Either by accident, or just defaults getting increasingly tight, Outlook won't connect to the account unless I allow it to be a device administrator.
On my personal phone, that's a hard no. So I'm using the PWA for the occasions I NEED to check email.
But a TOTP app of my choice, implementing a standard RFC protocol? I think that's okay, on the condition that it does not mean my phone is in scope for any regulations the company is mandated to adhere to.
It can be less intrusive, but it depends on how the person in charge of mobility set things up and on the MDM tool's capabilities.
On Android you can define a device as corporate owned, which means the employer has full control over the device, or it can be user owned, in which case instead of taking control of the entire device it makes a sandbox in which the corporate data resides, and the mobility admin can only touch what is inside that sandbox. If the phone is lost or the employee leaves the business, you can remotely wipe the sandbox while leaving the user data untouched.
IMO this is a better approach, but it depends on how the system is set up.
Personally, that's still an unacceptable approach. There is no way I'm going to allow any employer to have any degree of access to my phone. If my employer needs me to use a phone for work purposes, my employer needs to provide a work phone to me.
And that's entirely your right not to use your personal device for work, and I agree with your position, while some others might be more lenient and will accept having it on their personal device for the convenience of carrying and charging only one device.
It's nice having some flexibility for the different mindsets, but as long as the tools are provided by the employer when they're mandatory I don't see a problem.
My university tried to do this with all Android devices connecting to their Exchange too a few years back. Hard no from me. I'm not letting some random person in IT wipe my phone remotely because they mixed me up with someone, or because I'm getting fired/expelled.
While you're hundred percent right, the problem here is detachment. For example, many companies' security and procurement teams operate at the top. Downstream teams around the globe have no clue what's coming, it's not in their budget to purchase and manage 2FA devices (this is more complicated than one might think) and I've never once seen the upstream teams own the whole process, despite the obvious connection.
As a regular employee, I am just unlikely to refuse the employer's silent requirement to use my own device to log in to their systems. Hell, some companies have even started promoting BYOD (Bring Your Own Device), which is wrong on so many levels.
I might be mistaken, but I think a lot of the compliance standards go along the lines of "do not mix personal and business equipment"; to me this includes phones, and it really should include a separate VLAN (at least) for distributed employees.
If you run network analysis you can at least see how much data flows to and from that device at the router level (and it also keeps your personal stuff segregated from work stuff, regardless of any software on the business machine). It also keeps your nice centrally managed work system from inadvertently accessing your own personal systems; I don't want my work Apple/MS sending all the network spam to my personal stuff and vice versa.
Also think of SolarWinds and such: if your work system is compromised by a supply chain attack (seeing as they are higher-value targets), you also don't want your other devices at home to be on the radar to be compromised too.
I do not mind as much using my own mobile if it is a standard TOTP that I do not need to install spyware for. I already have TOTP apps to which I can add a QR code, and it's not costly or difficult.
Any kind of third-party, internet-required app? Do I require Microsoft Authenticator or Duo, with always-on push access, internet required, logging my phone's IP and location? They must pay for the device and the plan. If you want me to enrol in MDM, Outlook, ActiveSync? They must pay for the device and the plan.
Absolutely. I had a case where a team member had a smartphone running GrapheneOS and was not able to run the required 2FA app, Microsoft Authenticator. An employer must not dictate the type of phone that an employee owns privately and cannot even enforce the use of privately owned phones or other resources, if they are needed to fulfil the work contract. So I asked the company to provide a company phone to my team member, which they did, despite having a policy not to do so.
My company wants me to install Microsoft Authenticator, but I find that unacceptable. That is my personal device, and installation of any app is my choice and my choice only.
That being said, TOTP is practically standard and every phone has a method of generating its own TOTP, so I don't mind adding my employer's account to my Bitwarden or Apple Passwords. In the same way, I would not have a problem with SMS as an MFA.
I have a dumb phone for that. If they pressure me to install something on it, I just bring them that phone (with my real SIM) and ask them how we shall proceed.
I already have a TOTP app on my phone for all my other security (I have like 15 MFA codes), so adding an extra code isn't really a problem for me. Plus I'd much rather have just an extra code than carry a 2nd phone.
Plus for me, a 2nd phone means on call.
Plus I'm just happy to have a good-paying job. Me complaining about wanting an extra device doesn't benefit anyone.
But that's just my situation.
> My company wants me to install Microsoft Authenticator but I find that unacceptable.
I had them give me a phone. It sits on my desk. 99% of the time, it's used only for Microsoft Authenticator. (That does not count the seemingly endless "Scam Likely" calls I simply ignore.)
My employer pays for 1Password, and also a Yubikey. I don't have to use my phone for any work-related 2FA.
But yes, my policy is to absolutely never use personal devices for work, and vice versa. Complete and total separation. The laptop I use for work was paid for by my employer.
In the big picture, I think that an employer has the obligation to provide any equipment that is needed to do the job.
In the case of something like TOTP, though, I wouldn't insist that they provide a phone to use for it because it works without talking to any servers (unless I don't have a smartphone, of course).
My concern is to keep my employer's business and my personal business off of each other's systems. So if there's a requirement to use an app or to interact with company systems, then my employer needs to supply the equipment necessary to do that.
