MFA is not that complicated..
Posted by Ethan_231@reddit | talesfromtechsupport | 253 comments
So, the past few weeks, the MSP I work for has been rolling out MFA to our clients. One of them is a small-town water plant. This user calls me up and asks for help with setting up MFA. I connect to their machine and guide them to the spot where they need to scan the QR code on their app. (User said they had MS Auth already installed.)
User: “It says no link found.”
Me: “What did you scan it with?”
User: “My camera app.”
Me: “You have to scan it with Microsoft Authenticator.”
User: “What’s that?”
Me: “The multi-factor app you said you already had.”
User: “Oh, I don’t know what that is.”
I send them the download link and wait five minutes for them to download it. We link it to their app.
User: “Okay, so now I just delete it, right?”
Me: “No, you need to keep it.”
User already deleted it before I answered.
Me: internal screams....
Maxfire2008@reddit
What is wrong with the user? Did a previous tech get them to delete it then reinstall an app? Surely one couldn't be so stupid as to delete it immediately.
RandomBritishGuy@reddit
Some people (often those with iPhones) really struggle with space in their phones. I had a user have to delete some videos and a couple of apps to install the authenticator app when we rolled out MFA, because they had no storage left.
LVDave@reddit
I recall that problem back in the VERY early days of Android phones, where you only had 32 GB of storage, and EVERY damn store/company had an app they wanted you to install. Not a big problem anymore, as most phones now have 128 GB+ storage. I see some of the "flagship" phones now have 512 GB.. Geez..
PiotrDz@reddit
This is awful. He had to uninstall personal files to have a company app on his phone? Are you really so broke as to demand it from your workers? In the EU this would not fly.
RandomBritishGuy@reddit
They did this before I knew, I wouldn't have asked them to.
And they only removed what they had backed up in other cloud services, and didn't need backed up to iCloud as well.
Joan0116@reddit
One trick I found is that if they set up the Microsoft MFA app at least once, then add their phone number as well as another auth method, they can delete the app and just use the phone number option instead when they log in, and they will not get prompted to set up the app again.
felix1429@reddit
Never underestimate how stupid end users can be. Especially people who think they know what they're doing but absolutely do not, lol.
Ejigantor@reddit
The user thought this was a "one time thing" where they needed to install an app to do it, and once it was done they could delete the app and never worry about it again.
LokyarBrightmane@reddit
They're in the system now. Next time they need to get in they can just get a new one time code from it support, just like this time.
duckvimes_@reddit
Well it's called a one-time password, so... duh...
Ethan_231@reddit (OP)
Absolutely no idea...
felix1429@reddit
MFA may not be complicated for you or I, OP, but if your MSP is just rolling MFA out, you're going to find out soon that many, many end users disagree. And walking people through setting up Authenticator can be....fun. Wait until you start getting people complaining about having to use their personal devices for work just because they need to set up MFA, you'll be in for a treat!
tinySparkOf_Chaos@reddit
I'm fine with an Authenticator app on my personal phone.
Up until management says I'm now required to install their junkware MDM, because my device is now being used for work.
Worse yet if they bundle the MDM and the authenticator into the same app.
HadesGamingPL@reddit
MS Authenticator doesn't bundle an MDM - what app are they trying to get you to use?
tinySparkOf_Chaos@reddit
It's more of a:
They haven't bundled an authenticator and MDM yet. (But I'm worried they might try and find one).
LVDave@reddit
Ohhh.. THAT would be a dealbreaker for me.. I have ZERO problem with an authenticator, as I already use the google one for my personal systems. BUT if I landed a job with a requirement that because they require authentication, they ALSO require an MDM on MY phone??? Uh NO, Not happening.. If an MDM is required, they will issue a company phone OR let the next guy take this contract.. I don't really NEED the $$$, just want to keep busy..
HadesGamingPL@reddit
Ahh, I see - my organization doesn't require an MDM for Authenticator because of this exact scenario. I still get a LOT of people saying "but I'd like to keep my work and private life separate :)".
I tend to tell them they can either chance it and try to get a work phone approved (which they would be expected to bring to work every day and keep charged and not lose) or they can deal with the app. Usually they just install Authenticator with a little grumbling.
dustojnikhummer@reddit
It is a fully valid argument.
felix1429@reddit
How does having MFA for work accounts on your phone prevent separation of your work and private life?
dustojnikhummer@reddit
What if I decide to root my phone and Duo just refuses to work?
felix1429@reddit
That sounds like a personal problem, tbh. Do you like having a phone that can't run extremely basic apps?
PiotrDz@reddit
So this is why user above was concerned with separation between personal and work life. Work is now preventing an action on his personal device.
dustojnikhummer@reddit
That is my choice.
I can't do what I want with my hardware.
RelativisticTowel@reddit
What if I drop my phone in the toilet? Lose it? Forget to charge it? My crazy ex steals it and holds it hostage? I install spyware on it and it steals the keys? I do not want my ability to do my job to be tied to a device that I carry everywhere.
Fortunately I live in a place where by law my employer must provide me with any tools required, because I have 2FA for all my personal stuff, but there's no way I'd ever install it for work.
dustojnikhummer@reddit
Is that mandatory or can you decide to put work 2FA on your personal phone? I don't mind people having it on their personal phone, as long as there was a choice. No "use it or you are fired"
RelativisticTowel@reddit
Legally the company could offer me the choice. I struggle to imagine that though. I work in the semiconductor industry, our IT is borderline paranoid about data security for good reasons. People with access to very sensitive data have mandatory 2FA on a hardware key (the kind you must plug in, no numerical codes). There's areas where you're not even allowed to bring personal devices. Never know who's watching/listening...
(it's China, and they would absolutely love to get their hands on semiconductor data)
dustojnikhummer@reddit
Yeah, in some industries total data islands make a lot of sense
abscissa081@reddit
MS Authenticator can register your device with Microsoft. This allows me to make a backend policy that only allows sign in from known devices. But it’s no MDM at that point.
LVDave@reddit
I already use the Google MFA app to secure my home vpn and several webservers I maintain for some local organizations. I landed a contract for a short term support job and they required either the MS or Google MFA apps and it was trivial to add their system to my app..
felix1429@reddit
MDM enrollment and MFA apps are world apart - I completely understand people not wanting to have their employer have access to their personal phone, but MFA alone doesn't do anything close to that.
tinySparkOf_Chaos@reddit
I'm fine with MFA on my personal device. MDM not so much.
The issue is if management says that the MFA counts as a "business use" of the personal device
And then tries to apply its "all personal devices used for any work use require an MDM" rule.
felix1429@reddit
I think that's a completely valid distinction.
Finn-windu@reddit
Our solution to the complaints about using personal devices for work is telling them they can carry around an RSA key with an ever-changing number on it. So far the only people who have taken us up on it are those with really old phones where it legitimately is easier to use the key; most people don't feel like carrying an extra item on their keyring.
abscissa081@reddit
The decision makers have decided that it is a condition of your employment here, please speak to your supervisor. Not my job to convince Clicky Becky at the front desk to secure her account.
sandmyth@reddit
sorry. my phone is bootloader unlocked and rooted. your MFA app refuses to run.
