Do I need a new phone for 2FA? (Tad Long)
So recently my work, a mid sized engineering firm, decided to start upgrading their IT security. The rumor is that we have potential DOD work coming our way. Over the past few months there has been multiple company decided changes to our 2 factor authentication mobile app. I willingly installed the app on my phone over a year ago because without it I could no longer use my laptop out of office and couldn't use Microsoft teams or outlook on my phone.
So about 2 months ago my company updated the 2FA policy and because of that, my phone is no longer compliant on the basis of it being to old. The initial consequences were that I lost access to email and teams on my phone, not a big deal because I prefer not to think about work on my off hours. Fortunately, I could still use a txt message to 2FA into my laptop incase I did need to work from home.
Fast forward to last Friday, our IT director sent out an email saying they were again making changes to the 2FA policy over the weekend. Among other things, the changes included removing the txt 2FA option, meaning I could no longer access anything work related as soon as I step out of my office building. Sounds like a dream right, and a good excuse to fall back on.
Come Monday, I find out that I need to use the 2FA app to access our payroll software to fill out my timesheet, even when I am inside the office sitting at my desk. Luckily, I filled out my previous weeks timesheet on Friday. So next Monday, as far as I'm aware, I will not be able to fill out my timesheet to get paid.
My situation: I will admit I am stubborn about buying new electronics, my phone is a Samsung S8 that I bought in 2017 when it was brand new. I currently see no benefits of anything the new phones have to offer but the day my phone decides to die, I will gladly walk into a store and buy a brand new android phone. My work does not provide cell phones and has refused my request to compensate me for my work related phone usage. I have been very vocal to my manager and bosses that they cannot force me to buy a new phone just to continue doing my job efficiently, and now it seems doing my job at all. The responses I have recieved were very indirect and not at all helpful to my situation. Really, I just want them to give me an ultimatum or some other option. I am not willing to lose my job over this but I dont want to give in and buy a new phone just so I can click OK on an 2FA app.
So Lemmy, how should I approach this ticking time bomb?
If there is a technical requirement for you to do the job as an employee (not a contractor), the employer is expected to provide the necessary tools for you to accomplish the tasks they require from you.
With that said, which 2FA methods are available? Is it a proprietary app or you can enroll a TOTP (ie: the QR code)? Are they support hardware tokens (WebAuthn, FIDO2, Passkeys? If they do, they could simply provide you something like a Security Key, which is quite affordable and does thenjob quite well
Must be proprietary, bc TOTP shouldn't be blocked by age of the device
Companies have policies that phones must be receiving security updates.
That might just be the default though, they had sms until this change, so TOTP may still be on the table.
They could be requiring phishing-resistant MFA, which OTP is not
Likely this. If they need to be FIDO2 compliant, then OTP and TOTP will be blocked. Personally, I would demand a company-provided phone for work.
My company is very good at giving me and my coworkers the best available, my workstation plus my laptop are probably around $5000. That is why it is so hard for me to believe they will not reimburse me for a new phone, I have feeling they do not want to set that precedent.
I currently use a 3rd party app called DUO, previously there were several options for 2FA, txt, call, email, and push notification. Now the only options are push notification (will not work on my phone) and administrator backup code. The IT guy had mentioned the security key option, but he said they would not work on most of our desktops because they are all custom built PC's, not sure of the specifics on that one though, I might bring that up to him again. I keep saying a good invention would be a little Wifi pager device that's sole purpose is 2FA.
That device you mention exists, and it works with most computers that have Bluetooth (I can't think of an example where it hasn't).
You should be able to use a device that'll show up if you search "Bluetooth fido2 u2f". Your administrator may need to enable webauthn security keys in the admin panel for Duo.
Many of the devices also support a USB mode, so if you can plug in or it has Bluetooth it's compatible.
https://thetis.io/products/thetis-ble-u2f-security-key https://shop.ftsafe.us/collections/fido2/bluetooth
Aside from this being a totally solvable problem without you getting a new phone, and with very reasonable steps and affordably: you should really get a new phone.
Feature wise the phone might not have anything you need, but your current phone has stopped receiving security updates, which is an issue. In general you should have a phone that is still receiving timely security updates.
Having an unsupported phone is like having a front door with a lock that's possibly broken. It "works" in that it covers the hole in your house, and it might stop someone who wants to walk in, and the likelihood that someone tries is probably low, but there's a good chance that if someone did try, they would find it hilariously easy.
It's reasonable for your employer to only allow authentication from a secure device, which unfortunately yours is not.
Reasonable to allow only secure devices for work: Yes
Reasonable to expect the employee to provide such a device: No
Work should only be done on company hardware (including auth). Especially if they're going to be that concerned about security.
Personally, if it were standard TOTP I'd be happy to add that to my Authy. But if whatever system they want required me to get a new phone? Nah fuck that. But me a work phone.
Eh, it's mixed. People in the US are pretty varied about how they feel about using their own devices. Some people feel the way you do and others feel it's annoying to have to carry an extra phone.
It's one of the reasons android phones have the work profile feature to allow the segregation of work apps and data from personal. Even let's you have management software on the work profile so the employer can do remote wipe and all management without impacting the users personal data.
Most people have phones that get regular security updates, so they don't have any issues.
It's an area where there's little consensus about the best approach, even amongst the largest or most well orchestrated companies.
It's why they definitely should have enabled webauthn authenticators and been okay with reimbursing or providing one.
I mean, lack of consensus notwithstanding, the logic tree should be pretty simple;
Employer demands secure device
Employee has one personally and is willing to use it for work
Employer allows use of personal device
Employer isn't comfortable with BYOD, provides a device
Employee accepts the new device
Employee doesn't accept the device, can't do their job, is fired
Employee either doesn't have one, or refuses to use their own
Employer provides one
Employer refuses to provide one
Employee realizes the company sucks, quits
Employer gets shitty about it, fires the employee, employee sues and easily wins
updated for more scenarios
I'd be surprised if they didn't work, for FIDO2 all it needs is an OS that can do HID over USB (basically everything) and a browser that can handle it.