If it's necessary for the employee to do the work, then yes. However, there are cheaper alternatives to phones, for example we provide hardware tokens (they cost around $30-40, such as https://www.yubico.com/products/security-key/ ) for those who don't have a corporate smartphone and are unwilling to use their personal devices for 2FA.
Please no. 0 chance I want my phone to be controlled by some enterprise device management crap.
Employers should provide a dedicated 2FA device (maybe a phone) if the employee wants one, but I can't think of the security case for employers needing to control / remote wipe the 2FA device, since they could just lock the account it is providing access to.
If I am required to use my personal phone for work-related 2FA and SMS (lots of services require a mobile phone number just to create an account), then I will start using work resources for my own personal benefit. Those GPUs are idle too much anyhow....
You know they'll give you a low-tier Samsung with physical buttons that barely passes for a smartphone, and you'll complain in less than a week that you can't install work apps on your personal phone.
I am speaking from experience. People complained that they wanted the company to provide phones for the on-call rotation. In less than two rotations everyone was forwarding the on-call phone number to their personal one. Soon the phone was lost in a drawer and we integrated an on-call notifying app that everyone just installed on their phone.
The hassle of carrying an extra device, charging it, storing it and taking care of it is exactly that: a hassle.
I value the sanctity of my own hardware. Also, my personal phone is also an underpowered piece of shit, in part because I'm actually willing to endure quite a lot of annoyance to maintain a semblance of privacy on my hardware. It sounds like your coworkers aren't as ornery as myself. Lucky you, probably.
But, do note that we were talking about a phone for 2FA and you're talking about a phone for on-call. I'm too senior for on-call, but I need 2FA daily.
I had a thought recently along these lines. What if my phone breaks? I may not get a new one for a week or two. But work expects me to enter 2FA codes generated from my phone.
I work in Finland, and in all the jobs I've had for Finnish companies they've either offered to pay for a new phone for me, or offered to pay my phone bill if I kept my personal phone.
Generally I don't actually do anything work-related on my phone, I just use Duo and Okta apps for logins, and have a 2FA application for some site-specific logins.
If you use Linux on your work laptop you can use oathtool to register 2FA. I have a custom script (with zenity) that, when pressing a global hotkey, lets me fill in the 6-digit code directly. No personal phone needed, and it's even faster. My work laptop is my work's 2FA device.
I use an old iPhone 8 for work 2FA apps and fall back to my phone number if the phone is dead or something. I've only been in one environment that didn't allow that fallback, and they gave me a phone. I've been on both sides of this kind of policy, and while many people would like to think they would make OP's argument, I've only ever had one person successfully argue it and... they were just given an extremely cheap old phone and a dongle.
I simply will not use my personal phone for work purposes. I hesitate to even make a call in a pinch. There's no way employer mandated apps are going on there. If an employer doesn't provide a phone but expects these things, I will simply make them figure it out / work out an alternative solution with them.
In the worst case I would be prepared to be fired over this issue.
Of course: if they need the security, especially if it can't be achieved with a standard TOTP generator, it doesn't really make sense to rely on whatever their employees have lying around (which could very well be not an Android/iOS phone, not new enough, without enough space, not bootlocked/un-rooted enough, or not even a phone in the first place).
Since I don't allow anyone to install stuff on my personal phone - and they probably wouldn't want to store their secure data onto a device that I rooted anyway - then the only option is for the employer to provide a 2FA device.
It doesn't have to be a phone, though. Yubikey is good and affordable.
If my employer wants me "on call" and accessible, they can either:
A) provide a phone.
B) pay for part of my personal bill; but no MDM allowed.
C) be ok with me not always being available. I enter the job like this. I state I am also a firefighter, if I don’t answer, I’m involved. Managers can manage.
No, I don't think it would be necessary.
2FA via TOTP does not require a phone.
2FA via SMS does not require a phone; one can utilize a VoIP service that provides SMS.
2FA via hardware token - yes it should be provided for if needed in course of employment.
Just like companies will not allow us to install "personal" software on company devices, we should not allow them to install "company" software on personal devices.
Hardware keys should be provided to all employees, because employees will use it for both personal and corporate authentication. It's a true win/win scenario.
And then they will use that for all work-related communication. And in secret, they will thank you profoundly for allowing them to just disconnect in the evening, because nobody wants to call THAT phone.
> If employer is already paying you a salary, just be grateful. People always act like their employers owe them. You're an employee at will.
Why should anyone "be grateful" for the salary they are owed? They fulfilled their side of the contract.
For that matter, why should employees have to waste their own salary if their employers can't afford a phone to run the apps they require? They should be looking around and getting ready to jump ship.
I had a guy out to install my windows this weekend. Man! He was a hard worker. Grunted every time he picked up a window, complained about his back, smashed his finger (REALLY bad... I probably would have gotten stitches), wrapped it up and kept working.
The whole time I thought: "I'm so glad I had the opportunity to go to college and get into this field".
But not once did I think, "I'm so glad my company is so gracious to pay me".
Yes, we are paid well for working in easy conditions, but it is commensurate with the value we provide due to the stuff in our heads. It's not because our companies are generous.