QwertyChouskie@reddit
Aegis works fine for me, even has its own optional app password.
felix1429@reddit
Even more reason to have MFA on your work accounts...
Do you use MFA at all? Or are you just rawdogging it?
sandmyth@reddit
managed to get a yubi key ordered for me
felix1429@reddit
Cool, convenient that everything you use at work is compatible with a Yubikey. I have a couple for work but not all of the software we use is compatible, and my employer has MFA turned on for everything that supports it, and a solid ~third of what we use doesn't support Yubikeys as an authentication method.
sandmyth@reddit
It was all set up previously to use a rolling 6-digit code (although I don't think time-based). The YubiKey 5 allows you to set up OTPs. Couldn't tell you how they work, but it's the fallback for all our applications.
abscissa081@reddit
I mean that's fine. Whenever we roll out MFA to a customer, we just hand over the list of refusals at the end and figure out what to do. We'll offer suggestions but we don't make the decision. Not my company, not my problem to decide, not my app, not my phone.
bgatesIT@reddit
not my monkeys, not my circus
flowingice@reddit
I'll take unemployment benefits due to changes in job requirements.
abscissa081@reddit
I’m curious to know if this has actually gone down. I don’t know enough about employment law or unemployment to know if that would actually fly.
flowingice@reddit
It hasn't, but I'm from the EU so it would be much easier to exempt someone from 2FA or provide them with a business cellphone or hardware token. It would be very hard to fire someone for not using a private cellphone, and when you do they still need to work 2 weeks to 3 months depending on how long they've been employed, or you can pay them out for that period. After that they also get unemployment benefits if they fulfil government requirements.
I was always allowed to use my phone without MDM and import OTP key into andOTP instead of Authenticator or whatever it's called. If you're from USA you need to understand that we have rights and don't allow companies to do whatever they want.
now_you_see@reddit
I’m surprised. I’d much prefer an RSA key to using my personal phone.
Finn-windu@reddit
Same. My feeling from talking to them/their complaints though, isn't actually that they had an issue with the mfa app. They were more gunning for getting reimbursed for personal phone use, or trying to angle for a company phone. When they realized neither of those was happening, they didn't care enough to continue.
maroongrad@reddit
If it's that important, the company can get me a phone. I put my phone on Do Not Disturb, put it in my bag, my bag in my desk, and leave it there until the end of the day. You want me to get it out, turn it on, respond to the app, do any and all other crap, and then go back through storing it? Once or twice a month sure. But every time I take it out and use it that's adding more wear and tear to a device I barely touch. They want to get me an otter box and reimburse me 100% for the phone if it gets dropped or damaged while taking it in and out multiple times a day? Plus reimburse me for time spent shopping for and setting up a new phone at my usual hourly rate plus overtime if I'm not at work? Don't forget driving to get the new phone in the first place.
Some of us do not view phones as breathing devices. They're for occasionally finding directions every few months, calling the spouse to let them know I'm picking up the kid/dropping them off/she's sick, and setting up drs appts during break at work. Oh, and when waiting somewhere I'll occasionally play a color-by-number game. Otherwise, I have a laptop. The phone I literally ONLY have because I had to buy one several years ago for a training program, and I only got rid of THAT phone because they got rid of 3G. I got a 5G so hopefully I won't have to deal with all the new-phone crap for years more.
If you want me to install apps and crap on MY PERSONAL PHONE that is 100% a no go. I also won't use my personal vehicle to run company documents places or to take visitors from building to building. If it's that important, the company can buy me a phone that's just for company use and they can install any POS they want on it. My phone is for personal use and damn little of that. I'm fine with MFA that involves answering questions, even logging in on a different email account on the same computer. Make me haul around my personal devices JUST to authenticate??? Hell no. Most days I have a vague idea of where my phone is. Either in the bag, in the car, or on the charger, and I'll have to go look for it if I need it for something. I'm not exactly likely to even HAVE it at work. It's not related to work, it's not relevant to work, it's not needed for work, and I don't use it at work. Want that to change? Buy me a pretty much disposable phone that I'll keep in my desk at work and not worry about dropping, draining the battery on, not usually even having it with me, etc. If my job SAYS I am absolutely required to use my personal electronic devices for work and I have signed a contract agreeing to it, sure. Otherwise? No. You can't use my car, my microwave, my TV, or anything else either.
Finn-windu@reddit
Wow, that's a long rant when I already said people would have the option for an RSA token if they didn't want to use their phone.
maroongrad@reddit
The general gist of the other posts is that OF COURSE you should use your own personal device.
I've actually used one of the devices with the code that updates every ten minutes or so. Had no issue with it and would take one again no problem. But the posters thinking it's no big deal to have someone install an unwanted app, required for work, with no say it in, on their personal phone because it's easy to do?
Sorry, not happening with most people in my generation or really a lot of people in general outside of high-tech jobs. If you want to put an app on our phones that we didn't request and didn't do our due diligence on...no, not unless we trust our bosses implicitly and that no one else will ever be hired on in place of them. Why? Well, at my job, we were told we should use our business email on our phones, but we needed to install an app.
Too bad so sad, we researched the app and it gives the tech guys the ability to see anything on our phones and delete it. They were super confused why literally NO ONE let them put the app on our phones.
Hopeful_Extreme4084@reddit
poor fucking baby.
how do you use netflix or any online service in your real life? They all require MFA at this point.
You know why we need MFA? Because you're too lazy to type your password in every time you log in and tell the app to remember you.
dustojnikhummer@reddit
But that is their choice.
WalmartGreder@reddit
We have a company approved password manager that will scan a QR key and automatically supply the code when asked, as long as you're signed in to the manager. This has saved me A LOT of time.
jgiacobbe@reddit
Me too
Kyla_3049@reddit
Why not roll that out to everyone? I'm about to get an S24 FE (not even released yet!) and I would prefer that.
Finn-windu@reddit
I'm not the one that makes the decision, but my guess would be one of four things:
The first is that it's more money (I'm assuming), the second is that people would lose their tokens and need new ones more often than they'd get new phones, the third is that we'd need more inventory management because of 2, and the fourth is that it's slightly less secure since it'd be easier for someone to swipe a token (or see it left at a desk), then swipe a phone and also unlock it to get to the app.
Rathmun@reddit
Pretty sure everyone I know personally has replaced their phone more than once since the last time they replaced their house key. Yubikey oh-so-nicely fits on the same keyring no problem, and it's so easy to explain to users.
"This is your key. It's like the key to your front door or your car, but it's for your work computer. Just stick it in the slot."
sandmyth@reddit
I picked a yubikey key over putting company stuff on my personal phone.
abscissa081@reddit
I mean anyone with half a brain should have mfa in their personal life. If people don’t want MS auth, usually they have Google or something already, and they’re okay with doing the normal rotating code.
