1

There are many questions here involving using one's personal phone as a phone for work purposes, and the answers tend to indicate that it is quite reasonable, even recommended, not to use a personal phone for work purposes, at least for voice calls.

It is getting more common these days for IT services for work (email, VPN) to use an authentication application to algorithmically generate a code from a key and the time. This is defined in HMAC-SHA1 and implemented by many different applications such as Google or Microsoft Authenticator and the oathtool CLI. These are marketed as multifactor authentication, though strictly that should be different types of information (e.g. something you know and something you have), rather than two different things you know. These tools can be run on the same device that is doing the connection, meaning that the two different things you know are stored in the same place, potentially reducing security.

Assuming one was assigned a work laptop but not a work phone, and is required to access services protected by such a system: what are the possible consequences of refusing to use one's personal phone for the authentication and instead installing all the tools required on the single device that is assigned? Is there some other way to do multi-factor verification? Is it possible to do this without using my personal phone?

Old_Lamplighter
User65535
  • What will they do if you "forget" your phone and leave it at home? Will they log you in anyway? What happens if your phone is lost or stolen? And what will they do, or say, if you use an old phone for the ID login and leave it in your desk each evening... – Solar Mike May 17 '22 at 12:01
  • @SolarMike If you do not have the phone you will not be able to access the services. There is a way for them to generate a new secret to replace the old one if one lost the phone. This is a bit hypothetical to answer as to what they would say, but the issue with leaving the secret in the office would be when one is working from home or otherwise out of the office, otherwise pretty similar to having it on the laptop. – User65535 May 17 '22 at 12:04
  • So, you turn up to work but can't work. Is that your fault? An employer requiring personal equipment to allow you to work seems wrong no? – Solar Mike May 17 '22 at 12:06
  • @SolarMike I kind of agree with you, the system seems broken (esp. considering that it is not really 2FA). However it is implemented by my current employer, and I do not think this is rare. – User65535 May 17 '22 at 12:10
  • Also, if you have an older phone and their software does not run on it - I have an iphone 6... Will they force you to buy an upgrade? – Solar Mike May 17 '22 at 12:14
  • 4
    I've voted to close this as "opinion based" because what is reasonable for one person may not be reasonable for another. If you have a specific objection to this, you should explore the options with your employer - for example, I know employers which will provide Yubikeys as an alternative to using a phone. – Philip Kendall May 17 '22 at 12:16
  • 1
    Out of curiosity, why isn't using an authentication app 2FA? I use one and it means to access resources I have to know something (my password) and have something (my phone, with the app correctly configured on it) – matt freake May 17 '22 at 12:16
  • @mattfreake The app uses something you know (the key you gave it when you set up the app, something like OULBOUDSYOUVL8N9) to generate the code, and you only need to know this key to generate the code. This is more obviously the same if you store your password in a password manager (you do use a long string of random characters don't you?). In both cases you have something you know embedded in a software tool stored on a device. Both are accessible to remote access if the device is not secure, both are available to a thief if they get physical access to the device. – User65535 May 17 '22 at 12:27
  • @PhilipKendall I edited it, so as not to be opinion based. Please reconsider your vote – Old_Lamplighter May 17 '22 at 12:35
  • @Old_Lamplighter I cannot see your edits? Did you mis-click? Feel free to improve the question if you can. – User65535 May 17 '22 at 12:44
  • @User65535 Wow, they didn't take thanks – Old_Lamplighter May 17 '22 at 12:46
  • 1
    @User65535 it took that time – Old_Lamplighter May 17 '22 at 13:00
  • 2
    Buy a burner phone and show up to work with it. Ask them how you can authenticate with your device to be able to do your work. Let them figure it out. – sf02 May 17 '22 at 16:43
  • In many cases you have to enter the number of your (private) phone for 2FA. Outside the workplace Twitter was caught using these numbers to slam their users with ads, and has today been ordered to pay $150,000,000 for this. – gnasher729 May 26 '22 at 21:13

4 Answers

11

What are the possible consequences for refusing to use ones personal phone for the authentication and install all the tools required on the single device that is assigned?

