I'm currently facing a dilemma at work regarding the use of multi-factor authentication (MFA) apps, specifically the Microsoft Authenticator app. We primarily use iPhones through Apple's Business Manager, but keeping up with Intune updates is getting costly and cumbersome. Employees aren't really using their phones for much beyond MFA since we rely on Teams for communication.
Given the financial pressure to cut costs, our boss is suggesting that staff use their personal phones for MFA apps and do away with company-issued devices. This would mean allowing access to customer MFA apps on their personal devices. I personally don't mind this shift if it's deemed safe, but I'm curious about potential security risks. Can anyone offer insights or alternative solutions that could address these issues?
7 Answers
In theory, allowing personal devices for MFA should be safe. Sure, there's a risk if someone has a malicious app on their personal phone, but the reality is there are lots of businesses doing this without issues. Just be prepared for some pushback from staff—they might want compensation for using their own devices. Depending on your location, you might need to clarify this requirement in the employee manual.
Why not just buy some basic Android devices specifically for MFA? That way, you can manage those through Intune still, and it ensures they are used solely for that purpose. You can set them up securely with MDM too. Just be cautious about how long those cheaper Androids will stay supported with updates.
Running the Microsoft Authenticator on personal phones can work just fine. If you're worried about security, you might also consider offering YubiKeys as an alternative. They can provide an extra layer of security and are relatively affordable.
That’s how we handle it too! Staff can use the Authenticator app on their personal devices. But if they want access to other 365 apps, they need to enroll their devices through Intune.
In compliance frameworks like CE+, using MFA apps on unmanaged devices is often accepted. Just make sure everyone knows what’s safe and compliant with company policy.
Using the Authenticator app on personal phones is pretty common these days. It’s well-protected and regarded as a normal use case by Microsoft. The key risks usually come from things like lost phones or users not cooperating when they leave the company. As long as it's strictly for MFA and not giving access to other company data, it’s generally okay. Offering YubiKeys as an alternative can also keep staff happy.
Next year Microsoft plans to block MFA credentials on jailbroken or rooted devices. That should add extra security for using personal phones.
