I do not mind as much using my own mobile if it is a TOTP standard that I do not need to install spyware for. I have already TOTP apps that I can add QR and it's not costly or difficult.
Any kind of third party internet required app? Do I required Microsoft Authenticator or Duo - always on push access, internet required, logs my phone's IP and location? They must pay for the device and the plan. If you want me enter MDM, Outlook, ActiveSync? They must pay for the device and the plan.
No, I don't think it would be necessary.
2FA via TOTP does not require a phone.
2FA via SMS does not require a phone, one can utilize a VOIP service that provides SMS.
2FA via hardware token - yes it should be provided for if needed in course of employment.
Absolutely. I had the case, that a team member had a smartphone running on Graphene OS and was not able to run the required 2FA app Microsoft Authenticator. An employer must not dictate the type of phone that an employee owns privately and cannot even enforce the use of privately owned phones or other resources, if they are needed to fulfill the work contract. So I asked the company to provide a company phone to my team member, which they did, despite having a policy not to do so.
Please no. 0 chance I want my phone to be controlled by some enterprise device management crap.
Employers should provide a dedicated 2fa device (maybe a phone) if the employee wants but I can't think of the security case for employers to need to control / remote wipe the 2fa device since they could lock the account it is providing access to.
Either by accident, or just defaults getting increasingly more tight, Outlook won't connect to the account unless I allow it to be a device administrator.
On my personal phone, that's a hard no. So I'm using the PWA for the occasions I NEED to check email.
But a TOTP app of my choice, implementing a standard RFC protocol? I think that's okay, on the condition that it does not mean my phone is in scope for any regulations the company is mandated to adhere to.
It can be less intrusive, but it depends how the person in charge of mobility set things up and the MDM tool capabilities.
On Android you can define a device as corporate owned, which mean the employer have full control over the device, or it can be user owned and instead of taking control of the entire device, it makes a sandbox in which the corporate data resides, and the mobility admin can only touch what is inside that sandbox. If the phone is lost or the employee leave the business, you can remotely wipe the sandbox while leaving the user data untouched.
IMO this is a better approach, but it depends on how the system is set up.
Personally, that's still an unacceptable approach. There is no way I'm going to allow any employer to have any degree of access to my phone. If my employer needs me to use a phone for work purposes, my employer needs to provide a work phone to me.
And that's entirely your right not to use your personal device for work, and I agree with your position, while some others might be more lenient and will accept to have it on their personal device for the convenience of carrying and charging only one device.
It's nice having some flexibility for the different mindsets, but as long as the tools are provided by the employer when they're mandatory I don't see a problem.
My university tried to do this with all android devices connecting to their exchange too a few years back. Hard no from me. I’m not letting some random person in IT wipe my phone remotely because they mixed me up with someone, or because I’m getting fired/expelled.
If it's necessary for the employee to do the work, then yes. However, there are cheaper alternatives to phones, for example we provide hardware tokens (they cost around $30-40, such as https://www.yubico.com/products/security-key/ ) for those who don't have a corporate smartphone and are unwilling to use their personal devices for 2FA.
In the big picture, I think that an employer has the obligation to provide any equipment that is needed to do the job.
In the case of something like TOTP, though, I wouldn't insist that they provide a phone to use for it because it works without talking to any servers (unless I don't have a smartphone, of course).
My concern is to keep my employer's business and my personal business off of each other's systems. So if there's a requirement to use an app or to interact with company systems, then my employer needs to supply the equipment necessary to do that.
My company wants me it install Microsoft Authenticator but I find that unacceptable. That is my personal device and installation of any app is my choice and my choice only.
That being said, TOTP is practically standard and every phone have a method of generating their own TOTP so I don't mind adding employer's company to my BitWarden or Apple passwords. Same way I would not have problem to have SMS as a MFA.
I already have a TOTP app on my phone for all my other security (I have like 15 MFA codes), so adding an extra code isnt really a problem for me. P
lus I'd much rather have just an extra code than carry a 2nd phone.
Plus for me, a 2nd phone means on call.
Plus Im just happy to have a good paying job. Me complaining about wanting an extra device doesnt benefit anyone.
But thats just my situation.
I have dumb phone for that. If they pressure me to install something on it, I just bring them that phone (with my real sim), and ask them how we shall proceed.
> My company wants me it install Microsoft Authenticator but I find that unacceptable.
