Forum Discussion

luvsql's avatar
luvsql
Steel Contributor
Mar 09, 2021

MFA without a Cellphone

This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.  ...
azure
luvsql's avatar
luvsql
Steel Contributor
Aug 18, 2021
We can't force our employees to use their own personal device for work purposes. That is just not allowed or enforceable (at least it's not in Canada for privacy concerns).

We should also not have to provide a corporate phone to a user that will solely be used to authenticate (which may be only once every 60 days) when we already pay for their AD license with Office. Even the cheapest plans require contracts and hundred of dollars a year to maintain just for 1 Employee.
MatthewShulman's avatar
MatthewShulman
Brass Contributor
Aug 18, 2021

luvsql 

 

That's why I suggested giving the option.  I would think it would be ok for someone to opt to use their own phone?  If so, then giving them a choice I would think the majority would opt to use their own?  

  • Leapfrog_1-3's avatar
    Leapfrog_1-3
    Brass Contributor
    Dec 18, 2023

    tfrain 

    Microsoft already had been sending me the text message code (we were mandated to do that when we were not allowed to come in during the Covid lockdowns), but in addition to the password and my personal cell phone to be sent a code, they are telling us we need to link a personal email account for I do not know what reason because I do not check my work email form my phone, only from the work laptop. That is where I draw the line. 

    They overstepped with this additional invasion of privacy with this demand so I now refuse to work from home and I refuse to check my email to keep up on work when I am off or away from the office. In the end it is their loss, not mine. I donate much less time to the company now.

  • tfrain's avatar
    tfrain
    Copper Contributor
    Dec 15, 2023

    Leapfrog_1-3 

     

    The whole goal of this is confirming you are you through something you are (biometric), something you have (a phone or RSA type card), or something you know (unique information only you have knowledge of).  Unfortunately, the "something you know" is already taken up by your password.  So if you have ANOTHER password, it would just be a duplicate of the same FACTOR - something you know - like a secondary password.  Hence the problem.  I absolutely hate having to deal with it, but I do understand the reason for it.

  • Leapfrog_1-3's avatar
    Leapfrog_1-3
    Brass Contributor
    Dec 15, 2023
    the option should be password and question driven with no need for a secondary devise (private phone) or non-work email address(again, private).
    Private phones and private email addresses should remain private.
    Linking work and private technologies in this ways could mean employees are giving consent to access personal information through implicit consent of the link.