I recently started working as a systems administrator and we're looking to enhance our security by requiring two-factor authentication (2FA) for all users' Microsoft accounts using Microsoft Authenticator. However, I'm facing significant pushback from HR regarding privacy concerns. It's important to note that employees aren't mandated to use their personal devices for this; they can choose to receive 2FA codes via text, desk phone calls, or even use a physical token. I'm trying to determine what policies HR should implement to make this requirement possible. Do we need to consider bringing in BYOD (Bring Your Own Device) policies, even though we're only allowing the authenticator app on personal devices without any other work-related access? I'm located in New York, and any insights regarding local laws would be appreciated!
5 Answers
This shouldn't really fall under HR’s domain. A higher-up meeting may be needed to clarify roles here. Also, steer clear of SMS for authentication—there's a lot of evidence against its safety. Offering a desk phone or hardware token should be sufficient. My trick is to employ what I call the 'gas station bathroom key' method, where users get a dedicated device with the authenticator app installed, but they have to sign for it and are responsible for it. Most people eventually choose to just use their phones anyway.
It's smart to keep explaining that the app won’t invade their privacy; just try to keep this clear from the start.
Honestly, you might not need any specific HR policy to enforce 2FA. It sounds a bit extreme that there's so much pushback on this. Just explain clearly to employees that the app doesn’t access their data—its only purpose is to generate a login code. You might still get some resistance, but transparency is key!
I feel you on that! My HR rep seems to have it out for me too, making things a lot harder than they need to be. It's tough when they react defensively.
Exactly! It seems every company has a similar phase of pushback. It’s wild to see how resistance has changed over the years.
Having a user acceptance agreement for those who opt to use their personal devices could help. This should outline both parties' expectations clearly. Also, integrating this with a BYOD policy might streamline things since you currently don’t have one, and it's crucial to establish guidelines for using personal devices for work.
Good idea! I’m already working on a BYOD policy, and it seems like it may need to be included in our employee handbook as a requirement for employment.
Yes! It’s better to have some policy in place than leave it undefined.
When drafting your policy, consider wording it like this: "2FA is mandatory for all staff. Employees can install an approved MFA application on personal devices or request a hardware token. If tokens need replacing, they'll be charged to the employee at cost." And for security reasons, I’d advise avoiding SMS for 2FA, as it’s not very secure.
I've been through similar situations before. One good workaround is to use a solution like Windows Hello instead of requiring apps on personal devices. It avoids any issues with privacy and doesn’t involve any extra hardware. It might be worth exploring that option!
Not sure Windows Hello will solve the issue here though. While it’s a decent alternative, I’d avoid introducing additional costs like Yubikeys if you can, especially since people tend to lose them.
Just a heads up, many organizations actually don't accept Windows Hello as a valid 2FA solution, which can be frustrating.
Oh man, that sounds like a challenging situation! I'm pushing hard for desk phones as an option, away from SMS due to its vulnerabilities.