asked to do without extra pay as it's not their job. Not that they ever find time to do that either but, you know, it's the principle of it.
I work out of a secure room with no smart phones allowed, but there is a separate workstation that I have limited email and Teams access on, only both of those need MFA.
No need, contact IT support, tell them the issue, and either get them to remove the need for MFA on that station (because you can't), or organise it so that you can use your smart card (if you have one) or get them to install Outlook on it and get NHS mail that way. Problem solved (or made someone else's).
There will be specific departments like a microbio lab where phones are never permitted where a solution will be required
Yep. I've already posted this but that's me and my department. The solution is to forgo the health and safety rule and allow people to bring their phone in to comply with the requirement for MFA.
No need, contact IT support, tell them the issue, and either get them to remove the need for MFA on that station (because you can’t)
You can't remove MFA on a specific device, doesn't work like that. Could temporarily disable on the user account, but that's not helping.
Best option, assuming that machine had a smartcard reader, is to use a PC elsewhere in the trust to get Smartcard auth set up and use that. But yeah, your Trust IT should be advising on this if you explain the situation.
I disagree Pyro, you certainly can reduce or completely remove the need for MFA on a specific device or named network etc.
Well.. at least the rules in the conditional access policies surrounding MFA suggest it to be possible.
I'm coming from an Entra/Intune perspective at least, where you are coming from may be different
Fair point, you probably can - you could create a security group for that single device - but that's using a sledgehammer to crack a nut. I don't know many Trusts that would do that, it's a lot of work to single out one device when it would probably be more sensible to do it for a whole internal network.
We're trying to get our whole HSCN IP range configured as the boundary, so it would encompass all our Practices, our ICB office, and our VPN subnets, but it's convoluted. Doing similar at their Trust would cover that lab without having to essentially create a single device exception. And again, if Smartcards are in use or they have a FIDO token, there's no need for it anyway.
Many sledgehammer, many nut, many cats to be skinned many ways!
Never thought I would say this but I am starting to feel a lot of sympathy for all of the IT people out there.
Also work in the NHS and at times it feels like there is flexibility being demanded from staff but nothing going back the other way. Can I assume all of the people that have firm boundaries either lock their phone away during working hours or switch them off and only check at breaks?
On another note, since there are some people who seem to know what they are talking about. Our trust has just started a BYOD policy. I have access to a NHS laptop and work offsite regularly but the trust laptop is really not great. I have my own MacBook and access to a VDI. Are there any strong reasons not to use my own laptop for email/teams etc and do patient work on the VDI?
Can I assume all of the people that have firm boundaries either lock their phone away during working hours or switch them off and only check at breaks?
Yup - me when I worked and most of the staff. disciplinary offense to use your phone on work time. People have been disciplined for using their phone when at work
Are there any strong reasons not to use my own laptop for email/teams etc and do patient work on the VDI?
Yes. Patient confidentiality. You may know your laptop is secure but does your employer? Can you prove it? At my workplace doing that without express permission would be a serious disciplinary and I doubt permission would be given
@TJ again, when you say when you worked, can I ask how long ago you stopped?
I don't think you understand my question. BYOD is the trust giving express permission for people to use their own device and access the secure network. They know things are secure because of... MFA. Outlook, Teams, OneNote etc. are all secured, and using VDI to access patient records nothing is coming onto my device.
retired 3 years ago
Sorry - I didn't get all the acronyms. With permission it's fine (though no way would I do so).
Our trust has just started a BYOD policy. I have access to a NHS laptop and work offsite regularly but the trust laptop is really not great. I have my own MacBook and access to a VDI. Are there any strong reasons not to use my own laptop for email/teams etc and do patient work on the VDI?
I'm not an expert on VDI but there's two big NHS organisations near me that work completely that way. As far as I know, if you're working on VDI and all patient or commercial confidential data stays within the virtual machine, then no real reason not to use it. If needs be the VM software could be set up to do a posture check on your device, and limitations can be set on what you can export from the VDI environment, then it's as secure as an enterprise managed desktop. If your Trust is offering BYOD they should have covered off the technical, IG and clinical safety repercussions of that. If you're happy to allow any monitoring they might want on the device, go for it.
I’ve had pressure before to join whats app groups for work and refused.
It will however be interesting in some areas where we have no mobile phone reception and I need to log on to the NHS network.
WhatsApp requires a phone number for setup. It does not require mobile phone reception.
People that cite “not wanting work to have access to my data” is just ignorance and are using to try and justify them not installing an app.
Anyone with half a clue should already have an authenticator app or three installed. Using it for work is just one more account on the list of a dozen. I get wanting separation of work and personal and I'm 100% an advocate of that, I've pushed hard over the years for "give me the tools to fulfil your requirements," but adding a 17th account to Google Authenticator is neither here nor there.
When working on mail, Teams, OneNote etc. everything is inside O365, so I understand that can be viewed by anyone within the trust as it's all hosted centrally, but can anything else be seen? I am a very boring person so nothing dodgy going on, but if I get approached about a new job and I am looking at that in my browser, I think that is separate but am I right? Even worse, can anyone see I spent a whole day arguing with strangers on a MTB website!
I am not paranoid about privacy but a better understanding of what's private and what's not would be good.
VDI permissions are all set so I can't copy and paste etc
We’re trying to get our whole HSCN IP range configured as the boundary, so it would encompass all our Practices, our ICB office, and our VPN subnets, but it’s convoluted. Doing similar at their Trust would cover that lab without having to essentially create a single device exception. And again, if Smartcards are in use or they have a FIDO token, there’s no need for it anyway.
That's not really the ideal way to do it - certainly if you are using Entra / the MS ecosystem. It's a bit like a modern interpretation of the old "castle wall perimeter - network is the security boundary" way of working. The ideal would be using things like risk based authentication decisions by having access to machine health and compliance as part of the conditional access rules. As we all keep agreeing too, there are other options besides Authenticator. A security token is more secure, or you could use Certificate Based Auth (not so easy or flexible to roll out).
It's also not a good idea to be excluding specific machines from MFA. It's a bit like building a castle with 10 foot thick walls but only building those walls on 3 sides of the castle.
It's a big, bad, scary world out there in terms of cyber warfare and threat and it would be handy if those who are not into IT at least recognised that many IT departments are under significant demands to bring security to the company and the decisions are mostly made with the intent to strengthen and protect the company rather than to upset the non-IT literate.
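To make the difference between the three approaches debated above concrete (an IP boundary for the HSCN/VPN range, a single-device exception for the lab workstation, and a risk/compliance based rule), here is an added toy evaluator. It is constructed for this thread, not Entra ID's engine or any NHS configuration: the 10.0.0.0/8 range, the device name and the sign-in records are placeholders.

```python
"""Toy conditional-access evaluator (constructed example, not Entra ID's engine)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    source_ip: str
    device_id: str
    device_compliant: bool   # passed an MDM/Intune-style compliance check
    strong_auth_used: bool   # smartcard or FIDO2 already presented at sign-in
    risk: str                # sign-in risk from the identity provider: low/medium/high


# Constructed policy data. The range stands in for the HSCN/VPN boundary and
# the device name for the lab workstation; neither is a real NHS value.
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDED_DEVICES = {"lab-ws-01"}

ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"


def in_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def network_boundary_policy(s: SignIn) -> str:
    """MFA everywhere except inside the trusted IP range (the castle wall)."""
    if s.strong_auth_used or in_trusted_network(s.source_ip):
        return ALLOW
    return REQUIRE_MFA


def device_exclusion_policy(s: SignIn) -> str:
    """MFA for everyone except one named workstation, wherever it is."""
    if s.strong_auth_used or s.device_id in EXCLUDED_DEVICES:
        return ALLOW
    return REQUIRE_MFA


def risk_based_policy(s: SignIn) -> str:
    """Decide from device health and sign-in risk, not from source address."""
    if s.risk == "high":
        return BLOCK
    if s.strong_auth_used:
        return ALLOW                      # phishing-resistant factor already used
    if s.device_compliant and s.risk == "low":
        return ALLOW
    return REQUIRE_MFA


def evaluate_all(s: SignIn) -> dict:
    return {
        "boundary": network_boundary_policy(s),
        "device": device_exclusion_policy(s),
        "risk": risk_based_policy(s),
    }


# Constructed sign-in records.
LAB_WORKSTATION = SignIn("nurse1", "10.20.30.40", "lab-ws-01", True, False, "low")
# Same credentials from an unmanaged laptop plugged into the trusted network:
UNMANAGED_ON_TRUSTED_NET = SignIn("nurse1", "10.20.30.41", "unknown", False, False, "low")
# The excluded workstation identity seen from a public address:
EXCLUDED_DEVICE_OFFSITE = SignIn("nurse1", "198.51.100.7", "lab-ws-01", True, False, "low")
# Offsite, unmanaged, flagged high risk by the identity provider:
HIGH_RISK_OFFSITE = SignIn("nurse1", "203.0.113.9", "unknown", False, False, "high")
# Offsite but signed in with a smartcard:
SMARTCARD_OFFSITE = SignIn("nurse1", "203.0.113.9", "home-pc", False, True, "low")

if __name__ == "__main__":
    for name, s in [("lab workstation", LAB_WORKSTATION),
                    ("unmanaged on trusted net", UNMANAGED_ON_TRUSTED_NET),
                    ("excluded device offsite", EXCLUDED_DEVICE_OFFSITE),
                    ("high risk offsite", HIGH_RISK_OFFSITE),
                    ("smartcard offsite", SMARTCARD_OFFSITE)]:
        print(f"{name:26} {evaluate_all(s)}")
```

The boundary rule waves through the unmanaged laptop simply because of where it is plugged in, which is the gap the "castle wall" comparison points at.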
Anyone with half a clue should already have an authenticator app or three installed.
What am I missing here? Why would I need an authenticator app on my phone? What for?
Edit - I don't even have my phone locked
What am I missing here? Why would I need an authenticator app on my phone? What for?
Edit – I don’t even have my phone locked
I think it’s a bit of an overstatement to say anyone with a clue - I have 12 different services using it for authentication, but if you don’t have to deal with HMRC, various financial services etc then it would probably just be for 2FA on email. That is however potentially the most important one: once someone has access to your email they can reset passwords on most things that don’t need 2FA and then you are in a proper mess! Of course you can use SMS etc as 2FA so perhaps you have done that. It’s marginally less secure and requires a phone signal.
I don’t criticise people for not having a password on their phone - but if you lose it, does that mean whoever finds it can get access to lots of stuff you wouldn’t want them to? There seems a disconnect between someone who wouldn’t fill in personal details on an NHS electronic patient system and someone who has no security on their phone - unless of course you don’t have any apps like email, social media etc on your phone.
Ta
Nothing critical can be accessed on my phone. Email requires a password. Banking app a password and a security question
There seems a disconnect between someone who wouldn’t fill in personal detail on an NHS electronic patient system
Different issue - it was not an NHS system - it was a private company wanting all sorts of personal info to access NHS emails with no restrictions on how they can use it - including NI number, FFS
Maybe I should lock it.
Ta again
As far as Egress goes, yes, it's a PITA and completely pointless in some scenarios where you get sent a link to your email telling you how to access the secure message, where the only signup condition is needing the email address! Muppets. Though it does at least give some security to the message content (e.g. no one has intercepted and altered the bank details being shared with you as part of a financial transaction).
In your case I suspect that Egress might already have those details that you don't want to share with them (provided by whoever set you up on Egress) and that they were requested to validate that you are you. I also suspect (though don't know for sure) that those details shouldn't be usable by the company for anything other than validating your identity (yeah I know 'shouldn't').
most NHS community nurses are provided a car at zero cost to them
Not in my experience, they usually use their own car (either theirs, or a leased car via salary sacrifice that's 'theirs' in the same way a personal lease car would be, i.e. it lives on their drive, they drive it to and from work, use it at the weekends etc) and reclaim expenses for miles driven.
unless of course you don’t have any apps like email, social media etc on your phone.
Even then, for a scammer it would be quite handy to have unrestricted access to a phone full of numbers of friends and family. "Hi aunty Sue, I can't speak as my battery is nearly dead but I need £500 for X, here are my bank details. Sorry to ask but it's an emergency..."
The Egress stuff was as a member of the public, well after I retired, so no way should they have had any of those details. All the information required was to set up an account.
I will secure my phone though - it's educational to a luddite like me, this stuff - ta
Why would you have an authenticator app on your phone?
Well, for any account that supports it.
Without opening my app I know I have a couple or 3 work accounts in there.
I have my Google account, which in itself is pretty much the key to the kingdom.
Steam, Epic Games.
Basically, if the option for 2FA through an app is there, I take it.
Also, on critical accounts, there are backup methods of entry set, because if I lost these accounts I would be pretty upset.
I am permanently logged out of google on everything. I still do not understand this at all.
Anyway, I have locked my phone now, so to get into my banking for example they would need lock screen PIN, banking app password, banking app security question. What does the authenticator app add? My phone does not remember passwords.
I'm not just being argumentative here - genuinely trying to understand
Not specifically on your phone.
Say someone finds your Google account email address, and brute forces it. Without MFA they will eventually get in, change your password, and the Google account is theirs.
They then have access to your email, which could be the email address you've used for other sensitive accounts, which they can then password reset and pick up your email.
Remember, the entry point to most accounts is not through your phone, it's via web logins.
With working MFA, any time a valid password is supplied, there is then a prompt on the app on your phone to approve in some way. So the phone needs to be in the hand of the culprit, they need to be able to unlock it and approve on the app.
SMS/call also does this, yes, but an MFA app is considered more secure again.
they then have access to your email, which could be the email address you’ve used for other sensitive accounts, which they can then password reset and pick up your email
How? It's not linked to my Google account in any way and I am logged out of Google on everything. Getting into my Google account gets them access to nothing.
Ok, I don't know your specifics, I assumed your Gmail account would be your main email.
Change Google/Gmail to whatever your main email account is; anyone gains access to that and you have potential problems.
Regardless, it doesn't matter if you are signed in or out of it.
That’s not really the ideal way to do it – certainly if you are using Entra / the MS ecosystem. It’s a bit like a modern interpretation of the old “castle wall perimeter – network is the security boundary” way of working. The ideal would be using things like risk-based authentication decisions by having access to machine health and compliance as part of the conditional access rules.
Not shooting the suggestion down but...
It's an issue of two overlapping systems. NHSMail isn't part of 'our' AD, it's parallel to it, and while it sits in an MS ecosystem it's not the same MS ecosystem as our user devices. NHSMail's security groups aren't the same as our own AD security groups, and there's no connector (Tansync or similar) between the two - because of that, NHSMail can't easily posture check our devices for that to be added to the conditional access.
Couple that with the fact that each GP Practice is its own domain (so 91 domains total) to try and connect and it gets... complicated. We've got a big project in play to try and bring everything together a bit better, migrate into a single domain etc, but it's a 3-5 year project, and Sod's law says everything will have changed again by the time we get close to completion!
If someone has access to your main email account they can see updates from services you use and reset passwords for them by using the "forgot my password" link on the web sites for those services. Sensitive accounts dealing with finance should have more security than just that but there is lots of damage someone could do with access to things like Facebook, Twitter etc.
@tjagain forget about the phone and specific providers for a sec.
It's to stop brute forcing as said, so even if someone somehow guessed your password they can't get access unless they also have the authentication.
My authenticator covers:
Email accounts
Social media accounts
Work login
Paypal
Password manager
Now here's the point - most of those will let you carry on as normal without MFA enabled meaning you are as vulnerable as you can be. Once they have your email they essentially have the keys to the castle, they can try logins for any and every bank, reset details, bish bash bosh. Same for social media etc. Not your main email? You have a backup address logged right? You didn't use the same or similar password did you? Same goes for social media, I could lose my Insta with minimum fuss but if I had the same password as my email and they found that out...
And you needn't ever know anyone's accessed it until it's too late.
TJ: imagine having a key and a PIN pad on your front door. Someone might pick your pocket or see you drop your keys, but they still need the PIN to get into your house. Or they might sit on your front step and guess PIN codes until they get lucky, but they can't get in because they don't have the key. (And if you're being really targeted then they'll just make you open the door at knife/gun point!)
It's not perfect, but it doubles the obstacles in the way. If your password and username (for email, HMRC, PayPal, banking, STW, social media, anything!) is in a list that hackers get hold of then it's of no use to them if they can't log on without also generating a code on the authenticator app. And if the authenticator app is on your phone that is protected with a PIN/fingerprint/pattern then to get that code they need to have the phone in their hand and to know how to unlock it. (Or they need to trick you into giving them a code which is valid for <60 seconds).
The authenticator app doesn't protect your phone, it uses your phone to prove that the person attempting to log in to other accounts really is you.
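The mechanism described in the two posts above (the phone computes a short-lived code from a shared secret, the service checks it, and a leaked username and password are useless without it) is the TOTP scheme from RFC 6238 built on HOTP from RFC 4226. Below is an added example of it, written for this thread; it is not code from any poster or from the blog linked later. The base32 secret, the account record, the password and the timestamps are all constructed for illustration, the password hashing is deliberately simplified, and the `login` function stands in for a service's web login.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step; the code changes every 30 s
DIGITS = 6          # what most authenticator apps display

# Constructed demo secret in base32, the form an authenticator app imports from a QR code.
# A real service generates one at random per account; this value is for illustration only.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def demo_secret() -> bytes:
    """Decode the constructed base32 secret into the raw key shared by phone and service."""
    return base64.b32decode(DEMO_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch.
    This is what the app on the phone computes; it needs no signal, only a clock."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Server-side check: accept the current step and `skew` steps either side to
    tolerate clock drift, so a code lives for at most (2*skew+1)*STEP_SECONDS.
    Comparison is constant-time so a wrong guess leaks nothing about the right code."""
    if len(code) != DIGITS or not code.isascii():
        return False
    counter = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


# Constructed account record. The password is hashed with plain SHA-256 only to keep the
# example short; a real service would use a slow, salted hash such as Argon2 or bcrypt.
ACCOUNT = {
    "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
    "totp_secret": demo_secret(),
}


def login(password: str, code: str, now: int) -> str:
    """A web login as the service sees it: the password alone is not enough, a code
    computed from the secret held on the phone is also required."""
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(supplied, ACCOUNT["password_hash"]):
        return "denied: bad password"
    if not verify_totp(ACCOUNT["totp_secret"], code, now):
        return "denied: bad or expired code"
    return "ok"


if __name__ == "__main__":
    t = 1_700_000_010  # constructed timestamp, the start of a 30 s step
    code = totp(demo_secret(), t)
    print("leaked password, no code:", login("correct horse", "", t))
    print("password + fresh code:   ", login("correct horse", code, t))
    print("same code 59 s later:    ", login("correct horse", code, t + 59))
    print("same code 90 s later:    ", login("correct horse", code, t + 90))
```

The `skew` of one step either side is why a code is good for a little under 90 seconds here rather than exactly 30; tightening it to zero trades clock-drift tolerance for a shorter window in which a phished code can be replayed.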
If I get approached about a new job and I am looking at that in my browser, I think that is separate, but am I right? Even worse, can anyone see I spent a whole day arguing with strangers on a MTB website!
I am not paranoid about privacy but a better understanding of what’s private and what’s not would be good
This should be covered in your employment T&Cs, is there a Staff Handbook? The TL;DR is that your employer is allowed to monitor your activities but they are not allowed to do it by stealth. So if they're allowing personal browsing and also logging what you're looking at, they are legally obliged to inform you beforehand.
It’s also not a good idea to be excluding specific machines from MFA. It’s a bit like building a castle with 10 foot thick walls but only building those walls on 3 sides of the castle.
This is exactly what happened in the last breach I dealt with. A hacker compromised a user's corporate email and downloaded several thousand confidential documents from SharePoint. In investigation it came to light that MFA had been disabled for Linux clients.
i don’t criticise people for not having a password on their phone
I do.
Aside from anything else, if you lose it or have it stolen the thieves have a working phone without further effort. Why make it easy for them?
Modern phones have face recognition, fingerprint scanners, it's so convenient that there's little reason not to have a lock on your phone.
I’m not just being argumentative here – genuinely trying to understand
I blogged about this. I've been avoiding gratuitously pimping my wares but go read it, it'll save a lot of typing. (I'd recommend starting at the first entry in the little sequence, which was originally inspired by a post on STW, but it's not essential to this specific discussion.)
https://blueteamhackers.com/old-mcdonald-had-a-password-m-f-m-f-a/
It’s not perfect, but it doubles the obstacles in the way.
It considerably more than doubles it. There's an example on that link.
It considerably more than doubles it.
There was 1 obstacle, now there's 2! 😉
Well, yes... 😁
The thing is, not every form of authentication is equal. Say you had a security dongle instead of a password. The risk of cracking a password given sufficient opportunity is high (again, see the blog!) whereas cracking a hardware device requires the hardware✳, so your primary risks become loss or theft, not that your password is "password."✳✳ So in effect we're no longer backing up a password with something else; rather, we're backing up that something else with a password.
(✳ - for most practical purposes)
(✳✳ - yes, people still do this given the chance)
It’s to stop brute forcing as said, so even if someone somehow guessed your password they can’t get access unless they also have the authentication.
There are better ways to stop brute force attacks - like lockout after N failed attempts.
MFA is about stopping people who already have your password - either from using your password elsewhere that had been hacked or a phishing attack.
Anyway, I have locked my phone now, so to get into my banking for example they would need lock screen PIN, banking app password, banking app security question. What does the authenticator app add? My phone does not remember passwords.
tj - you probably don’t use your phone how most people do then. Apps have been designed to remove the friction as much as possible and normal users don’t log out every time and don’t remember passwords themselves (which may not in itself be as bad as someone using the same password everywhere). But the Authenticator is not to protect your phone or the apps on the phone directly. It’s to stop me logging into your account on a completely separate device. In essence, when the “system” sees a login from a device you/it has not explicitly trusted it says ok, you seem to have TJ’s password, but if you are really TJ you’ll have a magic six digit number. (Banks have used cards and card reader devices for ages to do this sort of thing). That could be a code they email you, text you or even phone you with, but that’s expensive, slightly slow, and has varying degrees of vulnerability. An authenticator app is a way of doing that which doesn’t need phone signal, is more secure and is pretty slick for the user. Some systems need it every time you login, but others will only need it for high risk things (like password changes) or if it seems to be a new device.

If you are not a fan of big tech companies - that may mean you are using a pretty crappy email provider. If they don’t offer some sort of two factor authentication then I would seriously consider if it’s time to move. If they don’t do 2FA they also probably aren’t running the sort of tools that spot brute force attacks and filter phishing links too. Because virtually everything uses your email as its id / method of sending password reset links, it’s the most valuable tool for a hacker. I don’t believe anyone who says they would never fall for a phishing attack.
There are better ways to stop brute force attacks – like lockout after N failed attempts.
MFA is about stopping people who already have your password – either from using your password elsewhere that had been hacked or a phishing attack.
Yeah, had a moment.
I like TJ; it's those folks that keep me in business.