My fave is when people already check their company email on their phones but don’t want to do MFA.
techforallseasons@reddit
I have MFA everywhere possible for personal accounts; I just want as little work-related data as possible on my personal device. So Yubikey and standalone TOTP is fine with me.
Frekavichk@reddit
I mean the Microsoft mfa is not company stuff, tbf.
twopointsisatrend@reddit
They use their personal device to call in sick. Should their employer provide a device to all employees for that use? smh
felix1429@reddit
I don't know why you're being downvoted when you make a valid point. It's not realistic to expect every company to provide company devices (phones especially) just for MFA. Sure, things like YubiKeys exist, but those aren't cheap and can be lost.
I get not wanting to mix work and personal stuff, but MFA is not intrusive at all, it's not like being required to enroll in MDM or something like that.
twopointsisatrend@reddit
I'm guessing that they missed the sarcasm in my post. Guess I should have used the/s
felix1429@reddit
Apparently your extremely subtle joke went over peoples' heads, so may not have hurt.
WrappedStrings@reddit
I personally opt to do this. I have a modern phone, granted it's not a great one. But in general I prefer purpose built devices. They function better and are less bloaty. And it's not a huge problem for me to enter 6 numbers whenever I log in
Ejigantor@reddit
100% this. There can be a lot of selection bias with support workers because we work in offices on computers all day, and most of the people we interact with outside of end-users are in a similar situation, so we can tend to forget that lots of people DON'T.
I got really good at efficiently conveying what MFA is and why we use it when my company rolled it out, because it addresses a problem most people aren't aware of and don't think about in their day-to-day lives.
It's always good to keep in mind that we do this stuff for a living, and so are constantly immersed in it, but a lot of end users don't.
Saya-_@reddit
On the other hand, when your job involves working with/on a computer at least 50% of the time you should be able to follow basic instructions (which I assume was handed out/sent via mail) and have basic computer knowledge.
You don't get a job as a truck driver without having the appropriate license - same should apply here.
I don't expect people to troubleshoot every issue they have, but installing an app *shouldn't* be much of a problem.
I know reality is different though sadly
Entarotupac@reddit
In theory yes, in practice, **** no. I was the de facto tech guy in a university English department where I taught English, despite having an actual tech guy and six other tech guys in the department's dedicated tech support center. I was a one-eyed man in the land of the blind and spoke the language of the humanities (humanitese?), so I--absent spine and all--was a safer choice to bother about piddly tech stuff. These folks had to do everything through an LMS and grade papers on screens and they hated every second of it. It wasn't ignorance, they actively fled from anything more modern than the cotton gin. When they rolled out MFA, my colleagues lost their damn minds. They gave us a six-month lead on the rollout to students and by golly ~~we~~ they needed it--to install an app.
reddit_username_yo@reddit
To be fair to your colleagues, I'm in tech and I hate every second of interacting with the LMS (while I use GlowingArea, I hear the other common ones are worse, if that's even possible). Buggy, slow, broken security model, UX designed by Satan - I have my classes do as much as possible through github instead.
Thulak@reddit
I had new trainees for our IT department. I had to explain what a web browser was. Those kids couldn't navigate basic Windows functions because they are too used to touchscreen devices. There are positions where I can understand that, but upcoming sysadmins and security specialists?
Ejigantor@reddit
I suspect this isn't as many jobs (as a proportion) as you might think.
The majority of the end-users at my company use computers maybe 15% of the time, and 99% of that use is entering documentation in pre-made forms.
The overwhelming majority of workers at my employer don't even have company provided email accounts.
Saya-_@reddit
That's a very different story then, absolutely!
I was commenting from my own experience, where a majority use their computers either 50 - 80%+ of the time vs a few that do so like once a week. - Definitely completely different userbase you have then.
And we still have users I had to explain how you do Microsoft MFA via phone call 3 days in a row
djshiva@reddit
I have to help people set up MS Authenticator daily, multiple times a day. I have become a pro at it. But it's still shocking the issues people have even with me holding their hand.
"What do you mean 'scan the QR code'?" Point the camera that just opened at your computer screen until the weird-looking square is in the frame.
Loading_M_@reddit
In that environment, a good MFA design would likely wind up looking different. I would push for something like a badge + pin as the two factors, since it A) speeds up the login process (which they likely have to do very often), and B) is easier to manage with shared computers and so forth.
SheepherderAware4766@reddit
I'd have agreed if I hadn't replaced my grandmother's teletype and dialup service when the company stopped making replacement toner cartridges. She still complains that it was faster and easier to use.
For those that don't know, a teletype is a typewriter hooked up to a fax machine. It could type locally or send & receive faxes. At one point, this machine was the work-from-home interface for a building sized database.
lili_dee@reddit
I got told this week that users might need help with logging out of an ERP. In my opinion, if you don't know that, you shouldn't have access to the program in the first place, right?
Saya-_@reddit
Had to onboard a user the other day who was gonna work in our warehouse, which is about 50% manual work, 30% SAP and 20% other stuff on a computer.
Didn't even know "shift" made it possible to type capital letters. Never even used a computer, keyboard or mouse before in their life.
lili_dee@reddit
I don't know if that is more sad or more scary.
RcNorth@reddit
I think it is sad.
They have been able to make it this far with never the need to use a computer and now they have to.
What big event in their life required them to have to start a new job that requires a computer? Were they let go from their previous job and can’t afford to retire yet?
Reztroz@reddit
Good chance they’re younger.
Why would they need a computer when they have a smart phone, tablet, and game console?
As such they wouldn’t really ever use one, so wouldn’t know how to.
cephalopodcat@reddit
This honestly makes my head hurt. It makes a terrible amount of sense that 'kids these days' are coming in with little to no knowledge of troubleshooting or computer skills, because all their devices just work. Why know how to do X when your iPad will do it for you? Who needs to know how to spell with a spell check and autocorrect, what use is grammar with grammarly installed, etc.
bhambrewer@reddit
People are coming into the workplace having only ever used smart devices instead of laptops or desktops.
shiftingtech@reddit
My smart devices all have shift keys too though. I'm not sure that's even an excuse for that particular story
gman4757@reddit
Right, but it doesn't say shift, they're just up arrows
jonas_ost@reddit
At my job it's not even office workers. Try and teach a 60-year-old carpenter how to do all their admin stuff on a phone.
thgreatn@reddit
When helping ppl in similar situations (usually older, little computer experience, zero software experience other than MS Word) and I sense their frustration level rising, I tell them that, "everybody hates their phone. I am not exaggerating or being funny. Go ahead and ask other ppl you know. Everybody hates their phone, but hardly anyone wants to stop using them. I personally have stood 10 ft from a brick wall and thrown my phone at it." This statement from me seems to help them accept a much higher level of frustration during their process of learning how to do various tasks on their "smart" devices.
derKestrel@reddit
I said I cannot install the MFA app on my phone to IT at work. They told me to come in and bring my phone, they will install it for me no problem.
The face of IT at my workplace when I gave them my LG A340.
