nigel on Nostr: Someone I know is battling with their work over the 2-factor app they want to put on ...
Someone I know is battling with their work over the 2-factor app they want to put on all employees' private phones. I had a couple of comments when they told me...
a) They aren't paying for the devices, so why should they be putting anything on someone's personal device?
b) How can they guarantee the device is not compromised in any way?
Some of the staff have older phones or just don't bring them to work - which they've been told to suck it up because even if they can't install the app due to an outdated phone:
c) they'll do SMS 2-factor for those folks.
WTAF.
It feels like this Microsoft-pushing provider they changed to is just trying to check boxes instead of doing what works best for the client. Like also forcing them to use Edge instead of Chrome even though the website they have to use for part of their job doesn't even work on Edge... and most of the staff just installed Chrome to be able to do their jobs. Somehow installing Chrome gets around the administrator requirement for installing too, which amused me immensely.
My #security thoughts are: if you make it so staff can't do their job, and they go around your restrictions in order to actually do work, then you've actually increased attack surface by unknown amounts, and made the site less secure.
But I don't work in IT, so WTF would I know.
Published at 2024-03-09 05:49:06