I had them give me a phone. It sits on my desk. 99% of 9he time, it's used only for Microsoft Authenticator. (That does not count the seemingly endless "Scam Likely" calls I simply ignore.)
I work in Finland and in all the jobs I've hard for Finnish companies they've either offered to pay for a new phone for me, or offered to pay my phone bill if I kept my personal phone.
Generally I don't actually do anything work-related on my phone, I just use Duo and Okta apps for logins, and have a 2FA application for some site-specific logins.
I had a thought recently along these lines. What if my phone breaks? I may not get a new one for a week or two. But work expects me to enter 2FA codes generated from my phone.
If I am required to use my personal phone for work related 2FA and SMS(lots of services require a mobile phone number just to create an account), then I will start using work resources for my own personal benefit. Those GPUs are idle too much anyhow....
You know they'll give a low-tier samsung with physical buttons that barely passes for a smartphone and you'll complain in less than a week that you can't install work apps on your personal phone.
I am speaking from experience. People complained they want the company to provide phones for the oncall rotation. In less than two rotations everyone was forwarding the oncall phone number to their personal one. Soon the phone was lost in a drawer and we integrated an oncall notifying app that everyone just installed on their phone.
The hassle of carrying an extra device, charging it, storing it and taking care of it is exactly that: a hassle.
I value the sanctity of my own hardware. Also, my personal phone is also an underpowered piece of shit, in part because I'm actually willing to endure quite a lot of annoyance to maintain a semblance of privacy on my hardware. It sounds like your coworkers aren't as ornery as myself. Lucky you, probably.
But, do note that we were talking about a phone for 2FA and you're talking about a phone for on-call. I'm too senior for on-call, but I need 2FA daily.
i might be mistaken but i think a lot of the compliance standards go along the lines of do not mix personal and business equipment; to me this includes Phones - and it really should include a separate vlan (at least) for distributed employees.
if you run network analysis you can at least see how much data flows between that device from the router level (and also keeps your personal stuff segregated from work stuff, regardless of any software on business machine). it also keeps your nice centrally managed work system from inadvertently accessing your own personal systems; i dont want my work apple/ms sending all the network-spam to my personal stuff and vice versa.
Also think of solar winds and such, if your work system is compromised by a supply chain attack (seeing they are higher targets), you also dont want your other devices at home to be on the radar to be compromised too
While you're hundred percent right, the problem here is detachment. For example, many companies' security and procurement teams operate at the top. Downstream teams around the globe have no clue what's coming, it's not in their budget to purchase and manage 2FA devices (this is more complicated than one might think) and I've never once seen the upstream teams own the whole process, despite the obvious connection.
As a regular employee, I am just unlikely to refuse the employer's silent requirement to use my own device to log in into their systems. Hell, some companies have even started promoting BYOD (Bring Your Own Device), which is wrong on so many levels.
My employer pays for 1Password, and also a Yubikey. I don't have to use my phone for any work-related 2FA.
But yes, my policy is to absolutely never use personal devices for work, and vice versa. Complete and total separation. The laptop I use for work was paid for by my employer.
I simply will not use my personal phone for work purposes. I hesitate to even make a call in a pinch. There's no way employer mandated apps are going on there. If an employer doesn't provide a phone but expects these things, I will simply make them figure it out / work out an alternative solution with them.
In the worst case I would be prepared to be fired over this issue.
And then they will use that for all work-related communication. And in secret, they will thank you profoundly for allowing them to just disconnect in the evening, because nobody wants to call THAT phone.
> If employer is already paying you a salary, just be grateful. People always act like their employers owe them. You're an employee at will.
Why should anyone "be grateful" for the salary they are owed?They fulfilled their side of the contract.
For that matter, why should employees have to waste their own salary if their employers can't afford a phone to run the apps they require? They should be looking around and getting ready to jump ship.
I had a guy out to install my windows this weekend. Man! he was a hard worker. Grunted every time he picked up a window, complained about his back, smashed his finger (REALLY bad... I probably would have gotten stiches) wrapped it up and kept working.
The whole time I thought: "I'm so glad I had the opportunity to go to college and get into this field".
But not once did I think, "I'm so glad my company is so gracious to pay me".
Yes, we are paid well for working in easy conditions, but it is commiserate to the value we provide due to the stuff in our heads. It's not because our companies are generous.