The only issue I could see is if they disable the USB port for security reasons.
Any company taking 2FA seriously will either compensate you for the requirements to fulfill that security, or provide you with the devices necessary. I used to work at Duo. I currently work for another company that does more or less the same thing. Your company's security team will do whatever it takes to get you compliant because not doing that is on them and not you.
It's honestly wild for a company to allow an employee to be on the verge of locked out of critical services and not be resolving that on their own. They have the metrics in duo to be able to see that you have no viable device to 2FA with.
Oh they knew my phone was outdated, and so did I based on a direct email to me but I was not made aware of the consequences for non compliance and therefore could not react accordingly. That's why I am in the spot I'm at, willing to fold but still looking for alternate routes.
It's the IT department's job to make sure you have all the hardware you need to do your job. While not being able to track your time is something that affects you more than it affects the company, it's still part of the job.
It is certainly not your job to buy new devices with your own money. Also, I would highly advise your IT department against letting you use a private device that you carry around in your free time and even on vacation as your second factor. Anything that can be used to access your work data should never be with you when you're getting drunk in a bar.
If you're financially stable enough that getting paid a few days late doesn't hurt you too much, I would recommend you ask IT for a new phone (that you will only use for work!) and hand in your time sheets in whatever form is the least convenient for HR until the problem is resolved.
Yeah, malicious compliance is likely the quickest route to getting things resolved on your terms
Agreed. I'm a sysadmin and manage Duo for my org. They should provide you with a device that complies with their policy or make an exception for you. They won't do the latter, so the former is up to them to solve.
Yep!
If they fail to get even 1 employee on 2fa, their insurance against a cyber threat could ultimately deny their claim. Starting to happen a lot.
Ask them to reimburse you the cost of a new phone.
Ask them to give you a yubikey or some other OTP token device.
Talk to your boss and talk to security Tell them your phone is not supported and you would like to get paid. They will have to find a way to work it out.
The fact your phone is so old it doesn't get security updates is a separate matter so I understand their security posture. But they cannot make it impossible to get paid
I told my direct boss today after having several conversations with IT. My boss knew of the situation but is now taking it more seriously because I told him I would not be able to log my hours next week, which came as a surprise to him, he noticed this was the first time he had to use the 2FA to get into the payroll software.
Yes, my phone is old as shit, I cracked the screen 5 years ago and it's surprisingly still waterproof. I have had this phone longer than I have had my job, they have no bearing on what cell phone I use, hell when I was hired in I didn't even use my phone for work other than phone calls. I understand my companies position as well but instead of requiring the employee's personal property to be up to their standards they should offer an alternative method.
Agreed. Depending on their security stance the will just issue you a TOTP fob that you just carry around for the one-time codes.
they need to give you a 2fa device.
From the tech point you can always install lineage and your phone will be "new" in the eyes of the app and company. Or request a yubikey or a similar, that's what my company uses. Security wise company stuff should be done on company hardware. And obviously they should pay for stuff needed to do your job.
If you update your phone it will at least be more secure than an outdated 2020 phone. So that's what I would do if I did not want to change phone and did not care about hardware security.
https://www.xda-developers.com/unofficial-lineageos-17-1-android-10-samsung-galaxy-s8-plus-note-8/ maybe something newer out there on xda forum
My dad had this same issue. He spoke to IT, and they sent him a security key he could use instead. Ended up needing a new phone a few months later anyway though...
Thanks for the advice,
My takeaway is that I should look into a 2FA dongle and offer it up as an alternative. I mentioned in my post that the main IT guy looked into that and said it would not work on most machines, not sure if someone has any insight on that. My company started building custom machines a few years back for the CAD users and everyone ended up getting one eventually. My PC runs windows 11 and is pretty much a gaming computer from 2020, I9 processor, a 2080 super, and some random motherboard. What reason could there be that my computer would not accept one of these dongles?
AFAIK there is zero reason, any standard U2F hardware key like a YubiKey should work.
There are two different, and only slightly related, things here:
The first absolutely can and should depend on the age of your device. MAM or MDM policies combined with Conditional Access should block older devices not receiving security updates from accessing and storing company data.
The second, assuming they are now requiring phishing-resistant MFA, only requires that you have the Microsoft Authenticator app installed (FIDO2 and CBA are alternate PRMFA methods, but more complicated to implement). The MS Authenticator is supported on Android 8.0 and above and your S8 supports Android 9.0.
So unless there is a job requirement to use your phone for email and Teams -- in which case they should definitely offer a stipend or CYOD phone -- you should be fine just installing the MS Authenticator app on your phone and using your work-issue laptop for email and Teams.
Edit: I just saw your other comment that they use Duo. In that case you might be hosed since it requires Android 11.0. I'd at least start by opening a ticket with the help desk and keep an email trail with your manager of what part of your job you can't do. But they should be able to provide a method of authentication that complies with their policies.
Update 1.
Talked to my boss and he said dont worry about my upcoming timesheet because he can fill it out for me but he will not do that indefinitely so a new phone is required. He also told me that I can start using the phone bill stipend, which is 40 bucks a month so that almost covers my bill plus a phone payment plan.
I asked about the Yubikey and he told me that in the next policy change we are going to remove usb access on all of our machines to further comply with security demands, so that would defeat the purpose of the 2FA dongle.
Guess I'm getting a new phone. I looked into the lineageOS route and it seems I would have to factory reset my phone anyway and that is probably my biggest problem with getting a new phone anyway so I won't be attempting that.