Forum Discussion
luvsql
Mar 09, 2021, Steel Contributor
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts. ...
luvsql
Aug 16, 2021, Steel Contributor
We've looked into this as well but cannot find a vendor in Canada or US that fully supports it.
MatthewShulman
Aug 18, 2021, Brass Contributor
I'm not sure why you can't have users use personal devices for auth - most companies I deal with do exactly that.
What if you give users the option - Use your personal device for the authenticator app (even for work email maybe?) or the company provides a phone that is ONLY for work and they'd have to have that with them. Given the option, I think most would opt for using their personal device rather than carry an additional device and the problem would be resolved.
- JoshARI, Apr 23, 2024, Copper Contributor
Not the same, I can leave my phone at home every day, or pretend I don't have one, you can't force it as a company. I think you're just looking for the easy way out, 50% of Americans don't have a mobile phone.
- JoshARI, Apr 23, 2024, Copper Contributor
That puts the responsibility on the employee to have a mobile phone, to pay for one, to have a data plan, to not forget it every day, to have it functioning and not broken or lost or not charged. What then? This is the problem today, companies want this or that, but don't want to pay for it. 50% of Americans still don't have or use a mobile phone.
- OogieMeenan, Feb 07, 2024, Copper Contributor
Interesting idea, but not available to ourselves as a chemical plant where phones and other devices that don't meet regulations cannot be taken so they are stuck in certain parts of the plant where authentication fails them. Surely there has to be something simple with a MIFARE reader that would then code/encrypt the details so once card read it authenticates with its own date time and device it's attached to.
- Leapfrog_1-3, Dec 18, 2023, Brass Contributor
Microsoft already had been sending me the text message code (we were mandated to do that when we were not allowed to come in during the Covid lockdowns), but in addition to the password and my personal cell phone to be sent a code, they are telling us we need to link a personal email account for I do not know what reason because I do not check my work email from my phone, only from the work laptop. That is where I draw the line.
They overstepped with this additional invasion of privacy with this demand so I now refuse to work from home and I refuse to check my email to keep up on work when I am off or away from the office. In the end it is their loss, not mine. I donate much less time to the company now.
- tfrain, Dec 15, 2023, Copper Contributor
The whole goal of this is confirming you are you through something you are (biometric), something you have (a phone or RSA type card), or something you know (unique information only you have knowledge of). Unfortunately, the "something you know" is already taken up by your password. So if you have ANOTHER password, it would just be a duplicate of the same FACTOR - something you know - like a secondary password. Hence the problem. I absolutely hate having to deal with it, but I do understand the reason for it.
- Leapfrog_1-3, Dec 15, 2023, Brass Contributor
The point is, private is private & work is work. Don't force an employee to link the technologies. With all this hoopla I am starting to wonder why a software company is trying to force this issue by not simply leaving things with passwords and question/answer.
- Leapfrog_1-3, Dec 15, 2023, Brass Contributor
The option should be password and question driven with no need for a secondary device (private phone) or non-work email address (again, private).
Private phones and private email addresses should remain private.
Linking work and private technologies in this way could mean employees are giving consent to access personal information through implicit consent of the link.
- tfrain, Oct 09, 2023, Copper Contributor
webapt - go to Amazon and look for -
Token2 miniOTP-2-i programmable Two-Factor Security Token with time sync
these worked great for us. Super easy. You just have to get the token2 NFC burner app on your phone. It basically reflashes the card to behave as an authenticator app.
- webapt, Oct 09, 2023, Copper Contributor
Do you have a link for the token2 token card you suggest trying?
- tfrain, Jun 20, 2023, Copper Contributor
acjohns1986 Seriously, buy one of the token2 token cards on Amazon and give that a try. It worked great for us. It's like $40 and if it doesn't work you aren't out that much, but I'm pretty sure it will work. That was our workaround for this type of situation.
- acjohns1986, Jun 20, 2023, Copper Contributor
Well with the recent update I even have employees that have a smart phone but it's not quite up to date enough to download the app, so they are also just out of luck? The fact that we purchased software, and this was rolled out after, is a joke.
- Christine Lee, Jun 16, 2023, Copper Contributor
luvsql Plus not all employees have cell phones - some choose not to [by necessity or preference]. Also there is the issue of people leaving and trying to get access to accounts - that has been a headache - even with resetting accounts - especially on non-MS apps used by the company that are shared log-in but only able to have the one MFA.
