Employer requiring MFA for work email on personal phone

Employer requiring MFA for work email on personal phone

Author
Discussion

Brainpox

Original Poster:

4,136 posts

158 months

Wednesday 15th November 2023
quotequote all
One I’d like to get the opinion of the collective on. I’m not sure whether to be precious about it or not laugh

I work in the NHS and all NHS mail (NHS.net) users are expected to enable MFA via their personal mobile phones in order to access work email. Either via SMS or authenticator app.

On the one hand, I’m not sure why I should be using my personal device for work matters. Email is essential for communication and if MFA is required then should this be provided on a work device? I could be stubborn and refuse and make my work life a lot quieter without access to email!

On the other I have my phone on me anyway so it’s not really a big deal.

Maybe I’m just concerned about work creeping into my personal life. Just wondered what the hive mind here thought about it?

ETA to clarify, this is to access email on any device including work PCs with a new code required for each device

Edited by Brainpox on Wednesday 15th November 09:42

TheLurker

1,420 posts

203 months

Wednesday 15th November 2023
quotequote all
My view has always been quite clear on such things. If work wants me to have emails etc on the go, provide me with a work phone. Work phone for work things, my own phone for private things.

Interestingly, a lot of people I know who work for SMEs find that a strange concept whereas in larger businesses it seems to be the norm.

Mr Pointy

11,838 posts

166 months

Wednesday 15th November 2023
quotequote all
Just buy a second cheap phone then you can turn it off when not working.

Zetec-S

6,260 posts

100 months

Wednesday 15th November 2023
quotequote all
Unless I'm misunderstanding, they just want you to install the MFA app on your phone, not set up your work emails on your personal phone? In which case is it really a big deal?

I have MS Authenticator installed on my personal phone - it just generates the code when I need to log in to something at work from time to time. Emails are limited to work devices.

Mr E

22,126 posts

266 months

Wednesday 15th November 2023
quotequote all
I would see it as not a big deal, but you absolutely can say “no thanks” and they should provide an alternative method.

Sycamore

1,924 posts

125 months

Wednesday 15th November 2023
quotequote all
Is it that big of an issue? They're not asking you to have work emails come through your personal phone.

Propose an agreement with them - No MFA to come through your personal phone, and in exchange then if anyone sees you so much as touch your personal phone during working hours, they are allowed to shoot you in the leg.

caminator11

391 posts

105 months

Wednesday 15th November 2023
quotequote all
We issue MFA tokens for edge cases like yourself who won’t install a 2FA app on a personal device. Its a lot cheaper than issuing a work phone.

greygoose

8,641 posts

202 months

Wednesday 15th November 2023
quotequote all
Zetec-S said:
Unless I'm misunderstanding, they just want you to install the MFA app on your phone, not set up your work emails on your personal phone? In which case is it really a big deal?

I have MS Authenticator installed on my personal phone - it just generates the code when I need to log in to something at work from time to time. Emails are limited to work devices.
That's what I thought it would be and my other half has it on her mobile to generate a code to log on to her laptop for work emails.

Countdown

42,033 posts

203 months

Wednesday 15th November 2023
quotequote all
Brainpox said:
One I’d like to get the opinion of the collective on. I’m not sure whether to be precious about it or not laugh

I work in the NHS and all NHS mail (NHS.net) users are expected to enable MFA via their personal mobile phones in order to access work email. Either via SMS or authenticator app.

On the one hand, I’m not sure why I should be using my personal device for work matters. Email is essential for communication and if MFA is required then should this be provided on a work device? I could be stubborn and refuse and make my work life a lot quieter without access to email!

On the other I have my phone on me anyway so it’s not really a big deal.

Maybe I’m just concerned about work creeping into my personal life. Just wondered what the hive mind here thought about it?

ETA to clarify, this is to access email on any device including work PCs with a new code required for each device

Edited by Brainpox on Wednesday 15th November 09:42
if they expect you to access work emails on your personal phone then

1. The MFA thing is perfectly reasonable.
2. They should either be providing you with a phone or paying you a phone allowance



C5_Steve

4,831 posts

110 months

Wednesday 15th November 2023
quotequote all
If it's just installing an authenticator, personally I wouldn't care. It'll only be used when you're at work anyway so not really bleeding in to your personal life.

They're becoming more common for certain services anyway so chances are you'll need one at some point for something personal.

Moz_BLY

33 posts

79 months

Wednesday 15th November 2023
quotequote all
Had this when covid started, work required installing authenticator on personal phones. i dont do apps, not on any social media, just whatsapp. i kicked up a fuss, they said im the only one out of 400 people to object. they sent me an iphone se no contract just a phone.
its a personal things id say, if your not happy with it defo make a point, accepting this will just make it more difficult to reject further 'demands'.