I got a phone from work now.
matthewt@reddit
"A340 features a Senior Mode for enhanced phone audio."
lolololololololol
RaindropBebop@reddit
Hit 'um with the good old ATM analogy.
markhewitt1978@reddit
The 30 seconds to use the code gets a lot of people too. For some reading the code, remembering the code, then switching to the computer and then inputting the code, takes way more than 30 seconds.
nerdguy1138@reddit
Whose memory is that bad?
Ejigantor@reddit
When it's two separate devices - computer and phone - it's not actually an issue; the user can look at both at the same time.
Trouble comes when someone is trying to log in to view their timecard / paystub on their phone, so they have to switch between apps in a hurry - and it's staggering how many iPhone users don't understand "swipe up from the bottom of the screen to open the app-switcher" or else lack the dexterity to do so quickly.
More than once I've instructed users "Ok, wait until the number changes, and switch back to your browser as soon as you've gotten the new one."
--It was honestly much easier before they got rid of the HOME button
OrthosDeli@reddit
I still (semi jokingly) say that getting rid of the home button is Apple's greatest mistake.
Frowdo@reddit
I've had to escalate tickets to onsite support because touch and hold but don't touch it that hard or that long just could not translate over the phone.
To be fair my own phone if I ever use it as an actual phone gets oil on the screen and face id stops working.
nerdguy1138@reddit
Oh yeah. Switching apps is still somehow slow.
Overall-Tailor8949@reddit
What was that?
SFHalfling@reddit
You can usually use the codes for 60 seconds, most implementations accept the code before and after the current one to allow for clock drift.
Crizznik@reddit
God people can be so fuckin paranoid. And then they're the exact kind of people who update play-by-plays of their daily lives on Facebook. Like, bro, there isn't a single thing anyone can do to your phone to learn more about you than what you already voluntarily post on the internet. At least the ones that are mostly off-grid, no social media, etc. are somewhat respectable with their desire to keep everything off their phones.
PiotrDz@reddit
Still, in EU this is their right. And you should be ashamed for bashing workers because they execute their rights. 1 pay of CEO can provide work phones for whole departments. Turn around and stick it to him. But hey, it is easier to be angry at average Joe because he can not retaliate at you right?
Crizznik@reddit
It's also your right to stick a crowbar up your own ass. Doesn't mean you should execute that right. Unless you're into that sort of thing.
PiotrDz@reddit
Why don't you stick it to the CEO that can buy needed devices with his one-month pay? Isn't it easier to shit on people that cannot retaliate? Yea, the average worker is so spoiled that sticking to one of his rights is worth your attitude. If you don't see it, then I would not like to work at your company ever.
Crizznik@reddit
If it weren't for the fact that 99.999% of people have cell phones, and that using an MFA app is way more convenient than using a hard token, which is the only other alternative, no, I reject the idea that a company would need to pay for a phone for an MFA app. For more integrated stuff, I'm right there with you. A person shouldn't be forced to install an MDM on their personal phone just so they are able to check their emails on the go. The company should pay for that. But MFA apps are non-invasive, free, tiny, and super convenient. There is absolutely no reason anyone should be worried or against getting an MFA app on their phone. And if they legit don't have a phone, then a hard token should be provided.
PiotrDz@reddit
Mfa app is also invasive. You cannot root your phone. You cannot just throw your phone through the window - you have to transfer keys first.
Crizznik@reddit
I mean, you can do those things, you're just going to have to reset the MFA, which some companies make that very difficult, others make it very easy. And you absolutely can root your phone, just do so before you install the app.
felix1429@reddit
You're getting downvoted, but you really aren't wrong.
RickAdtley@reddit
I mean, they should for sure take that up with their boss. They should be given a work phone for that. But it's not IT's fault!
felix1429@reddit
Is a work phone exclusively for MFA not overkill?
PiotrDz@reddit
Why do you fight for companies? Floor-level workers are usually underpaid, and now the company wants to cut a buck by riding on their personal devices. One month's salary of a higher exec could probably pay for equipping a whole department with phones. Stick it to them instead of general employees.
RickAdtley@reddit
Shouldn't matter.
Making employees use their own devices to run your software is shitty employer behavior at best. It also likely runs afoul of various regulations, local laws, standards & practices, etc.
If it's a hospital, you could run afoul of HIPAA. If your company sells to the US government, you could run afoul of the NSA.
Dude, the potential liability alone just isn't worth the small amount of money saved by making employees use their own devices. If anything, I would question why this is where the employer chose to be stingy.
Unless it's, like, a 3-employee small business or something.
felix1429@reddit
An MFA app like Microsoft Authenticator, Duo, Okta, Google Authenticator, etc. is not an employer making employees run their software. It's asking them to use a third-party app that gives them an OTP to use as an MFA factor.
Obviously industries like healthcare and government contractors are going to be different, those industries will usually issue company devices for the reasons you outlined.
Technically, with basically any MDM suite you can revoke access to anything on any work or personal device that's enrolled, but that's completely different than standalone MFA apps. Corporations with a need to prioritize security will issue company devices including phones, and they do, but many run-of-the-mill companies (especially smaller businesses) just use third-party MFA apps like the ones I mentioned at the beginning of my comment.
RickAdtley@reddit
That is so pedantic it barely deserves a reply. Yes, fine, unless you work for one of those companies, it's not "their software." Good observation on subject pronouns.
I didn't think it was necessary for me to say, "software that your employer licenses and/or requires you to use in order to perform the function of the job you have been hired to do."
It's a shitty thing to make your employees do and a stupid thing to do from an infosec perspective.
I work for a small business and we are issued work phones for authentication with the option to instead use a dedicated MFA device. There is no good reason for a major corporation to be stingy about this.
PiotrDz@reddit
Let me explain the "personal devices" complaints. This is actually my personal experience when a company from the USA wanted all workers in European offices to install MFA on their private phones. People went mad! I think this is a common misunderstanding between the USA and EU job markets. In the EU, when you are on permanent employment you lose a lot of perks vs contractors. You pay higher taxes. You cannot deduct your expenses. Days off are fully in control of the employer. Remote work can be easily cancelled by the employer etc. But instead you are told that the employer must provide all means for you to work; this is one of the "advantages".
And now imagine that you have to install a company app on your personal device after all the assertions that the employer will provide you everything you need to work. Also you look over your desk and see a contractor deduct personal phone costs from taxes now because they are used for work in some part (maybe it is not so simple but you get me).
So I think it is fully understandable that people are not feeling good about that.
twopointsisatrend@reddit
But my employer will be able to spy on me and what I do on my personal phone because I've installed 'their' app on it!!!--More users than you'd believe, apparently.
techforallseasons@reddit
I have authenticator apps on my phone for MY use. My company's MFA TOTPs are a hardware device and YubiKeys because I told them that unless they pay a stipend for use of my phone it was no deal. I offered the alternative of the hardware device and YubiKeys (company provided) and they have zero problem with that.
