I'm currently in a bit of a conflict with a new senior sysadmin who insists on using backup codes sent to Slack DMs for onboarding temporary staff, since they don't have company-issued phones as per our privacy policy. I've been in this company for five years, navigating security as it grew from 10 to nearly 100 employees, while he's only been here for nine months. I raised concerns about session controls and MFA prompts since he previously allowed a new hire to use backup codes for two months without anyone noticing.
While I see backup codes as a temporary solution, I'd prefer implementing biometrics, as we do have laptops with fingerprint sensors and face ID. I tried getting clarity from him on why he's so adamant about backup codes, but he just dismissed my questions and reported me to management for not listening to him. I'm worried about approaching the next meeting with him—it feels like I'm questioning an expert, but I think the solution could be better. Am I really out of line here? What would you do in my situation?
1 Answer
I think using a hardware token like YubiKeys or FIDO2 keys would be the best approach—much more secure than backup codes. Backup codes should definitely be a last resort. If they're using Slack for MFA, it seems overly complicated when there are simpler methods without needing personal devices at all.

That's true! If the company's using Google Workspace, TOTP or FIDO keys could work without needing personal devices. Sounds like a no-brainer!
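The detection gap described in the question (a new hire signing in with backup codes for two months without anyone noticing) and the answer's rule that backup codes be a last resort can both be checked from the identity provider's sign-in log. The following is an added example, not code from the original thread; it assumes a constructed log format (ISO-8601 timestamp, user, MFA method, result), constructed sample lines, assumed method labels, and an assumed policy threshold of seven days of backup-code reliance.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not from any real identity provider).
# Assumed line format: <ISO-8601 UTC timestamp> <user> <mfa_method> <result>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice backup_code success
2024-03-04T09:15:40Z alice backup_code success
2024-03-12T08:30:02Z alice backup_code success
2024-03-20T08:05:59Z alice backup_code success
2024-03-02T10:00:00Z bob fido2 success
2024-03-03T10:00:00Z bob backup_code success
2024-03-04T10:00:00Z bob fido2 success
2024-03-05T11:11:11Z carol totp success
2024-03-06T11:11:11Z carol backup_code failure
"""

# Factors the thread treats as preferable to backup codes (assumed labels).
STRONG_METHODS = {"fido2", "totp", "fingerprint", "face_id"}


def parse_log(text):
    """Parse the assumed four-field log format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "method": method,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_issues(events, max_days=7):
    """Flag two policy problems visible in successful sign-ins.

    prolonged_reliance  - backup codes used across >= max_days with no stronger
                          factor seen after the last backup-code sign-in (the
                          'nobody noticed for two months' case)
    backup_after_strong - a backup code used by someone who had already signed
                          in with a strong factor: a last resort used as a
                          routine factor, or a lost or replaced authenticator
                          that should be reviewed
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in sorted(by_user.items()):
        backup = [e["ts"] for e in evs if e["method"] == "backup_code"]
        if not backup:
            continue
        strong = [e["ts"] for e in evs if e["method"] in STRONG_METHODS]

        span_days = (backup[-1] - backup[0]).days
        moved_to_strong = bool(strong) and strong[-1] > backup[-1]
        if span_days >= max_days and not moved_to_strong:
            findings.append({
                "type": "prolonged_reliance",
                "user": user,
                "uses": len(backup),
                "days": span_days,
            })

        if strong and any(b > strong[0] for b in backup):
            findings.append({"type": "backup_after_strong", "user": user})

    return findings


if __name__ == "__main__":
    for finding in find_mfa_issues(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the check reports alice for nineteen days of backup-code-only sign-ins and bob for using a backup code after already having a working FIDO2 key; carol's failed backup-code attempt is ignored because only successful sign-ins count toward reliance. A scheduled job over the real IdP export (Google Workspace login audit data, in the thread's case) with a ticket per finding is what would have surfaced the two-month case the question describes.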