
Company forcing employees to install software on their personal mobiles?


Tony The Welsh Twat

Oct 19, 2023, 12:13:12 PM
My company have been using two-factor authentication since Covid when most of us have worked from home.

You log into the corporate VPN and you are sent a code to your mobile which you then enter and begin your working day.

I don't have an issue with this approach; the company have my mobile number and so getting a text every morning is no big deal.

IT have announced that as of 1st November, this process is being changed and we are all expected to download and install something called the Microsoft Authenticator App.

Now, given that Microsoft are heavily into sending anything and everything back to Redmond (apparently it's known as telemetrics, I call it spying) I'm reluctant to install anything from them particularly when the app apparently needs access to my contact list, emails and photos.

Can I challenge this proposal? What if I didn't have a "smart" phone and just a basic Nokia device?

Roger Hayter

Oct 19, 2023, 2:49:30 PM
On 19 Oct 2023 at 16:24:20 BST, "Tony The Welsh Twat"
The only realistic solution is to buy a second phone for work. No-one ever got
the sack, or indeed any other legal penalty, for using Microsoft. You could
ask the firm to pay for it, but they are not bound to do so. And that applies
even if you don't own a suitable phone.

--
Roger Hayter

Fredxx

Oct 19, 2023, 2:49:45 PM
I and some colleagues objected to the same. My objection was that my
phone was genuinely very slow and I was fearful of adding another app.

I didn't think anything I was doing would attract the attention of
Redmond or indeed anyone even if they did have access to my data. YMMV

This could be an opportunity for the company to provide everyone with a
company phone. It's a non-taxable perk too.

Fredxx

Oct 19, 2023, 2:51:56 PM
On 19/10/2023 16:24, Tony The Welsh Twat wrote:
I'm pretty sure MS provides other means of authenticating credentials,
one is via a SMS text.



Jon Ribbens

Oct 19, 2023, 3:53:49 PM
That quite likely depends on the settings the IT Administrator
at Tony's employer has configured.

Fredxx

Oct 19, 2023, 9:59:43 PM
Ok, assuming Microsoft are the lead here and the IT department are
following it, Microsoft do allow for other forms of authentication.
Either way a personal phone is private property and an employer has no
rights over it; where Microsoft are sensible enough to take that into
account and provide other methods.

Therefore if the company narrows down its configuration to just the app
then it's playing silly buggers with its staff. Some employees may not
even have a mobile phone, and less likely to have a smart one.

Roger Hayter

Oct 19, 2023, 10:00:03 PM
I think it is the firm's data that is at risk. American security agencies and
American firms routinely do as much industrial espionage as they can and pass
it on to American business. I don't think this fact is contentious.





>
> This could be an opportunity for the company to provide everyone with a
> company phone. It's a non-taxable perk too.


--
Roger Hayter

Simon Parker

Oct 20, 2023, 4:46:13 AM
Authenticator is a specific app for use in precise circumstances.

I use the Google version, rather than the Microsoft version, but the
principle is the same and I use it, for example, to employ MFA with my
HMRC account.

When I launch the Authenticator app, each account with which it is
configured to work, (I've already mentioned HMRC, but, perversely, I
also use *Google* Authenticator to login to my *Microsoft* account
amongst others), displays a six digit code and a circle which disappears
over the course of 30 seconds whereupon it generates a new six digit
code. (The circles allow one to determine if one has enough time to
enter the code before it expires.)

If you Google "Microsoft Authenticator" or indeed "Google Authenticator"
a world of knowledge will be opened to you.

Regards

S.P.

Martin Brown

Oct 20, 2023, 4:53:24 AM
On 19/10/2023 22:50, Fredxx wrote:
I think the probability of someone these days under retirement age not
having a smart phone is vanishingly small. Even my techno-Luddite cousin
has one (admittedly an iPhone 5 but still a smart phone)!

I held out for as long as I could (2015) on a dumb phone that would run
for a couple of weeks on one charge because I CBA to charge it every
night. I have only ever bought phones that would last at least a week.

If the company want to insist on specific software to be installed on a
personal device to be used for business then they should be providing a
company mobile phone or security dongle to their employees.

Or live with the fact that some people who are not prepared to install
that software on *their* personal property will not be able to access
their VPN. I doubt it would be a sacking offence not to install it.

But it might not improve your prospects of promotion.

It has all become a bit messy with the vulnerabilities that BYOD has
introduced in the post-Covid era. My own take is that company mandated
software should not be required on your personal possessions. YMMV

Unless it is being done because you want it - some big organisations
have provided their employees an MS Office license at home for instance.

--
Martin Brown


Simon Parker

Oct 20, 2023, 4:54:42 AM
On 19/10/2023 16:24, Tony The Welsh Twat wrote:
I recommend informing your employer that you do not wish to install the
App on your phone (without giving a reason), but state that you are
happy to comply with their increased security protocols suggesting that
instead of asking that you install an App on your phone, that they
provide you with an OATH hardware token which will perform precisely the
same function.

They are obliged to provide you with the first token without charge but,
providing it is permitted in your contract of employment, (and the
likelihood is that it will be), they can charge for a replacement if you
lose or damage it. They have a battery which will run out in a few
years. Your employer will need to replace it without charge when this
happens.

Regards

S.P.

Jon Ribbens

Oct 20, 2023, 8:50:14 AM
That isn't the only way the Microsoft (or Google) authenticator apps
work, though. As well as the Time-based One Time Password mode you're
describing, they have proprietary "just press 'Approve' to confirm
the login" modes. Which modes are available is most likely up to the
IT administrator at the employer.