  1. You will create yourself a reputation as someone who makes a stink for the sake of making a stink. While most private cell phones are off limits for work use, authentication is a reasonable request with almost zero impact on your device and/or data personal integrity
  2. Whatever backup policy the company has will kick in. People lose, break, and/or forget their mobile devices all the time. There has to be some sort of alternative route to log in, otherwise the company would lose countless hours of productivity
  3. Depending on how invasive or cumbersome the alternative methods are, both you and the company need to decide whether they want to live with this permanently, find an alternative, or end the employment.
Hilmar
  • I disagree with point 1. If I'm required to use a device for security purposes (like 2FA) at work, the company should not only foot the bill for the device (what if I don't have a smart phone, and use an old flip phone for personal reasons), but should also be responsible for the security policies and contents of said device. Leaving authentication to my personal device is opening a gigantic hole in the security of the business. – GOATNine May 17 '22 at 13:29
  • 1
    +1. I’d go about getting a work device for the person but would be thinking “hmm, I may have made a hiring mistake here” the whole time. It’s one step from “how can I be expected to not be late if the company doesn’t buy me a watch!?!” It’s why I pay you a good tech salary. – mxyzplk May 17 '22 at 13:45
  • 1
    GOATNine, do you actually use an old flip phone for personal reasons? Really? BTW It is called 2FA - Two Factor Authentication. You need your username and password on one hand, and the phone with a 2FA app installed on the other hand. The app alone wouldn't help anyone. – gnasher729 May 17 '22 at 13:52
  • 1
    @gnasher729 I don't know what kind of phone GOATNine has, but I do have an old flip phone for personal reasons. And thankfully my company allows receiving one-time passwords by SMS, because I can't install any 2FA apps – Esther May 17 '22 at 14:03
  • @gnasher729 I do actually use a flip phone for personal use. Despite the difficulty in finding flip phones these days, they are cheaper, serve the purpose I buy them for (send and receive phone calls and SMS/MMS), and don't have the inherent security risks a smart phone has. My wife's iPhone, for instance, automatically stored her CC details unprompted. It's a default setting that you have to know to turn off. My sister didn't realize that her iPhone was automatically backing her photos/videos up to the (publicly viewable) iCloud until she had me look into why her data usage was so high. – GOATNine May 17 '22 at 14:03
  • @gnasher729 I also appreciate the condescension. I'm a controls engineer, and use technology from 1970-present day regularly both at work and at home. I have 2FA for my Heroku account and a few other services I want to keep safe. I keep that 2FA behind a high-entropy password access laptop. I do sacrifice some convenience by not having it ready-to-hand, but it's worth the increase in security. – GOATNine May 17 '22 at 14:07
  • Regarding 2. The setup might be for use in home office (in the office you already have some sort of 2FA with computer password + physical access to the office). In this case the backup policy is simply: "you didn't work". Time in home office only counts as work time if you connect to the company network using your laptop. – quarague May 18 '22 at 11:06
4

I expect my employer to be flexible, especially if it doesn't cost them anything. On the other hand, I'm flexible, especially if it doesn't cost me anything. My phone is near me, usually in my pocket, all the time. A second phone from work would be very inconvenient for me because my trouser pockets are not that big. So I find it very natural to use my own phone for 2FA. I use it for private 2FA anyway (lots of things in your private life require 2FA); having two phones for this purpose is just daft.

I fully agree with Hilmar, who called it "someone who makes a stink for the sake of making a stink". So what might happen? Your employer might lose his flexibility, say if you need to leave an hour earlier. Or if you want to work from home. You might be overlooked for opportunities in the company. It will damage your reputation. And nobody will say "it's clever" or "he stands up for his rights".

gnasher729
2

There is a significant difference between using your personal phone as an authenticator device and using it for other work purposes (like phone calls, emails, messaging, etc.).

When you use your work phone for other purposes, there's an exchange of data. If you make or receive calls, other people have your personal number. If you send or receive emails, you will have company proprietary data on your personal device or risk sending a personal file instead of a company file. In cases where companies do allow a personal phone to be used, in my experience they also require applications and permissions to remotely wipe the phone. I'd classify all of these as risks around data.

However, just using an authenticator app, there isn't a huge risk of data loss (either your personal data being sent or company data being mishandled). However, depending on the authentication scheme, there could be risks around what happens if the phone is lost or damaged and the employee is no longer able to access the authentication. Phone insurance may help mitigate some risks, but it may be an added cost for the employee.

From a technical standpoint, I don't see many issues with using a personal phone as a factor for authentication. However, I would talk to my manager about reimbursing at least some costs, such as the added cost of phone insurance or the cost of the physical device if a replacement is needed.

