The End Of The Desktop-Based Authenticator

A few years ago, we were told we must use two-factor authentication. (I’m sure I had a blog on that but can’t find it.) Two-factor authentication is much more secure because even if someone has your username and password, they cannot get in without also being able to generate your codes.

The idea of a desktop-based authenticator is absolute nonsense to me. If you want to log into a website on a different device, you cannot, because your authentication codes are on your main device. Maybe you could install it on multiple devices? But even if that is allowed, isn’t that still increasing the risk? And if you are restricted to only using the computer where the authentication codes are, then if a malicious user has got access to your computer, they also have access to all your authentication codes, so the second factor adds nothing.

A few years ago, we got a new security expert, and have been increasing security over time. Recently, one of the companies we own was hit by a ransomware attack so security has increased once again.

We were told there would be more restrictions placed on personal use of company devices, and that instead we should buy our own tablet/laptop/computer for internet browsing.

I was really surprised that they are only now advising getting rid of the desktop-based authenticator, and now say that we all need to install it on our phones. I did that years ago.

“Having a desktop-based authenticator is no longer an appropriate feature as unfortunately external threats are becoming ever more clever, and a compromised laptop or workstation would mean the authenticator could be accessed, and that would lead to credential compromise and be extremely damaging to our organisation; hence the authenticator is no longer deemed safe on the same device.”

They also stated that authenticator apps are “required everywhere”.

One employee launched into an absolute tirade about it. He did make some good points about how necessary equipment should be provided and managed by the employer.

The Tirade

I have to disagree that authenticator apps are used everywhere. I only need it for work. My bank uses my biometrics for authentication, and it is the same for my Bitwarden (password vault), health app interactions and credit card companies. I feel you are trying to use grammar to try and mitigate the fact that this is an app I only need for work vs a "work app". The reality for me is this is an app I need only for work purposes, and whether I call it a work app or an app I need for work, it is the same thing.

It seems hypocritical that at a time when we are being told that no personal use can be made of work laptops and that we should use the new benefit introduced to buy a personal laptop, the organisation is forcing us to install applications for work onto our personal phones. My wife is the Pro Vice-Chancellor at a university that was hit (last year) with a cyber attack and they are still recovering from that incident now. The impact has been devastating. They use MFA for access to all their systems, and the university has provided devices to all staff to ensure that they can continue to access the systems they need without the need to purchase personal equipment for work or use personal devices to enable them to work, because they understand that securing their systems requires investment.

The reality for me is I already have a number of work apps on my personal mobile phone... WhatsApp for Business Continuity purposes, webexpenses to be able to claim expenses and now Authy. It is becoming increasingly difficult to have a clear distinction between work and personal life. I can totally understand why some people may be unhappy with this continued blurring of the lines on mental health grounds, but there are also those who have reverted back to unsmart phones. I considered this at one point when I decided the toxic nature of social media platforms was extremely unhealthy. In the end I just removed all those apps from my phone because I decided the value of the other applications was worth sticking with a smartphone. If you don't own a smartphone, are you now expected to buy one to do the job? If we lose our smartphone, do we need to inform IT that our work authenticator has been lost and therefore potentially compromised? There needs to be a clear policy on expectations above and beyond the "just do it" messaging so far.

There have also, unsurprisingly, been a number of cases taken to court in recent years for people unwilling to install applications on personal phones that are required to perform work functions. Most cases have ruled in favour of the employee, with advice given such as: "[...] Secondly, employers facing resistance from employees about the use of technology should explore whether any other solutions are available. In this case, the issue may have been swiftly resolved by providing a work phone or installing the app on a laptop. Had the Claimant continued to refuse to use the app in those circumstances, it is likely that the employer could have fairly dismissed for misconduct, subject to following a fair procedure. [...]" So are there alternatives available? I know we have a huge number of work mobile phones that are unused. Couldn't these be provided to those wanting that work/life separation protected? They wouldn't need a SIM as the app will work over Wi-Fi, so the cost is minimal.

Closing Thoughts

Personally, it’s not a big deal for me because I already use an authenticator app for everything that supports it, and I only have maybe 4 codes for work-related websites. I think it would be more inconvenient to have a separate device, and if I did, I would end up leaving it next to my laptop. So if the laptop was stolen from my house (where I work), they would steal the phone next to it too, and that is back to the desktop-based authenticator scenario. Although if the phone requires a password or biometrics to unlock, then the codes on it will still be protected. If I only have one phone, then the phone leaves the house with me, which has the benefit of security while not being as much of a pain to replace.