- Des_Shiels, Nov 11, 2022, Copper Contributor
cpbowcpbow The Authenticator app doesn't require or need any form of network connection if you select the OTP (Code method). Once registered to the user account - it constantly generates codes every 30 seconds or so based on an algorithm or seed which was linked with Azure at time of registration. So when a webpage displays "Enter the Code from your Authenticator" type message - it already knows what the correct code should be - and if you type in the correct code shown in the app - then you get access. The App itself doesn't need to transmit that code to Azure.
- PJAngert005, Oct 12, 2022, Copper Contributor
MatthewShulman Absolutely not - I want absolutely nothing for my workplace on my personal device. I had the option to use my personal device for work, and I declined. My personal life and work are completely separate and should remain such.
- luvsql, Sep 28, 2022, Steel Contributor
cpbowcpbow Yes the app will work with just wifi.
- cpbowcpbow, Sep 28, 2022, Copper Contributor
I have a question: I currently have a cell phone (but no phone number); hence for the moment, I have only WiFi access (at home, work, or elsewhere). If I put the auth app on my phone, would my company's MS mail server be able to send a code to the app if I was on WiFi? I have read a bit here on the MS site, and I haven't seen this discussed.
- cpbowcpbow, Sep 28, 2022, Copper Contributor
Until just a couple months ago, I had a T-mobile account that gave me 100 texts, after which it was 10 US cents/text; my impression this was to send OR receive. I text rather rarely and it was an unusual month that I sent/received > 20 texts. However, if I had to receive an MFA text, possibly even >once per day, I'd be over the free allotment. It wouldn't be that much, but not negligible, either. I expect my next plan to have unlimited texting, but a company should not assume this. While I am waffling on cell phone carrier, I've been unable to access my company's email for almost 2 weeks. (They dropped the receive call at land line option, because they found it to be unreliable.) I work in a lab and can get by without constant email access, but at least once I didn't know of a data need as quick as I should have. Companies need to consider whether everyone has (free) access to texts.
- MYOVB, Sep 23, 2022, Copper Contributor
I object and resent being forced to use MFA that only allows for a telephone or a cell phone. It's obnoxious, and not hack-proof. Banks in particular want access to everyone's personal devices, and I just fired a bank for that very reason. No one likes being bullied by giant, greedy corporate entities. There are 3 levels of security to access my account online, and was still forced to waste my time with their MFA BS. bye bye bullies. Personally, the entire banking system should be EMP'd so the world can reset what is of value, and what isn't.
- AdminAdmin, Aug 12, 2022, Copper Contributor
luvsql Not to mention that on top of that half the office I support they don't receive mobile signal anyway - work or personal mobile phone won't work
- luvsql, Nov 16, 2021, Steel Contributor
If Microsoft would make it easier for businesses to buy USB or Fobs for MFA we wouldn't be having this conversation. I still haven't figured it out and it now seems we have to switch to passwordless but just want a way to authenticate without a phone. Clearly there is a need.
- Vicks1x365, Nov 16, 2021, Copper Contributor
Agree it's not reasonable for business to force any employee to meet business goals.
But do these employees / associates never use business resources (internet / pc etc.) for personal use?
- MatthewShulman, Nov 16, 2021, Brass Contributor
Chet2142
It seems this day and age that expecting one to have a cell phone is akin to expecting them to have a car or other means to get to work. If there are laws that prevent it, that's one thing but otherwise I think it is very reasonable for a business to require an MFA app or text to login. If one does get charged for the texts, then a simple solution is to allow them to expense that cost.
- Chet2142, Nov 16, 2021, Copper Contributor
Even if the carrier doesn't charge for text messages it's beside the point. The business plan shouldn't be to require your employee have a personal cell phone. While nearly everyone out there does you do have some that won't. Many services require the consumer to have a cell phone for MFA. But that is them providing a service to a consumer. That consumer could choose to not enable MFA or not use that service. We are talking about associates being required to do something to improve security for that business. Unless you have them on a business cell plan the requirement (or provide them a kickback on their personal cell plan) to use a personal phone to perform an expected work function is wrong. Vicks1x365
- luvsql, Nov 16, 2021, Steel Contributor
In Canada they sure do.
- Vicks1x365, Nov 16, 2021, Copper Contributor
luvsql I don't think any carrier charges for incoming TEXT even when travelling abroad, it's only when you send out.
I used to travel a lot and never got charged for receiving the TEXT (SMS).