I use an old iphone 8 for work 2FA apps and fall back to my phone number if the phone is dead or something . Only been in 1 environment that didnt allow that fallback and they gave me a phone. Ive been on both sides of this kind of policy and while many people would like to think they would make OP’s argument, Ive only ever had one person successfully argue it and…they were just given an extremely cheap old phone and a dongle.
69 comments
[ 2.7 ms ] story [ 129 ms ] threadAny kind of third party internet required app? Do I required Microsoft Authenticator or Duo - always on push access, internet required, logs my phone's IP and location? They must pay for the device and the plan. If you want me enter MDM, Outlook, ActiveSync? They must pay for the device and the plan.
Employers should provide a dedicated 2fa device (maybe a phone) if the employee wants but I can't think of the security case for employers to need to control / remote wipe the 2fa device since they could lock the account it is providing access to.
Either by accident, or just defaults getting increasingly more tight, Outlook won't connect to the account unless I allow it to be a device administrator.
On my personal phone, that's a hard no. So I'm using the PWA for the occasions I NEED to check email.
But a TOTP app of my choice, implementing a standard RFC protocol? I think that's okay, on the condition that it does not mean my phone is in scope for any regulations the company is mandated to adhere to.
I agree that's a hard no for personal devices though.
On Android you can define a device as corporate owned, which mean the employer have full control over the device, or it can be user owned and instead of taking control of the entire device, it makes a sandbox in which the corporate data resides, and the mobility admin can only touch what is inside that sandbox. If the phone is lost or the employee leave the business, you can remotely wipe the sandbox while leaving the user data untouched.
IMO this is a better approach, but it depends on how the system is set up.
It's nice having some flexibility for the different mindsets, but as long as the tools are provided by the employer when they're mandatory I don't see a problem.
I'm not going to turn that sandbox on when I'm not at work.
In the case of something like TOTP, though, I wouldn't insist that they provide a phone to use for it because it works without talking to any servers (unless I don't have a smartphone, of course).
My concern is to keep my employer's business and my personal business off of each other's systems. So if there's a requirement to use an app or to interact with company systems, then my employer needs to supply the equipment necessary to do that.
That being said, TOTP is practically standard and every phone have a method of generating their own TOTP so I don't mind adding employer's company to my BitWarden or Apple passwords. Same way I would not have problem to have SMS as a MFA.
Also it's gross, I hate giving out my number
If anyone is doing that in 2024, that is a warning sign.
I had them give me a phone. It sits on my desk. 99% of 9he time, it's used only for Microsoft Authenticator. (That does not count the seemingly endless "Scam Likely" calls I simply ignore.)
I work in Finland and in all the jobs I've hard for Finnish companies they've either offered to pay for a new phone for me, or offered to pay my phone bill if I kept my personal phone.
Generally I don't actually do anything work-related on my phone, I just use Duo and Okta apps for logins, and have a 2FA application for some site-specific logins.
The hassle of carrying an extra device, charging it, storing it and taking care of it is exactly that: a hassle.
But, do note that we were talking about a phone for 2FA and you're talking about a phone for on-call. I'm too senior for on-call, but I need 2FA daily.
That allows the line between self-owned work and employer-owned work to be thin/non-existent.
That can make it a lot easier for your employer to own your personal projects.
Don't do it. Don't use your corporate laptop for personal things, and don't use your personal equipment for corporate things.
If they want to use 2FA, they need to provide the 2FA device.
What’s that gonna achieve when entire firm has zero trust policy?
As a regular employee, I am just unlikely to refuse the employer's silent requirement to use my own device to log in into their systems. Hell, some companies have even started promoting BYOD (Bring Your Own Device), which is wrong on so many levels.
But yes, my policy is to absolutely never use personal devices for work, and vice versa. Complete and total separation. The laptop I use for work was paid for by my employer.
- Offer people a cell phone stipend, which the employee may or may not accept.
or:
- Issue a security key.
We choose to go with "We are issuing you a security key, bbbbuuuttt you can choose instead to use your phone at your discretion."
In the worst case I would be prepared to be fired over this issue.
Why should anyone "be grateful" for the salary they are owed? They fulfilled their side of the contract.
For that matter, why should employees have to waste their own salary if their employers can't afford a phone to run the apps they require? They should be looking around and getting ready to jump ship.
The whole time I thought: "I'm so glad I had the opportunity to go to college and get into this field".
But not once did I think, "I'm so glad my company is so gracious to pay me".
Yes, we are paid well for working in easy conditions, but it is commiserate to the value we provide due to the stuff in our heads. It's not because our companies are generous.