Protect your work / personal life boundaries.
felix1429@reddit
More people on this subreddit too, apparently. It would seem that fewer people subscribed here work in IT than I assumed...
_Allfather0din_@reddit
I tell my users, MFA protects you, not just the company. Our user agreement for employees states that anything they do that is not in accordance with company security policies means they are immediately and solely responsible for any issues that arise. I tell them "if your account gets hacked and emails sent from it not by you, you will be fired right then and there". People then seem to love the idea of MFA and it becomes much less difficult for them to figure it out. I've realized at my company, you rarely have to use the whip but you really have to make sure the end users know you have a whip lol.
felix1429@reddit
I like the way you think, may have to keep that in my back pocket for certain users...
_Allfather0din_@reddit
Yeah, and you don't have to be mean at all either. I always go "ohh sorry, I know it's a pain but it protects you and unfortunately is company policy" even though I write the security policy lol.
felix1429@reddit
Oh I already use that line like a broken record, that tends to be enough to get people to move forward with setting it up, especially when they realize there literally isn't a way to log into their account until they set up MFA. The other line will be for anyone still trying to push back after I've gotten past all my usual stuff, lol.
creegro@reddit
MFA is annoying as it is, and harder to just tell users how to use it over the phone. Best to show them in real time what to look for and when to use it. Your screen pops up with a number so you should get a notification on your phone that has you put in that code and use a pin or verification to approve it...
But then the user asks what's a notification...
Kyla_3049@reddit
Maybe call it a "text message"?
lord_teaspoon@reddit
A "pop-up"?
OrthosDeli@reddit
Then they'll be more confused when they ignore the push notification and go to their messaging app.
Shazam1269@reddit
Over half of our user base had to have tokens. If/when they lose them we charge $30 to replace them. A couple have switched after theirs magically broke.
jimmy_three_shoes@reddit
We offer tokens to people that refuse to use their phone, and usually within a couple weeks, they're turning it back in because plugging their keys into their computer is too much of a pain in the ass.
killer2239@reddit
Or spend 15min with them scanning the Microsoft QR with a sponsored ad app with a similar icon that shows up first when searching for Microsoft authenticator. It just keeps not working until you finally ask them to explain the app icon and find out it's not the right one. Or they ask you why the app wants $50 and how they can get reimbursed.
felix1429@reddit
There's a reason I lead with "make sure the app you download has the same icon as the one on your screen, a blue lock icon with a silhouette of a person in it"
killer2239@reddit
Yeah but they still think it's the same because it's blue...
aard_fi@reddit
It is a valid complaint - the employer has to provide any tools required for work. Employees may choose to follow that request for convenience (like carrying one less thing) - but in no way are they obligated to do so.
I'm currently annoyed about banks pushing their mobile phone apps, while I want to hold on to a separate authenticator device.
felix1429@reddit
MFA apps aren't a tool though. Sure, Yubikeys and the like exist, but would you really be willing to quit your job or get fired for not wanting to set up an MFA app on your phone?
aard_fi@reddit
If you can't log in without it it is a tool. Now you may have the option between yubikey and the app, and install the app for your convenience - but you must have that option.
Getting fired over that would be a labour lawyers wet dream.
felix1429@reddit
Do you not live in the US? 49 states are "right to work" states that can fire you for essentially anything outside of a very specific, small number of reasons. It'd be hard to find a lawyer even willing to take your hypothetical case.
aard_fi@reddit
No, EU. After trial period has passed you pretty much can forget about getting rid of a specific employee, unless that one fucks up really, really bad.
felix1429@reddit
Ah, that makes a lot more sense. The US's worker protection laws are garbage, so employers here can legally fire employees who refuse to use their personal devices for app-based MFA. If you don't have a smartphone they need to provide you an alternative, but that's about the only time.
clemznboy@reddit
Yep. My wife doesn't have to do a certain task at work because it requires climbing in and out of trucks taking pictures. They expected her to use her personal phone. She said no. Management gave her some pushback, and then she asked if they would replace or repair her phone if she dropped it and broke it while she was doing said work task with her personal device. The answer was, of course, no. To their credit, they didn't give her grief about it after that, because they knew she was right.
aard_fi@reddit
It's also pretty stupid to not just provide a phone or camera for that task - those things are pretty cheap nowadays, even if you go for a hard to destroy version.
Bunslow@reddit
i personally really, really hate putting work related auth apps on my personal phone, it's a separation of concerns nightmare to me
burnerX5@reddit
At my last job in the new-hire phase they instruct you to do the RSA app and I was mad as hell thinking that I'd have to always pull my phone out WHILE a different job I had gave everyone RSA hard tokens.
It's my 1st day and I'm talking to the help desk tech, hammering that I used to also be a help desk tech and saw he had a hard token and was like "ey...can I have a hard token???" and dude looked at me a few times and made the decision that he'd ask his manager, who then looked at me a few times on the sly and decided to cut me in.
Again, the idea of busting out my phone just to log into my work device ain't what it do!
NOTE: I used to have to manage payment for RSA at that job and learned the costs...and understood why most got the soft tokens :) :) :)
depastino@reddit
I had a similar discussion with my wife the other day. She was complaining that she had to put Duo on her personal phone. I explained that it was used for MFA and she said "That's just DUMB." I told her that it was either that or a hardware token, and she said, "Oh, that little number generator? I HATE carrying those things." So using your phone is preferable, right?
"No."
felix1429@reddit
"Well, it's one or the other..."
NiiWiiCamo@reddit
I‘m currently debating my colleagues on this. Not every user has a company provided phone, and we are looking at the options of what we can provide for users who refuse to use personal devices.
It’s either everyone gets a (basic) smartphone, which requires some kind of phone plan and most likely an MDM,
We provide Yubikeys (my preferred option for those users), or
Everyone gets a licensed 1Password account, which can generate TOTP tokens, but in turn requires 2fa itself.
The least preferred option is that every user gets trained on KeePass. Apart from the Helpdesk resources this would waste, storing the database and master key is definitely a nightmare in our environment.
Personally I think option 2 is the simplest to manage, especially regarding the low amount of users that refuse to use their personal smartphone.
Unfortunately we deal with many legacy or non-SAML applications, so we are kind of stuck in a bind.
hawkshaw1024@reddit
Honestly, don't underestimate the rollout. As a tech worker, I have repeatedly been locked out of accounts due to surprise MFA.
(Plus sometimes services will just decide that you're logging in from a new device or a new location and throw a tantrum, but that's a different rant.)
killakadoogan@reddit
YUP! We had to implement hardware tokens for one of our clients because they are unionized and the union rules say they cannot use personal devices for any reason. PITA.
dustojnikhummer@reddit
Not PITA, finally a union was useful for something
dustojnikhummer@reddit
That is a 100% valid complaint.
sandmyth@reddit
I finally beat my employer into paying for a yubikey. my personal phone is bootloader unlocked, and rooted, your MFA won't run on it. You can pay for me to have a work phone, or order me a yubikey.