Theo

Oct 20, 2023, 2:29:18 PM
Jon Ribbens <jon+u...@unequivocal.eu> wrote:
> That isn't the only way the Microsoft (or Google) authenticator apps
> work, though. As well as the Time-based One Time Password mode you're
> describing, they have proprietary "just press 'Approve' to confirm
> the login" modes. Which modes are available is most likely up to the
> IT administrator at the employer.

My employer uses Microsoft logins and the instructions were to install the
Microsoft authenticator app. I installed a third party open source TOTP app
called 'authenticator':

https://www.ghacks.net/2019/09/09/authenticator-open-source-2-step-verification-app-for-ios/
https://apps.apple.com/us/app/authenticator/id766157276

It works fine with Microsoft and other services for me. There is no harm in
trying a third party app you are comfortable with instead of the official
solution.

Theo

Scion

Oct 20, 2023, 4:02:36 PM
On Fri, 20 Oct 2023 09:51:05 +0100, Simon Parker wrote:

<snip>

> I recommend informing your employer that you do not wish to install the
> App on your phone (without giving a reason), but state that you are
> happy to comply with their increased security protocols suggesting that
> instead of asking that you install an App on your phone, that they
> provide you with an OATH hardware token which will perform precisely the
> same function.
>
> They are obliged to provide you with the first token without charge but,
> providing it is permitted in your contract of employment, (and the
> likelihood is that it will be), they can charge for a replacement if you
> lose or damage it. They have a battery which will run out in a few
> years. Your employer will need to replace it without charge when this
> happens.
>
> Regards
>
> S.P.

You can get desktop apps that provide the same function. Authy for
example. I assume that working from home is via a PC, not solely on the
mobile phone.

Mark Goodge

Oct 20, 2023, 8:07:33 PM
On Thu, 19 Oct 2023 08:24:20 -0700 (PDT), Tony The Welsh Twat
<tonythew...@gmail.com> wrote:

>IT have announced that as of 1st November, this process is
>being changed and we are all expected to download and install
>something called the Microsoft Authenticator App.

It doesn't have to be Microsoft Authenticator App. Despite what you have
been told, any authentication app will work equally well. They are all
considerably more secure than SMS 2FA. Personally, I use Google
Authenticator, although if you want something unconnected to any of the big
names then Authy has very good reviews.

>Can I challenge this proposal?

It would be foolish to do so, given that it would be a deliberate choice to
remain on a less secure system. An authentication app is also more reliable,
and easier to use, than SMS 2FA.

>What if I didn't have a "smart"
>phone and just a basic Nokia device?

But you don't. You do have a smartphone. So raising hypothetical goat herder
objections isn't going to help you.

Mark

The Todal

Oct 21, 2023, 8:34:03 AM
On 19/10/2023 16:24, Tony The Welsh Twat wrote:
Others have given you some useful information and advice.

All I can say is that I had an email account while volunteering for a
charity, and the computer support people insisted that we used the
Microsoft Authenticator, out of an abundance of caution, even though
there was nothing very confidential to discuss.

I found it to be a nuisance, because in a similar way to the "reCAPTCHA"
method, it delays what you are doing and forces you to go through a
procedure that it is easy to get wrong. Especially if your Authenticator
app isn't conveniently to hand and you're trying to log into your
mailbox on a laptop. And occasionally the Authenticator has uncoupled
from my email address and asked me to scan a QR code (with what, given
that the QR code is displayed on my phone?) or reinstall the Authenticator.

But if a computer support technician advises that it has to be used,
nobody dares to challenge that opinion.



Mark Goodge

Oct 21, 2023, 10:45:56 AM
On Sat, 21 Oct 2023 07:48:47 -0000 (UTC), Jethro_uk
<jeth...@hotmailbin.com> wrote:

>On Fri, 20 Oct 2023 23:18:11 +0100, Mark Goodge wrote:
>
>> On Thu, 19 Oct 2023 08:24:20 -0700 (PDT), Tony The Welsh Twat
>> <tonythew...@gmail.com> wrote:
>>
>>>IT have announced that as of 1st November, this process is being changed
>>>and we are all expected to download and install something called the
>>>Microsoft Authenticator App.
>>
>> It doesn't have to be Microsoft Authenticator App. Despite what you have
>> been told, any authentication app will work equally well. They are all
>> considerably more secure than SMS 2FA. Personally, I use Google
>> Authenticator, although if you want something unconnected to any of the
>> big names then Authy has very good reviews.
>
>The latest incarnation of Google Authenticator keeps a copy of your 2FA
>seeds in your Google account. Which means switching to a new device is
>trivial.

Yes, although that does also, at least in theory, make it less secure as if
Google's storage was ever successfully hacked, then your credentials would
potentially be exposed. Some people are not happy with that, and therefore
choose to use other apps.

Mark

Andy Burns

Oct 21, 2023, 10:46:06 AM
Tony The Welsh Twat wrote:

> IT have announced that as of 1st November, this process is being
> changed and we are all expected to download and install something called
> the Microsoft Authenticator App.

Ignoring the legal aspect and speaking of the technical aspect ...

In my experience, websites which claim to require a specific TOTP app
(most frequently Google's or Microsoft's), will work with other generic
TOTP authenticators, e.g. EnPass is a password safe that installs onto a
PC and includes TOTP functionality, there are many others ...


Tony The Welsh Twat

Oct 28, 2023, 9:49:39 AM
Ok just an update - I was present at the IT CAB meeting on Thursday where this proposal was going through final sign-off before release on 1st November and I made my objections known.

So now it's on pause while IT liaise with the Senior Exec Committee - apparently I am not the only one who has raised concerns (one other individual was offered a company mobile phone and he/she declined as they believed it was P11D-able (although I'm not sure if that is the case)).

So at least my company aren't press ganging us into this.
