Employer requiring MFA for work email on personal phone

SteBrown91

2,412 posts

131 months

Wednesday 15th November 2023
We issue Yubikeys for anyone who can't/won't use their personal phone for MFA.

No big deal. Just ask for something like that instead.

768

13,838 posts

98 months

Wednesday 15th November 2023
I'm totally fine with my choice of authenticator app for work logins. Assuming it's just TOTP there's no link made between the device and your work systems.

MDM is where I drew the line. As above, I'm sure they can sort you a token but it'll make life easier for you to just install an app.

CraigyMc

16,504 posts

238 months

Friday 17th November 2023
Brainpox said:
One I’d like to get the opinion of the collective on. I’m not sure whether to be precious about it or not.

I work in the NHS and all NHS mail (NHS.net) users are expected to enable MFA via their personal mobile phones in order to access work email. Either via SMS or authenticator app.

On the one hand, I’m not sure why I should be using my personal device for work matters. Email is essential for communication and if MFA is required then should this be provided on a work device? I could be stubborn and refuse and make my work life a lot quieter without access to email!

On the other I have my phone on me anyway so it’s not really a big deal.

Maybe I’m just concerned about work creeping into my personal life. Just wondered what the hive mind here thought about it?

ETA to clarify, this is to access email on any device including work PCs with a new code required for each device
If you don't want this, refuse it. There are alternatives such as hard tokens:

Having said that, personally I'd be okay with having the access code-generator on my phone as long as there was no remote phone wipe possibility. Basically, I own my phone and all the data on it, I'd not give that ownership away to my employer via a remote-wipe function.

I don't access actual work on my phone (eg. work email or work messages) and would not be okay with that if it became "required" by my employer. This sort of function is usually where the remote-wipe things get added. Some of my colleagues do have work stuff on their phones (we are in an industry where it's common) but I don't want it leaching into my out-of-workplace time.

I literally have a set of clothes I only wear to the office; once I've got home and changed, work is over. I like to disconnect properly.

TL;DR
An authenticator app on your phone is unlikely to mean you start working outside of work.

aspender

1,308 posts

267 months

Friday 17th November 2023
If an analogy helps, having an authenticator app on your phone is a bit like using your wallet to store your work ID badge. The app's function is to help gain access to your virtual work environment in the same way an ID badge lets you into the office.

Using an authenticator app on your phone doesn't blur your work/life boundary any more than keeping your ID badge in your wallet does.

Putting applications onto your own phone that actually allow you to do work is a different kettle of fish.

VeeReihenmotor6

2,203 posts

177 months

Friday 17th November 2023
I have MFA on my personal phone for work O365 logins. My team has my mobile and I have theirs, mainly for disaster recovery procedures but also if needed for work matters. No one over steps the line with contact. Works fine for me.

My wife also works for the NHS in nursing and she uses her personal mobile to run telephone clinics from home, as well as her personal laptop to VPN on to the hospital systems. I think hers is a step too far but it enables her to work from home so I guess you have to take the rough with the smooth sometimes.


QuartzDad

2,279 posts

124 months

Friday 17th November 2023
I have the MFA app on my personal phone and MDM installed to access work email and apps. They offer a handset and/or SIM but I couldn't be arsed with two devices so just took the SIM and use my dual SIM handset.

My stuff gets backed up by me, not bothered by the minuscule chance of an inadvertent wipe.

YMMV.

quinny100

932 posts

188 months

Friday 17th November 2023
I have a work phone, but choose to run the Authenticator app on my personal phone - simply because it's more likely that's the device I'll have with me.

Tokens are fine in theory, but unless you carry them around everywhere people tend to forget them regularly and then generate service desk effort because they can't log in.

MFA is going to become more prevalent - we've implemented Windows Hello and passwordless authentication which means every Microsoft login generates an MFA prompt.

I like the "using your wallet to carry your ID card" analogy - I might steal that.

bitchstewie

51,993 posts

212 months

Friday 17th November 2023
Herbs said:
Seems to be a lot of misinformation about this.

Essentially it's just an app on your phone that generates a random 6 digit code every 30-60 seconds that you need to enter when logging onto your work PC.

There is no work data or bleed into work appearing outside of work time.

We have just had to do this at work as well and after the initial grumblings which lasted a day or 2 from some staff, it's now the norm and has zero impact apart from taking 10 seconds longer to log in in the morning.

It also gives you the extra security that a colleague cannot log into anything as you, even if they know your password.
Exactly this.

Fully appreciate you're entitled to say you don't want to use a personal device but it won't give your employer any access or info and I'd hope and expect more and more people are using MFA in their personal lives so it's not like this is a new and unexpected thing to them.
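Added example (editor's note, not code from any poster in this thread): the "random 6 digit code every 30 seconds" that Herbs and 768 describe is RFC 6238 TOTP, and the code below implements it from scratch to show why the app creates no link between the handset and the work tenant. The only inputs are the shared secret from the enrolment QR code and the clock; the server stores the secret, not a device identifier, so a second phone or a hardware token enrolled from the same QR code is indistinguishable. The secret is the published RFC 4226/6238 test key, and the issuer/account names in the otpauth URI are made up for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed example: the 20-byte RFC 4226/6238 test key "12345678901234567890",
# base32-encoded as it would appear inside an otpauth:// enrolment QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating the '=' padding most apps leave out."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Nothing about the device enters the calculation, only secret and clock."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step or any step within
    +/- window steps (tolerates phone/server clock drift). Constant-time compare."""
    key = decode_secret(secret_b32)
    base = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, counter, digits), candidate)
        for counter in range(base - window, base + window + 1)
    )


def otpauth_uri(issuer: str, account: str, secret_b32: str, digits: int = 6,
                period: int = 30) -> str:
    """What the enrolment QR code encodes (the Key URI format used by common
    authenticator apps): issuer, account label, secret, algorithm, digits, period.
    No device identifier is part of the exchange."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    # Hypothetical issuer/account names. Two "devices" enrolled from the same QR
    # code produce identical codes, so the server cannot tell a phone app from a
    # hardware token or a second phone.
    t = 59
    phone_code = totp(EXAMPLE_SECRET_B32, t)
    token_code = totp(EXAMPLE_SECRET_B32, t)
    print(otpauth_uri("ExampleCorp", "alice@example.org", EXAMPLE_SECRET_B32))
    print(phone_code, token_code, verify_totp(EXAMPLE_SECRET_B32, phone_code, t + 30))
```

The verifier's +/- one step window is why a slightly slow phone clock still logs in; widening it beyond a step or two is the usual mistake, since every extra step is another valid code an attacker who phished one can replay.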

Llandudno

2,460 posts

184 months

Monday 20th November 2023
MFA is a bit of a pain if you’re like me and don’t want your phone near you when working for productivity reasons.
It was fine when it was just a token to log on first thing but now it’s required for various apps during the day.
Forces me to move I guess….

MitchT

15,964 posts

211 months

Monday 20th November 2023
I use the Entrust app on my phone so I can log into Global Protect on my work laptop when working remotely. I also use Microsoft Authenticator on my phone when working remotely and in the office to facilitate switching between different tenants in Microsoft Azure. I've never given it a second thought, but I love my job and am happy to do anything to be able to get on with it.

eliot

11,498 posts

256 months

Monday 20th November 2023
do you want a dataleak, compromise or ransomware attack traced back to the lack of 2fa on your account?


768

13,838 posts

98 months

Tuesday 21st November 2023
eliot said:
do you want a dataleak, compromise or ransomware attack traced back to the lack of 2fa on your account?
It can't be. It prevents account compromise through an extra hoop, but lack of it isn't a vulnerable hoop.

eliot

11,498 posts

256 months

Tuesday 21st November 2023
768 said:
eliot said:
do you want a dataleak, compromise or ransomware attack traced back to the lack of 2fa on your account?
It can't be. It prevents account compromise through an extra hoop, but lack of it isn't a vulnerable hoop.
Uh? 2fa isn’t a silver bullet, yes, but it is defence in depth. Not having it when it’s mandated can get you in hot water.

2fa is mandated just about everywhere now, time was it was only for sensitive networks - but almost all IT security standards want it, especially public sector/gov

I’m not really clear if the op is referring to just having the 2fa app on their phone or work email on their personal phone - and op seems to have left the chat.

AndyAudi

3,073 posts

224 months

Tuesday 21st November 2023
Brainpox said:
One I’d like to get the opinion of the collective on. I’m not sure whether to be precious about it or not.
I feel this comment is appropriate

“Flexible people don’t get bent out of shape”

They’re not really asking very much, it won’t significantly affect your personal life.

It would now give you a legitimate reason to charge your phone at work though if you want to feel like you need compensation of some sort….

Correct or not, it probably would make me view someone who reported to me differently if they made the decision to say no.

Tommo87

4,238 posts

115 months

Tuesday 21st November 2023
We have this at work and it’s just an authentication process.

Anyone who feels a bit freedom of the land about it, can ask for a separate token if they wish.
But it’s not as efficient as options like facial recognition and thus far nobody has asked for one.


It’s NOTHING to do with answering work emails on your personal phone as some people have wrongly assumed in their ignorance.


Sheets Tabuer

19,122 posts

217 months

Tuesday 21st November 2023
Just been through this at work, project was held up because HR said the company can't force people to use their personal devices so they all got a keyring token.

eliot

11,498 posts

256 months

Tuesday 21st November 2023
Sheets Tabuer said:
Just been through this at work, project was held up because HR said the company can't force people to use their personal devices so they all got a keyring token.
and yet those users may install the same authenticator app to access their paypal for example, sounds like militant staff being dicks for the sake of it.

Sheets Tabuer

19,122 posts

217 months

Tuesday 21st November 2023
eliot said:
Sheets Tabuer said:
Just been through this at work, project was held up because HR said the company can't force people to use their personal devices so they all got a keyring token.
and yet those users may install the same authenticator app to access their paypal for example, sounds like militant staff being dicks for the sake of it.
Yes bizarrely many thought they would be tracked, when we pointed out they used the authenticator for other stuff it didn't matter, anyway plan was changed knowing we can't force the use of private devices.

Zetec-S

5,962 posts

95 months

Tuesday 21st November 2023
Sheets Tabuer said:
eliot said:
Sheets Tabuer said:
Just been through this at work, project was held up because HR said the company can't force people to use their personal devices so they all got a keyring token.
and yet those users may install the same authenticator app to access their paypal for example, sounds like militant staff being dicks for the sake of it.
Yes bizarrely many thought they would be tracked, when we pointed out they used the authenticator for other stuff it didn't matter, anyway plan was changed knowing we can't force the use of private devices.
I'm assuming everyone who objected keeps their personal phone turned off during office hours and only checks it during their lunch or break...

eliot

11,498 posts

256 months

Tuesday 21st November 2023
Zetec-S said:
Sheets Tabuer said:
eliot said:
Sheets Tabuer said:
Just been through this at work, project was held up because HR said the company can't force people to use their personal devices so they all got a keyring token.
and yet those users may install the same authenticator app to access their paypal for example, sounds like militant staff being dicks for the sake of it.
Yes bizarrely many thought they would be tracked, when we pointed out they used the authenticator for other stuff it didn't matter, anyway plan was changed knowing we can't force the use of private devices.
I'm assuming everyone who objected keeps their personal phone turned off during office hours and only checks it during their lunch or break...
Now hang on comrade - I need my personal phone to pay my union subs during work hours.