FraaRaz@reddit
Hey, no spoilers! ;-)
Brendoshi@reddit
Does feel like there should be a better way around this tbh. Especially once you start needing to use your device to setup accounts for third party IT for stuff like server connections.
I had 40+ different MFAs at one point
Vegetable-Topic9853@reddit
MFA *is* complicated because end users do not want to use it, and do not want to learn anything about it - and troubleshooting anything on their phone remotely is like trying to get your dog to roll down the car window. You can't see what they're doing and users *WILL* randomly jump ahead of you and just assume they need to tap random buttons they see or close apps you need open because of their 'limitless intuition'.
sarcastic_marmot@reddit
"... like trying to get your dog to roll down the car window."
I'm totally stealing that. 😂😂😂
dbear848@reddit
I'm a software developer so you would think that adoption would have been easy. We weren't allowed to use the in-house WiFi on our personal devices and the cellphone coverage inside our office was non existent. So we would often have to take our laptops outside where we could get a signal to do MFA.
Management of course had company phones that were allowed to connect to the WiFi, so they didn't see any problem.
The workaround was to install an app on our personal phones that would allow WiFi access, but you had to agree that IT could wipe your personal phone whenever they wanted to. Most of us declined.
The problem was solved when we were forced to start working at home.
Hopeful_Extreme4084@reddit
the phone wipe is due to having company email on the phone and the ability to download company data from emails to your phone...
the MFA app has nothing to do with this.
Maxfire2008@reddit
Bruh, imagine not providing a separated WiFi network for your employees personal devices. Uh no, let's just manage every personal phone as if it were company property.
JohnBalcom@reddit
It’s clear you were trying to balance compassion with practical concerns. It’s hard to navigate family dynamics, but it seems like you made a choice that was right for your situation. It’s important to take care of yourself and your space.
af_cheddarhead@reddit
Sorry, not installing Microsoft Authenticator on my personal phone so I can login to my work laptop. Time to issue me a work phone.
Yep, I told that to the head of IA for the company. He just blankly stared at me until I explained that I did not install any work related software on my personal phone or computer due to security concerns.
Yep, I'm that PITA user.
BrotoriousNIG@reddit
And so you should be.
Hopeful_Extreme4084@reddit
no.
go talk to your goddamn supervisor and HR - this is not IT's problem. Comply and work with YOUR COWORKERS in IT and take it up with people that make choices.
I honestly don't care if you can't work today, this week or this month. I'm just here to get you in working order. You wanna be a PITA to those attempting to help you, good luck on your next IT ticket.
RelativisticTowel@reddit
They should be the ones with security concerns over me having the 2FA on my personal phone. I'm not worried about IT spying on my phone using an app they didn't even develop, but IT should definitely be worried about my phone's maker (and/or whoever paid them for the data) grabbing that 2FA code right out of it. Since the phone was bought by me, that could be literally anyone...
bmxtiger@reddit
The next fun comes when everyone replaces their phones without backing up/syncing their MFA codes and you have to reset 20 different sites for them to set it all back up again. I've debated on buying a slew of super cheap Androids to bolt to desks just for Google and MS authenticator.
sillymel@reddit
That would defeat the point of an authenticator app. It's supposed to be a "something you have" factor. Bolting the phones with the apps to the desks where the logins happen removes the usefulness as an authentication factor. It's essentially equivalent to writing your password on a sticky note and attaching the sticky note to the monitor.
Nubetastic@reddit
I once had a person who did not own a smart phone, tablet, personal computer, home internet or even a personal email.
funnyfarm299@reddit
If my company isn't paying for it, why should they be able to leech off mine?
Maxfire2008@reddit
You're paying tax on your home property which receives mail? Why should the company be able to leech off of that. Of all the ways that companies can "leech" off of employees this is the most imaginary.
PiotrDz@reddit
Well, you can turn your home into a shisha bar and mail will still come. You cannot root your phone and keep using MFA app. See how your example is lacking here? MFA apps are restricting some things you can do on your phone.
Maxfire2008@reddit
I'll admit the analogy is a bit shit, but it's not leeching to email someone on their phone or get them to install an MFA app. That said I do think it's not unreasonable for the company to issue a phone if the MFA interferes with the personal use of the phone.
PiotrDz@reddit
I have made a broader post somewhere higher up here explaining that in the EU it is even obligatory for a company to provide all necessary devices for work. This is a common thing that I've seen in USA-EU relations. People were mad when the company requested that haha
koosley@reddit
Requiring you to keep a cell phone on you at all times during the day? The company can provide a device for it. They used to provide RSA tokens not too long ago and they worked just fine. Using authenticator just saves them money at my expense.
I do work at home so it hasn't happened for a while but I have left my house without a cell phone before. Losing a phone or forgetting it or just not having one shouldn't cause issues at work. The authenticator apps also do track your location, if they need MFA, call my work number or email my work address.
funnyfarm299@reddit
My company doesn't say I have to work from home. I can work from and get my mail delivered to the office.
koosley@reddit
My company doesn't provide me with a smartphone or personal PC either. I do find it unreasonable to expect me to install non personal apps on my personal devices. I should be able to leave all personal devices at home and show up to work and expect to be able to work.
I do work in professional services and have VPN access into several dozen customers at any given point. Each has their own MFA and it's unreasonable to expect me to install 15 different apps for 30 different customers.
I do miss 10 years ago when we had actual RSA tokens...I did end up compromising and installed the apps on a fire tablet and it seems to work most of the time.
Ethan_231@reddit (OP)
What....
Nition@reddit
Hey, those people can still achieve a lot in their lives. They can even become cybersecurity minister.
RandomBoomer@reddit
My wife has a smartphone only because of possibly emergencies. She keeps it turned off most of the time, so it's usually not charged. She does have a desktop computer for browsing the news and doing genealogy research, but no longer has an email address. It kept malfunctioning (ISP issues), so she just stopped using it.
Not everyone's life is integrated with these "modern" devices. My wife would rather drive to a store and talk to someone face-to-face than phone them. Email and/or text are not an option she would even consider.
MyMartianRomance@reddit
Well, I'm not as bad as your wife, but I don't really call or text so therefore am using an ancient Galaxy 5s for just calling and texting and use a tablet for everything else since I hardly ever go anywhere that doesn't already have wifi readily available.
However, I'm going to have to get a sim card or a GPS device because the phone is so ancient Google Maps no longer functions on it, and I couldn't get Android Auto in my new car to work with the ancient phone or, of course, the tablet yesterday.
dustojnikhummer@reddit
FYI, some "senior phones", even those with android can use pogo pin based docking stations. She might not use it, but it would keep it charged and on at all times for those emergencies
RandomBoomer@reddit
Thanks, that's a possible option. Although if she has it on the charger, guaranteed she'll never remember to take it with her when she leaves the house.
We're a bit of an odd couple. I worked in IT (before I retired last year) and she has no use for modern technology.
purplemonkeymad@reddit
Time to get a yubikey setup.
