A coworker of mine, who is a sysadmin, recently upgraded to a new phone and handled the data transfer himself. However, he noticed that his Microsoft MFA tokens didn't seamlessly transfer over when switching from one Android device to another. He utilized an export/import method where the old phone displayed a QR code that was scanned by the new one, allowing all data to transfer successfully.
While this worked, it raised a concern: what if someone goes to a phone store for assistance, changes their PIN to allow the sales rep to help with the transfer, and accidentally leaves their old phone behind as a trade-in? Suddenly, their MFA tokens are in someone else's hands. I pointed out a few key points:
- His phone is secured with a PIN, but the Microsoft Authenticator app isn't protected by a second layer of security on his device.
- His password manager remains secure.
- We face the challenge that not all employees take these precautions, especially if they don't see the potential risk.
- Our policy does not require personal devices for MFA; we support software TOTP as well.
- Users can bring their own devices for MFA usage.
Clearly, we should be ensuring old devices are wiped clean before they're traded in and that the original PIN isn't shared with anyone. I'm thinking about how to be more proactive and possibly force re-enrollment in cases of new phones, but not everyone may communicate this need to me. What are some strong strategies to handle this situation? Should I enforce PIN protection on personal authenticators or consider eliminating BYOD altogether? I'm looking for some input on best practices here.
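As an added example (not part of the original question or either answer), the "force re-enrollment" idea above can be turned into a routine admin task: list a user's Microsoft Authenticator registrations with their creation dates and, when the user reports a phone swap, remove them so the next sign-in requires a fresh registration on the new device. The script below assumes the tenant is Microsoft Entra ID, that the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) is installed, and that the operator's account holds the UserAuthenticationMethod.ReadWrite.All permission; the script name, parameters and output layout are my own, not anything the thread describes.

```powershell
# Reset-AuthenticatorRegistration.ps1 (hypothetical name; added example, not from the thread)
# Lists a user's Microsoft Authenticator registrations; with -Remove, deletes them so the
# user must re-register at next sign-in. Assumes Microsoft Entra ID and the Graph SDK.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $Remove
)

# Delegated permission needed to read and delete authentication methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# Every Authenticator registration on the account, one object per enrolled device.
$methods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName

if (-not $methods) {
    Write-Host "No Microsoft Authenticator registrations found for $UserPrincipalName"
    return
}

# Show what is registered; a CreatedDateTime older than the user's phone upgrade
# identifies the registration that lived on the traded-in handset.
$methods | ForEach-Object {
    [pscustomobject]@{
        Id          = $_.Id
        DisplayName = $_.DisplayName
        DeviceTag   = $_.DeviceTag
        AppVersion  = $_.PhoneAppVersion
        Registered  = $_.CreatedDateTime
    }
} | Format-Table -AutoSize

if ($Remove) {
    foreach ($m in $methods) {
        Write-Host "Removing Authenticator registration $($m.Id) ($($m.DisplayName))"
        Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
            -UserId $UserPrincipalName `
            -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
    }
    # Deleting the method does not end sessions the old device already holds;
    # revoke them too so the traded-in phone cannot keep using cached tokens.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Host "Done. $UserPrincipalName will be prompted to register Authenticator again."
}
```

Run it without -Remove first to see what is registered; only pass -Remove once the user has confirmed which device is current, since it clears every Authenticator registration on the account, not just the old one. Re-registration only happens automatically if a Conditional Access or MFA policy already requires a strong method at sign-in, so the script is a complement to that policy, not a replacement for it.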
2 Answers
I think you're stressing this a bit too much. Most phone stores won't let you trade in a device without wiping it first, as they're concerned about MDM, activation locks, and passwords. Plus, if the sales person had access to your coworker's password, that would raise a lot of red flags.
Wiping the phone before trading it in is key, and it’s a standard practice. Sure, it’s easy to theorize about potential risks, but the likelihood of it causing a major issue is quite low. Focus on educating users to avoid handing their PINs to anyone. That’s where the real risk lies.

I get that. But what about those who aren’t as security-savvy as your coworker? We need to think about reinforcing the importance of good practices to ensure everyone is protected.