Personally, I would probably initially refuse to use my personal device for any work activities, including authentication. I like the hard separation between my work life and personal life, and being able to ensure that the tools I need for work are protected and secure when I'm not working would be important for me (and I'd assume the company). I'd ask for a company-owned and managed device. The risks of asking for this depend on your organization. However, if you need two-factor authentication and your company won't get you a device, I can see this being an issue. Depending on the services you are authenticating into, there may or may not be alternatives to using a phone.

I wouldn't necessarily push too hard against this request, though. It seems a rather low-risk (for you) concern to risk your standing in the company.

Thomas Owens
  • The primary data risk I face at my current employer (who are happy for me to use oathtool on the laptop) would be if a funding body such as the NIH did an audit: they would require all devices you use on the project to be available for inspection. This could include a mobile phone if used for anything to do with the work. – User65535 May 17 '22 at 13:17
  • 6
    @User65535 Thinking that using a device as an authentication factor would require it to be made available for inspection is a bit of a stretch, especially since no project data is stored there. I would have to see the regulations, contracts, and agreements, but I would have a hard time believing that is the case outside of extreme interpretations. – Thomas Owens May 17 '22 at 14:39
  • They couldn’t ask for your hands if you use a finger print sensor. Currently I have a phone app which shows me a six digit number that I type in manually. My phone cannot in any way access the company network. – gnasher729 May 21 '22 at 13:31
-3

Your personal property is not the property of the company you work for. Requiring you to use a personal device for anything security related is a Bad Idea™. Not only is the security of your personal device beyond the scope of their IT systems (which can defeat the entire purpose of using 2FA during a targeted cyber attack), but the security of your device is entirely maintained by you. How often do you update your device when prompted? How often do you leave your device unattended? How often do you change your access method to your device? None of these are regulated for your personal device.

What if you don't have a smart device to work with that's capable of 2FA? I have a family member who didn't get their first smart-enabled handheld device until 2019, and that device was purchased and issued by the company they work for.

If your device is stolen, lost, damaged/destroyed or otherwise unable to be used for 2FA, what timeframe are you expected to rectify the situation in? Must you foot the entire bill for that? Or will the company share the cost, as it's their system that requires your device to be functional?

Even your choice of personal device could impact its security. Do all mobile OSes have the same vulnerabilities and strengths? Will your company require you to purchase a specific brand of device to simplify security on their end? If so, will they comp the cost, or will you be required to foot that bill as well?

Security is never simple, even in the case of a "simple" 2FA connection. If the security needs call for 2FA access, then the data is important enough for the company to provide a device for you to use for that purpose.

Additionally, if a data breach is traced back to your account, due to your device being compromised, what's your personal liability in the matter?

To the heart of your question, refusal to use your personal device, when approached in a non-aggressive, non-confrontational manner should not raise any red flags with your employer. I would bring up to your employer the potential for personal liability when security is verified through your personal device, and state that you're not comfortable with that. Provide that using 2FA through your laptop, or another employer supplied device is not an issue, as it removes your personal liability from the mix as much as possible, and should simplify security on their end. Any reasonable employer will treat that as fair and work with you on the matter.

GOATNine
  • While I don't necessarily disagree with this, I don't think it answers the question which is "What are the possible consequences for refusing to use personal phone for authentication?" – Philip Kendall May 17 '22 at 13:53
  • 1
    @PhilipKendall Agreed, I will address that in an edit. I got too rant-y and not enough focused on topic. – GOATNine May 17 '22 at 13:54
  • 1
    I have two family members who don't have a "smart-enabled handheld device" at all - they are both three years old. And another one, she is 98. If you lose your phone, you would have lost a company phone as well, so that's no argument. And if you lost your phone without 2FA on it, you would pay for a new one and nobody else. If you are working from home, then obviously you can't work from home until the situation is sorted; either take holiday or come to the office. And as Hilmar said, there's the problem what the company, your manager, and your colleagues think of you. – gnasher729 May 17 '22 at 14:16
  • @gnasher729 the typical goal of 2FA is to increase security. I'm merely pointing out all the ways in which using a personal device reduces security, subject to the individual who owns the device. It's cute that you felt the need to compare me to a pair of toddlers (mine doesn't have a smart device either, just FYI) and an elder in your family, but I don't really see how that brings any value to this discussion. As it stands, it feels more like an attempted personal attack, inferring that my unwillingness to have a smartphone is somehow childish. – GOATNine May 17 '22 at 14:25
  • 1
    Your last sentence is absolutely correct. That's my conclusion, and that will be your employer's conclusion, and that answers the question. – gnasher729 May 17 '22 at 14:27