1knightstands@reddit
Just as likely that’s simply what they told you cause they’re paranoid about being spied on by their employer
keeleon@reddit
The best part is how many end users refuse to have an MFA app on their personal device because they don't put work stuff on it. And yet somehow they (sometimes) use their personal brain to store "work passwords".
PiotrDz@reddit
Isn't it their right to demand that? It also restricts what you can do with your phone. Changing phones gets trickier too.
uniqualykerd@reddit
If my employer can afford to require me to use their MFA app, they can afford to give me a phone that can run that app.
keeleon@reddit
It's literally just a randomly generated number. How do you login to your banks website?
toilingattech@reddit
Biometrics
uniqualykerd@reddit
Not the point.
HMS_Slartibartfast@reddit
Please tell me you've already talked to your client about the need to provide the proper hardware for MFA. Seems it doesn't work well on older phones that people still have and use, say from 2008.
Kyla_3049@reddit
Exactly. Most people who still use feature phones cannot and will not switch to a smartphone. They will just quit immediately.
HMS_Slartibartfast@reddit
Smart ones won't. They will request a smartphone from the company. If the company refuses to give them the basic item needed to log in, they can't log in. Not their problem. Company then needs to work out how to let them in while still paying them. They make the problem the company's problem, then the company makes it OP's problem.
Kyla_3049@reddit
Only problem is will they know how to use a smartphone? My nan could barely use her feature phone. A smartphone would be like attempting alien contact.
HMS_Slartibartfast@reddit
Reason I posted "smart ones won't" is because the smart ones KNOW if the company requires you to use a smartphone to log in to your work account, then they had better provide you with said smartphone. If they convince you to "donate" your phone for MFA, then you'll be likely to "donate" your phone for Teams, Zoom, work email, whatnot. Employers save money when they can get their employees to pay for the equipment they need to do their jobs. Smart employees get their employer to pay for the equipment they need to do their job.
PiotrDz@reddit
Well said. So many people here defending companies and bashing the workers, it is amazing
Willeth@reddit
More recent than that. The iPhone 6S, released in 2017, can't install Google Authenticator and most others because it doesn't support a recent enough version of iOS.
hackmiester@reddit
The functionality of Google is built into iOS. Actually I’m a bit surprised OP says you have to scan the QR code with the authentication app. Is that Microsoft specific maybe?
Willeth@reddit
Do you mean Authenticator? On modern versions, perhaps.
The QR code scan is for initial setup, not for every time. It's a very standard method of setup for 2FA, as it can encode all the info you need without worrying about the user typing a long string incorrectly.
hackmiester@reddit
HA, yes, that’s definitely what I meant, thanks!! I want to say the iPhone 6S is new enough to have this feature. At least on modern iOS, I haven’t run into any cases where scanning a QR code in the system doesn’t do the right thing. For instance, when logging into Discord it says to scan the code in Discord. But if you scan it from the camera, it works fine, just opens Discord. I don’t see why any authenticator app (Microsoft) couldn’t do this. I know it works for Duo.
Willeth@reddit
You haven't understood the issue, which is that the 6S is end of life, which means it does not get iOS updates. There are crucial security updates in later versions of iOS that the 6S does not have access to. Google Authenticator requires a higher version of iOS to avoid these vulnerabilities. As a consequence, if you don't already have it installed, it cannot be downloaded from the App Store.
Ethan_231@reddit (OP)
I had an iPhone 6 user the other day as she put it "my dummy phone because I refuse to give companies my information "
angrytwig@reddit
thankfully i haven't had any users like that. yet.
I do find that MFA scares the shit out of staff. The ones who don't have cell phones and use their office phone to auth: the popup comes up and they think they're in trouble. What really sucks is that when they pick up, the instructional audio is cut off, which makes them even more anxious.
SGTFragged@reddit
I've run into the using the native camera app on MFA setup so many times now that part of my spiel is to talk them through adding the account via the app specifically.
hackmiester@reddit
Does this not work on Microsoft products or something? It works just fine in general on iOS, for TOTP and Duo at least.
nyhtml@reddit
Me: I send them the download link.
Them: The App Store is asking for a password.
Me: Sighs
Ethan_231@reddit (OP)
Yes!
nyhtml@reddit
I have an old iPad that I now use when I encounter these users.
Over Teams or QuickAssist, I can see their screen, scan the QR code to set it up, and then deregister since SMS (luckily) is a secondary login option.
CantEatCatsKevin@reddit
I did IT for a private school for a bit. Try walking teachers through setting up authenticator.
It actually is probably easier because they listened to me like I was god vs trying things on their own…
Michelli_NL@reddit
One of the universities here in the Netherlands (Utrecht) decided to give Yubikeys to their employees. Apparently works pretty well, even for the non technical employees.
Ethan_231@reddit (OP)
I haven't had the pleasure of working with teachers. I imagine they would understand the need to listen to someone with expertise in the subject haha.
1knightstands@reddit
With teachers, always take the extra 5 minutes to clearly explain why it’s worth their time. If they buy into the reason, they’re good listeners and will act rationally. If you skip it, and treat them like children who should just trust you being the big smart IT guy, you’ll instantly lose their buy-in.
I think that actually goes for the vast majority of users - people always skip the explanation, and it causes more headaches in the long run, than if you just slow down, explain the why and then proceed.
Maxfire2008@reddit
What you said about teaching teachers is shockingly applicable to students too.
Kyla_3049@reddit
angrily WHY tf do I need this goggle authicake thing?
Gallows-Bait@reddit
You'd think that, but you'd be wrong. My brother worked in school IT for years and has had teachers turning up one day before term started asking them to add 60 apple computers to the network that no one in the school had even authorised them buying, let alone thought about cabling, routers, software licenses, domains or anything. They just had computers delivered and expected it to be magically sorted.
bhambrewer@reddit
I hope your brother weaponised "no"?
CantEatCatsKevin@reddit
You’d think that. They were the worst listeners in a group.
zeus204013@reddit
This is very frequent to me...
toilingattech@reddit
Or saying “NO” when asking to allow notifications from the app… and wonder why it’s not working…
Ethan_231@reddit (OP)
At least I'm not the only one!
capn_kwick@reddit
Right now (and for the past few years) the work place has provided cell phone with pre-installed apps for doing work related functions (and we're told not to put anything personal on it).
But if I were faced with a prospective employer who would demand that I install their app on my phone, it will become "my rates for your app on my phone are $X per month. Sign here if you agree. Otherwise the business supplies the phone."
It does help that I'm fully retired and don't need a job so I can be picky about who I might want to assist.
GodOfUtopiaPlenitia@reddit
MFA is over 20 years old, and we've been downloading Apps for over 15 years. Being too stupid to follow a list of directions or "not being good with tech" in a typically UNIONIZED role/sector for stuff this old should be terrifyingly painful.
fresh-dork@reddit
everything is complicated when you're dumb
BrotoriousNIG@reddit
You expect us to believe that a user would just lie like that? They would just straight up say something that isn’t true?
