this post was submitted on 24 Apr 2024
50 points (94.6% liked)

Asklemmy

43898 readers
1192 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

So recently my work, a mid sized engineering firm, decided to start upgrading their IT security. The rumor is that we have potential DOD work coming our way. Over the past few months there has been multiple company decided changes to our 2 factor authentication mobile app. I willingly installed the app on my phone over a year ago because without it I could no longer use my laptop out of office and couldn't use Microsoft teams or outlook on my phone.

So about 2 months ago my company updated the 2FA policy and because of that, my phone is no longer compliant on the basis of it being to old. The initial consequences were that I lost access to email and teams on my phone, not a big deal because I prefer not to think about work on my off hours. Fortunately, I could still use a txt message to 2FA into my laptop incase I did need to work from home.

Fast forward to last Friday, our IT director sent out an email saying they were again making changes to the 2FA policy over the weekend. Among other things, the changes included removing the txt 2FA option, meaning I could no longer access anything work related as soon as I step out of my office building. Sounds like a dream right, and a good excuse to fall back on.

Come Monday, I find out that I need to use the 2FA app to access our payroll software to fill out my timesheet, even when I am inside the office sitting at my desk. Luckily, I filled out my previous weeks timesheet on Friday. So next Monday, as far as I'm aware, I will not be able to fill out my timesheet to get paid.

My situation: I will admit I am stubborn about buying new electronics, my phone is a Samsung S8 that I bought in 2017 when it was brand new. I currently see no benefits of anything the new phones have to offer but the day my phone decides to die, I will gladly walk into a store and buy a brand new android phone. My work does not provide cell phones and has refused my request to compensate me for my work related phone usage. I have been very vocal to my manager and bosses that they cannot force me to buy a new phone just to continue doing my job efficiently, and now it seems doing my job at all. The responses I have recieved were very indirect and not at all helpful to my situation. Really, I just want them to give me an ultimatum or some other option. I am not willing to lose my job over this but I dont want to give in and buy a new phone just so I can click OK on an 2FA app.

So Lemmy, how should I approach this ticking time bomb?

you are viewing a single comment's thread
view the rest of the comments
[–] mp3@lemmy.ca 46 points 6 months ago* (last edited 6 months ago) (2 children)

If there is a technical requirement for you to do the job as an employee (not a contractor), the employer is expected to provide the necessary tools for you to accomplish the tasks they require from you.

With that said, which 2FA methods are available? Is it a proprietary app or you can enroll a TOTP (ie: the QR code)? Are they support hardware tokens (WebAuthn, FIDO2, Passkeys? If they do, they could simply provide you something like a Security Key, which is quite affordable and does thenjob quite well

[–] Kache@lemm.ee 21 points 6 months ago (2 children)

Must be proprietary, bc TOTP shouldn't be blocked by age of the device

[–] markstos@lemmy.world 20 points 6 months ago

Companies have policies that phones must be receiving security updates.

[–] KazuyaDarklight@lemmy.world 6 points 6 months ago (1 children)

That might just be the default though, they had sms until this change, so TOTP may still be on the table.

[–] kn33@lemmy.world 5 points 6 months ago (1 children)

They could be requiring phishing-resistant MFA, which OTP is not

[–] CluelessLemmyng@lemmy.sdf.org 7 points 6 months ago

Likely this. If they need to be FIDO2 compliant, then OTP and TOTP will be blocked. Personally, I would demand a company-provided phone for work.

[–] TheDarkestShark@lemmy.world 7 points 6 months ago (3 children)

My company is very good at giving me and my coworkers the best available, my workstation plus my laptop are probably around $5000. That is why it is so hard for me to believe they will not reimburse me for a new phone, I have feeling they do not want to set that precedent.

I currently use a 3rd party app called DUO, previously there were several options for 2FA, txt, call, email, and push notification. Now the only options are push notification (will not work on my phone) and administrator backup code. The IT guy had mentioned the security key option, but he said they would not work on most of our desktops because they are all custom built PC's, not sure of the specifics on that one though, I might bring that up to him again. I keep saying a good invention would be a little Wifi pager device that's sole purpose is 2FA.

[–] Bitrot@lemmy.sdf.org 16 points 6 months ago* (last edited 6 months ago) (1 children)

Company business should only be done on company phones. They may not want to set the precedent, but them they need to grow into a mature company. Really not worth it for employees if there is ever a discovery process.