Downward

4,078 posts

110 months

Wednesday 15th November 2023
quotequote all
C5_Steve said:
If it's just installing an authenticator, personally I wouldn't care. It'll only be used when you're at work anyway so not really bleeding in to your personal life.

They're becoming more common for certain services anyway so chances are you'll need one at some point for something personal.
Yes it’s an authenticator.

I’ve had this with some of my team and yeah it’s just extra security.

KarlMac

4,480 posts

148 months

Wednesday 15th November 2023
quotequote all
If it’s through the authentication app it’s not too much of a burden as you can always uninstall it if you leave.

Matter of principle I’d be asking for a work device because I’d expect NHS staff working with data sensitive enough to require MFA to also not have personal phones on them at work.

98elise

28,223 posts

168 months

Wednesday 15th November 2023
quotequote all
They will likely have an alternative for those that don't want it on their phone, probably a token.

Personally I would rather just have it on one device. Even when given a work mobile I don't use it, I just list my personal mobile as my mobile contract. I've never had a work call out of hours that wasn't justified.

Herbs

4,975 posts

236 months

Wednesday 15th November 2023
quotequote all
Seems to be a lot of misinformation of this.

Essentially its just an app on your phone that generates a random 6 digit code every 30-60 seconds that you need to enter when logging onto your work PC.

There is no work data or bleed into work appearing outside of work time.

We have just had to do this at work as well and after the initial grumblings which lasted a day or 2 from some staff, its now the norm and has zero impact apart taking 10 seconds longer to log in in the morning.

It also gives you the extra security that a colleague cannot log into anything as you, even if they know your password.

Jasandjules

70,502 posts

236 months

Wednesday 15th November 2023
quotequote all
If it is your personal phone then you are within your rights to refuse. If they "want" you to access emails via a phone they can supply one.

ATG

21,357 posts

279 months

Wednesday 15th November 2023
quotequote all
TheLurker said:
My view has always been quite clear on such things. If work wants me to have emails etc on the go, provide me with a work phone. Work phone for work things, my own phone for private things.

Interestingly, a lot of people I know who work for SMEs find that a strange concept whereas in larger businesses it seems to be the norm.
It's not a norm in big organisations.

It makes absolutely no sense to have to lug two phones around and most people don't want to be tied to whatever hardware the org stipulates, nor does it make sense for most orgs to be the purveyors of phones to anyone when their core activity is something entirely different.

Lots of crap orgs worried for far too long about "control" in general and cyber security in particular while not actually understanding it. Initially they only very grudgingly allowed staff to use their own phones and laptops for business purposes ... until they noticed that some of their competitors were doing it and that it made life easier for everyone. Then they all did it.

Being precious about this stuff is daft. Be pragmatic for your own benefit.

Mr Pointy

11,838 posts

166 months

Wednesday 15th November 2023
quotequote all
ATG said:
TheLurker said:
My view has always been quite clear on such things. If work wants me to have emails etc on the go, provide me with a work phone. Work phone for work things, my own phone for private things.

Interestingly, a lot of people I know who work for SMEs find that a strange concept whereas in larger businesses it seems to be the norm.
It's not a norm in big organisations.

It makes absolutely no sense to have to lug two phones around and most people don't want to be tied to whatever hardware the org stipulates, nor does it make sense for most orgs to be the purveyors of phones to anyone when their core activity is something entirely different.

Lots of crap orgs worried for far too long about "control" in general and cyber security in particular while not actually understanding it. Initially they only very grudgingly allowed staff to use their own phones and laptops for business purposes ... until they noticed that some of their competitors were doing it and that it made life easier for everyone. Then they all did it.

Being precious about this stuff is daft. Be pragmatic for your own benefit.
How would you feel if they insisted on installing remote wipe capability on your personal phone?

andburg

7,690 posts

176 months

Wednesday 15th November 2023
quotequote all
I have a work phone, my authenticator is on a personal device as its what I carry with me when im not at work. No work data, no work emails just an app that pops up when i sign in externally. It should really be no big deal.

My boss/team all have my personal number and know they can call me whenever and I'll try to help however i can and the same applies to everybody else.

I may be reading too much in but its sounds like you aren't have no dedication to the organisation/management or trust in your immediate peers. If havingan app on your phone is such a hurdle my advice would be go find somewhere to work that makes you feel like I do, where you are willing to do more than the basics of your contract without having to be compensated for it.

johnpsanderson

548 posts

207 months

Wednesday 15th November 2023
quotequote all
My employer uses MFA which I have to complete daily, even when fully on site. You can use an authenticator but you can also do it by phone/text. It annoyed me a bit at first as sometimes I run to work and prefer to leave my mobile at home (I expect a lot of people may find that hard to believe!), but as it allows authentication by a phone call too - I was able to setup the option for it to ring my desk landline, although how long that will last for, who knows!