210
submitted 5 months ago by Martin@lemmy.ml to c/asklemmy@lemmy.ml

So my company decided to migrate office suite and email etc to Microsoft365. Whatever. But for 2FA login they decided to disable the option to choose "any authenticator" and force Microsoft Authenticator on the (private) phones of both employees and volunteers. Is there any valid reason why they would do this, like it's demonstrably safer? Or is this a battle I can pick to shield myself a little from MS?

you are viewing a single comment's thread
view the rest of the comments
[-] ziby0405@lemmy.ml 22 points 5 months ago

≥ and force Microsoft Authenticator on the (private) phones of both employees and volunteers.

Refuse to use the service until they provide you with a work appointed phone. Volunteers admitedly have a more difficult time with that but as someone else said you can indeed do text/call options.

[-] smileyhead@discuss.tchncs.de 6 points 5 months ago

a work appointed phone

With all the tracking that comes with it.

[-] ShellMonkey@lemmy.socdojo.com 4 points 5 months ago

Not much of a privacy risk if it where used for a dedicated purpose and just left off in a drawer otherwise though. My employers pushed the notion of MS authenticator, but left the options to use regular TOTP available, just had to look a bit to find them. Even if they absolutely forced corp software though, a cheap wifi-only setup device is a viable option.

[-] ElderWendigo@sh.itjust.works 4 points 5 months ago

Who cares? It's a work phone that is used only for work, they are entitled and expected to track it as much as my work laptop or any other company equipment. That's not a privacy issue unless you're using company resources for personal stuff. If I don't want them tracking me I just turn it off or leave it at home.

[-] smileyhead@discuss.tchncs.de 1 points 5 months ago* (last edited 5 months ago)

They might expect you to be available via the phone 24/7 and carry such sensor packed device anywhere.

[-] BorgDrone@lemmy.one 6 points 5 months ago

I’ll be available 24/7 when they pay me 24/7.

[-] rekabis@lemmy.ca 1 points 5 months ago

This is the way.

[-] Saik0Shinigami@lemmy.saik0.com 1 points 5 months ago

The point is that the phone will be tracking 24/7 regardless of your actual availability.

[-] rekabis@lemmy.ca 1 points 5 months ago* (last edited 5 months ago)

The point is that the phone will be tracking 24/7 regardless of your actual availability.

A faraday cage on your work desk can take care of that during off hours, especially since most batteries have become non-removable and phones don’t truly shut down anymore. Just put your work phone into the cage when your shift ends, take it back out when your next shift starts. Easy peasy!

And if they demand 24/7 access, they will need to provide 24/7 pay.

[-] Saik0Shinigami@lemmy.saik0.com 1 points 5 months ago

Not sure I understand what the faraday cage would accomplish. It's the companies device. You'd be skipping this presumption outlined earlier in the thread

they are entitled and expected to track it as much as my work laptop or any other company equipment.

Leaving the work phone at work is a valid answer to me. Assuming that doesn't actually come with any other downsides (working offsite and having to return to the office on unpaid time just to drop off the phone for example).

[-] ElderWendigo@sh.itjust.works 0 points 5 months ago

And my point was that a separate corporate device makes it trivial to manage my privacy and availability. Using my personal phone for work is a hard NO.

[-] Saik0Shinigami@lemmy.saik0.com -1 points 5 months ago

Your point is illogical.

You stated

they are entitled and expected to track it

Just to turn around and back-peddle

If I don’t want them tracking me I just turn it off

Are they entitled to it or not? If they're entitled, then why do you have a right to cut it off? I'd argue they have no right to it to track me off hours at all... regardless of the device used. u2f tokens like yubikey would be just as sufficient for 2fa with none of the tracking.

[-] ElderWendigo@sh.itjust.works 1 points 5 months ago

You're so eager to argue that you didn't actually comprehend what I said.

[-] Saik0Shinigami@lemmy.saik0.com 0 points 5 months ago

Or I brought up a point that you didn't consider, and rather than addressing it you need to resort to low level ad hominem. You contradicted yourself. Either explain the contradiction or move on. There's no point in this comment unless you're attempting to discredit me without reason which just makes you look bad.

[-] ElderWendigo@sh.itjust.works 0 points 5 months ago
[-] Saik0Shinigami@lemmy.saik0.com 1 points 5 months ago* (last edited 5 months ago)

What a great addition to the conversation. Congratulations! You've still addressed nothing!

[-] hummingbird@lemmy.world 2 points 5 months ago

Agreed. From a privacy perspective, it is a lot safer to run the app in an environment where you have admin control. E.g. disable when not in use, block access to sensitive device information, limit background and network activity as much as possible.

[-] ziby0405@lemmy.ml 2 points 5 months ago

yes? use it solely for work purposes, at work, turn it off when you clock out...

your employer is not your friend.

[-] Jayb151@lemmy.world 2 points 5 months ago

I work for a global company and help manage MFA for everyone...I use Google's authenticator on my personal phone as they didn't give me a work phone.

I still don't understand why a hardware token isn't being used. It's such a low cost option when compared to buying a phone and plan for a user.

[-] AtariDump@lemmy.world 2 points 5 months ago

Because you can’t call someone on a hardware token.

[-] Jayb151@lemmy.world 1 points 5 months ago

But not everyone needs to have a work phone, some just need to authenticate

[-] AtariDump@lemmy.world 1 points 5 months ago* (last edited 5 months ago)

Then buy them an iPod touch.

this post was submitted on 30 May 2024
210 points (94.1% liked)

Asklemmy

43750 readers
1250 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS