Should employers pay for employees' phones if 2FA apps are required?
Our organization is using Office365.
Either by accident, or just defaults getting increasingly tight, Outlook won't connect to the account unless I allow it to be a device administrator.
On my personal phone, that's a hard no. So I'm using the PWA for the occasions I NEED to check email.
But a TOTP app of my choice, implementing a standard RFC protocol? I think that's okay, on the condition that it does not mean my phone is in scope for any regulations the company is mandated to adhere to.
Personal devices should _never_ be used for work.
That allows the line between self-owned work and employer-owned work to be thin/non-existent.
That can make it a lot easier for your employer to own your personal projects.
Don't do it. Don't use your corporate laptop for personal things, and don't use your personal equipment for corporate things.
If they want to use 2FA, they need to provide the 2FA device.
I do not mind as much using my own mobile if it is a TOTP standard that I do not need to install spyware for. I already have TOTP apps that I can add a QR code to, and it's not costly or difficult.
Any kind of third-party, internet-required app? Am I required to use Microsoft Authenticator or Duo - always-on push access, internet required, logs my phone's IP and location? They must pay for the device and the plan. If you want me to enter MDM, Outlook, ActiveSync? They must pay for the device and the plan.
Absolutely. I had a case where a team member had a smartphone running GrapheneOS and was not able to run the required 2FA app, Microsoft Authenticator. An employer must not dictate the type of phone that an employee owns privately and cannot even enforce the use of privately owned phones or other resources, if they are needed to fulfill the work contract. So I asked the company to provide a company phone to my team member, which they did, despite having a policy not to do so.
My company wants me to install Microsoft Authenticator but I find that unacceptable. That is my personal device and installation of any app is my choice and my choice only.
That being said, TOTP is practically standard and every phone has a method of generating its own TOTP codes, so I don't mind adding my employer's account to my Bitwarden or Apple Passwords. Same way I would not have a problem with having SMS as an MFA.
My employer pays for 1Password, and also a Yubikey. I don't have to use my phone for any work-related 2FA.
But yes, my policy is to absolutely never use personal devices for work, and vice versa. Complete and total separation. The laptop I use for work was paid for by my employer.
Employers should:
- Offer people a cell phone stipend, which the employee may or may not accept.
or:
- Issue a security key.
We choose to go with "We are issuing you a security key, bbbbuuuttt you can choose instead to use your phone at your discretion."
In the big picture, I think that an employer has the obligation to provide any equipment that is needed to do the job.
In the case of something like TOTP, though, I wouldn't insist that they provide a phone to use for it because it works without talking to any servers (unless I don't have a smartphone, of course).
My concern is to keep my employer's business and my personal business off of each other's systems. So if there's a requirement to use an app or to interact with company systems, then my employer needs to supply the equipment necessary to do that.
If it's necessary for the employee to do the work, then yes. However, there are cheaper alternatives to phones, for example we provide hardware tokens (they cost around $30-40, such as https://www.yubico.com/products/security-key/ ) for those who don't have a corporate smartphone and are unwilling to use their personal devices for 2FA.
Please no. 0 chance I want my phone to be controlled by some enterprise device management crap.
Employers should provide a dedicated 2fa device (maybe a phone) if the employee wants but I can't think of the security case for employers to need to control / remote wipe the 2fa device since they could lock the account it is providing access to.
If I am required to use my personal phone for work related 2FA and SMS(lots of services require a mobile phone number just to create an account), then I will start using work resources for my own personal benefit. Those GPUs are idle too much anyhow....
I had a thought recently along these lines. What if my phone breaks? I may not get a new one for a week or two. But work expects me to enter 2FA codes generated from my phone.
How about providing a hardware security key instead? Payment by the employer would be common in this case.
They probably should, but they generally won’t.
If you use Linux on your work laptop you can use oathtool to register 2FA. I have a custom script (with zenity) that, when pressing a global hotkey, allows me to fill in the 6-digit code directly. No personal phone needed, and it's even faster. My work laptop is my work's 2FA device.
Well, the bigger question is, why is your employer using a 2FA mechanism that requires a phone?
I use an old iPhone 8 for work 2FA apps and fall back to my phone number if the phone is dead or something. Only been in 1 environment that didn't allow that fallback and they gave me a phone. I've been on both sides of this kind of policy and while many people would like to think they would make OP's argument, I've only ever had one person successfully argue it and… they were just given an extremely cheap old phone and a dongle.
I simply will not use my personal phone for work purposes. I hesitate to even make a call in a pinch. There's no way employer mandated apps are going on there. If an employer doesn't provide a phone but expects these things, I will simply make them figure it out / work out an alternative solution with them.
In the worst case I would be prepared to be fired over this issue.
Of course: if they need the security, especially if it can't be achieved with a standard TOTP generator, it doesn't really make sense to rely on whatever their employers have lying around (which could very well be not an Android/iOS phone, new enough, with enough space, bootlocked/un-rooted enough, or even a phone in the first place).
Does anything the employer require need MDM? If so then yes, in fact they need to provide the phone in that case. Otherwise no IMHO.
Since I don't allow anyone to install stuff on my personal phone - and they probably wouldn't want to store their secure data onto a device that I rooted anyway - then the only option is for the employer to provide a 2FA device.
It doesn't have to be a phone, though. Yubikey is good and affordable.
If my employer wants me "on call" and accessible, they can either:
A) provide a phone.
B) pay for part of my personal bill; but no MDM allowed.
C) be ok with me not always being available. I enter the job like this. I state I am also a firefighter, if I don’t answer, I’m involved. Managers can manage.
No, I don't think it would be necessary.
2FA via TOTP does not require a phone.
2FA via SMS does not require a phone, one can utilize a VOIP service that provides SMS.
2FA via hardware token - yes, it should be provided if needed in the course of employment.
Be careful what you wish for. My employer pays for the phone that the 2FA app runs on. So I am the proud 'owner' of a 2016 iPhone SE.
(I don't use it for anything else but auth, of course)
Just like companies will not allow us to install "personal" software on company devices, we should not allow them to install "company" software on personal devices.
Hardware keys should be provided to all employees, because employees will use it for both personal and corporate authentication. It's a true win/win scenario.
Yes, employers should pay for the phone if they require on-call, 2FA, or any other reason that requires an employee to be pinged by mobile.
In fact, this should itself be a law.
Companies should pay for company phones.
The way I see it, the one who pays for the phone keeps it when both parties "part ways".
I'd be happy with those TOTP keyfobs. Is there any reason those are less common now?
My employer does not, they do cover my phone bill though.