Ethan_231@reddit (OP)
Lmfao
Thelmara@reddit
We have a system whose MFA setup QR code, if scanned with a non-authenticator, gives a valid 6-digit code to log into the website. So idiot users try to sign in, get confronted with the MFA signup, scan it with their QR code reader instead of the authentication app, and then the site lets them in and marks them as having set up MFA.
Then the next time they try to log in, they get nothing, because the system expects the code to come from the authenticator. And we get to walk them through the process of "reading the instructions".
bluedonutwsprinkles@reddit
I recently changed phones. New one is not set up on ms app. I just use the text option now. I prefer it.
Shasla@reddit
Sms is so slow sometimes. Ms authenticator isn't the best either though. Personally use bitwarden for mfa. So fucking convenient having it put the one time code straight into my clipboard after it fills in username and password on a site.
green_link@reddit
Texting a MFA code is also stupidly insecure
nerdguy1138@reddit
Bitwarden kicks all kinds of ass!
I remember when I found the OTP feature, it's so slick. You can basically merge MFA with a password manager.
The only slightly annoying thing is having to manually assign MFA seeds to accounts, but I suppose you'd have to do that anyway, and it's a one-off thing.
MattDaCatt@reddit
I once triggered a full blown marital fight over this ticket scenario. Took about an hour and 15 minutes to download the MFA app and scan the QR code, with her husband trying to help guide her
Supporting personal smart phones is hell
Speijker@reddit
Working at a large company, setting up MFA with a user can take either 2 minutes... or three hours.
(The appreciation of not-so-techy people I'm actually able to stay on the line with them for that whole time is great though)
techyno@reddit
The hardest one for these types to master is switching between apps on their phone when having to reauthenticate their accounts
Spiritual_Grand_9604@reddit
Because of Covid people see a QR code they whip out their cameras, I can't fault them for that
SapifhasF@reddit
Ah good old Service Desk hell. Good times
mercurygreen@reddit
It's almost like they don't actually have basic security at infrastructure points. UNTIL THEY GET HIT WITH SOMETHING AND I DON'T HAVE POWER FOR THREE WEEKS.
nerdguy1138@reddit
Senator: it's just a water plant, it doesn't need security upgrades!
thing happens
Senator: Water plant IT guy, HOW COULD YOU LET THIS HAPPEN?! DO YOU HATE AMERICA?!!
izibellz@reddit
Wait until they need to log in next and have forgotten everything that you showed them, including what the app is, what it's for and how to use it. Then: 'I never set this up!! I have no idea who set this up!! WHAT IS THIS??!?!!'
Source: We rolled out mandatory MFA on our customer login portal earlier this year.
12stringPlayer@reddit
I have no problem with MFA in general, but some implementations are terrible.
My company was doing fine with a login/PW + authenticator app, now they're rolling out a new MFA system that requires biometrics (either face or fingerprint scan) or a Yubikey and it's not working for a LOT of people. It's a nightmare.
Ironically, a couple of years ago they'd disabled the fingerprint scanners on the laptops they provided as insecure, now they want us to use either that or the internal camera for a face scan. But as someone who RDPs into the laptop which I leave on a side table with the cover closed, I've apparently totally confounded their workflow. They won't use an external webcam, only the internal device, and the Yubikey won't work through the RDP session, apparently.
And my Linux VM?? Fuggedaboutit, they don't even seem to understand that workflow. They seem to think everyone just works in front of the laptop looking at that tiny screen and typing on that tiny keyboard.
At least I can still fall back on the password/authenticator MFA, but if they pull that, I'm sunk.
dustojnikhummer@reddit
I never considered WHfB over RDP
Mehere_64@reddit
Did you provide them with documentation on what needs to take place? Screen shots etc?
Ethan_231@reddit (OP)
Oh yeah, I sent them download links and everything.
NightMgr@reddit
Poor planning can factor in.
“It’s a felony for people to have cell phones in the jail and they are not always near a phone. What was the planned solution for them?”
Uhhhhhhhh
Dannyhec@reddit
What’s your phone number? I’ll have my dad call you.
Ethan_231@reddit (OP)
Im good!
AaronCorr@reddit
My father was absolutely stumped why I can't just use the 2FA pin he got the first time he logged into our family Word account.
I was like: "Dad, you know how 2FA works. You get a new pin every time a new device tries to log in" And he went: "Of course I know how it works. Use the old pin I sent you"
I decided it wasn't worth the effort and used Libre Office.
Mind you, my father can code simple things, built his own website, fixes simple electronics, and has worked in a corporate position with several generations of IT security measures. But Microsoft Office 2FA was a complete mystery to him
skribsbb@reddit
Me: "Do you have any PST files?"
Customer who has been throwing out IT buzzwords left and right: "No."
Reimage...
2 hours later.
Customer: "Where's my email file?"
easylikerain@reddit
PST files are an evil creation. Help users move 50GB files every time they have to wipe their asses. Move to 365 and fight your users at every step.
Of course, then you move to 365 and find out giving them cloud storage discourages mailbox cleanup.
MorpH2k@reddit
That one is kind of on you though. Never assume that the user actually knows what they are talking about, and especially when it comes to acronyms, file endings and other specific tech jargon.
ferengiface@reddit
Yeah, I wouldn’t even ask, I would just look.
RevolutionaryOwlz@reddit
I had to help run an MFA implementation for mostly people working at public media stations. You can imagine how well that went.
lost_in_life_34@reddit
I work in devops and setting it up was tricky for me. We used to use RSA and switched to MS. I ended up having to delete every other MS account in my authenticator app and start with the corporate one and then add the personal ones back or else it wouldn't work.
SudoDarkKnight@reddit
My college recently forced MFA for all students and frankly, it's been utter hell annoying to have to support.
This_guy_works@reddit
If you are an MSP, perhaps train a few "super users" at the client you work for, and then they can go around and help set people up. But also, this should be established in the scope of work when agreeing to onboard them with MFA.
Ethan_231@reddit (OP)
That's smart!
Styler_GTX@reddit
Hey I've seen this post today somewhere else.
Ethan_231@reddit (OP)
Someone else mentioned this sub so I put it here too haha
creegro@reddit
Overzealous users are some of the worst, thinking they are being proactive by moving, editing, changing or just deleting things before getting an answer if that's ok. Then OOPS we messed it up and can't use the thing anymore cause we changed it up too much, forcing IT to do a reset on it, or hoping a reinstall would fix it maybe.
But on the other hand, MFA is sometimes the worst thing ever and it tries the hardest to be annoying, especially from Microsoft.
Our ticket system was just fine before MFA came along, then suddenly we are getting booted out after 1 minute, 1 hour, randomly. Oh you just logged in and wanted to update a note? Too bad, log it in again...
ac8jo@reddit
Yup. "Put this number into the authenticator app" -> unlocks phone with fingerprint -> gives phone number and says 'yes it's me trying to authenticate' -> "Scan your fingerprint"
It seems like there's a couple of extra steps that may not be needed. OTOH, nobody is going to break into my work's network.