If they are using something like Duo, there are offline tokens because some places (especially in DoD-land) don’t allow cell phones or simply have no service.

[–] lolcatnip@reddthat.com -2 points 6 months ago

As far as I can tell, using your personal phone for things like 2FA is allowed as a convenience to employees. Very few people want to carry two phones.

When I worked at Google, the policy seemed to be that anyone could get a company phone, but almost nobody actually had one. I say "seemed" because I never asked for one. I suppose it's possible many people asked and were denied, but I doubt it, because Google would give out hardware like it was candy, often to people who have even asked for it. I can remember being given at least one phone and two tablets completely unprompted, with no instructions to use them for anything in particular.

[–] ricecake@sh.itjust.works 6 points 6 months ago (1 children)

That device you mention exists, and it works with most computers that have Bluetooth (I can't think of an example where it hasn't).

You should be able to use a device that'll show up if you search "Bluetooth fido2 u2f". Your administrator may need to enable webauthn security keys in the admin panel for Duo.
Many of the devices also support a USB mode, so if you can plug in or it has Bluetooth it's compatible.

https://thetis.io/products/thetis-ble-u2f-security-key https://shop.ftsafe.us/collections/fido2/bluetooth

Aside from this being a totally solvable problem without you getting a new phone, and with very reasonable steps and affordably: you should really get a new phone.
Feature wise the phone might not have anything you need, but your current phone has stopped receiving security updates, which is an issue. In general you should have a phone that is still receiving timely security updates.
Having an unsupported phone is like having a front door with a lock that's possibly broken. It "works" in that it covers the hole in your house, and it might stop someone who wants to walk in, and the likelihood that someone tries is probably low, but there's a good chance that if someone did try, they would find it hilariously easy.

It's reasonable for your employer to only allow authentication from a secure device, which unfortunately yours is not.

[–] AlexanderESmith@kbin.social 13 points 6 months ago (2 children)

Reasonable to allow only secure devices for work: Yes

Reasonable to expect the employee to provide such a device: No

Work should only be done on company hardware (including auth). Especially if they're going to be that concerned about security.

[–] Zagorath@aussie.zone 4 points 6 months ago

Work should only be done on company hardware (including auth)

Personally, if it were standard TOTP I'd be happy to add that to my Authy. But if whatever system they want required me to get a new phone? Nah fuck that. But me a work phone.

[–] ricecake@sh.itjust.works 1 points 6 months ago (1 children)

Eh, it's mixed. People in the US are pretty varied about how they feel about using their own devices. Some people feel the way you do and others feel it's annoying to have to carry an extra phone.
It's one of the reasons android phones have the work profile feature to allow the segregation of work apps and data from personal. Even let's you have management software on the work profile so the employer can do remote wipe and all management without impacting the users personal data.
Most people have phones that get regular security updates, so they don't have any issues.

It's an area where there's little consensus about the best approach, even amongst the largest or most well orchestrated companies.
It's why they definitely should have enabled webauthn authenticators and been okay with reimbursing or providing one.

[–] AlexanderESmith@kbin.social 1 points 6 months ago* (last edited 6 months ago)

I mean, lack of consensus notwithstanding, the logic tree should be pretty simple;

  • Employer demands secure device

    • Employee has one personally and is willing to use it for work

      • Employer allows use of personal device

        • Problem solved
      • Employer isn't comfortable with BYOD, provides a device

        • Employee accepts the new device

          • Problem solved
        • Employee doesn't accept the device, can't do their job, is fired

          • Problem solved
    • Employee either doesn't have one, or refuses to use their own

      • Employer provides one

        • Problem solved
      • Employer refuses to provide one

        • Employee realizes the company sucks, quits

          • Problem solved
        • Employer gets shitty about it, fires the employee, employee sues and easily wins

          • Problem solved
  • updated for more scenarios

[–] mp3@lemmy.ca 5 points 6 months ago

IT guy had mentioned the security key option, but he said they would not work on most of our desktops because they are all custom built PC's

I'd be surprised if they didn't work, for FIDO2 all it needs is an OS that can do HID over USB (basically everything) and a browser that can handle it.

The only issue I could see is if they disable the USB port for security reasons.