So recently my work, a mid sized engineering firm, decided to start upgrading their IT security. The rumor is that we have potential DOD work coming our way. Over the past few months there has been multiple company decided changes to our 2 factor authentication mobile app. I willingly installed the app on my phone over a year ago because without it I could no longer use my laptop out of office and couldn't use Microsoft teams or outlook on my phone.
So about 2 months ago my company updated the 2FA policy and because of that, my phone is no longer compliant on the basis of it being to old. The initial consequences were that I lost access to email and teams on my phone, not a big deal because I prefer not to think about work on my off hours. Fortunately, I could still use a txt message to 2FA into my laptop incase I did need to work from home.
Fast forward to last Friday, our IT director sent out an email saying they were again making changes to the 2FA policy over the weekend. Among other things, the changes included removing the txt 2FA option, meaning I could no longer access anything work related as soon as I step out of my office building. Sounds like a dream right, and a good excuse to fall back on.
Come Monday, I find out that I need to use the 2FA app to access our payroll software to fill out my timesheet, even when I am inside the office sitting at my desk. Luckily, I filled out my previous weeks timesheet on Friday. So next Monday, as far as I'm aware, I will not be able to fill out my timesheet to get paid.
My situation: I will admit I am stubborn about buying new electronics, my phone is a Samsung S8 that I bought in 2017 when it was brand new. I currently see no benefits of anything the new phones have to offer but the day my phone decides to die, I will gladly walk into a store and buy a brand new android phone. My work does not provide cell phones and has refused my request to compensate me for my work related phone usage. I have been very vocal to my manager and bosses that they cannot force me to buy a new phone just to continue doing my job efficiently, and now it seems doing my job at all. The responses I have recieved were very indirect and not at all helpful to my situation. Really, I just want them to give me an ultimatum or some other option. I am not willing to lose my job over this but I dont want to give in and buy a new phone just so I can click OK on an 2FA app.
So Lemmy, how should I approach this ticking time bomb?
Any company taking 2FA seriously will either compensate you for the requirements to fulfill that security, or provide you with the devices necessary. I used to work at Duo. I currently work for another company that does more or less the same thing. Your company's security team will do whatever it takes to get you compliant because not doing that is on them and not you.
It's honestly wild for a company to allow an employee to be on the verge of locked out of critical services and not be resolving that on their own. They have the metrics in duo to be able to see that you have no viable device to 2FA with.
Oh they knew my phone was outdated, and so did I based on a direct email to me but I was not made aware of the consequences for non compliance and therefore could not react accordingly. That's why I am in the spot I'm at, willing to fold but still looking for alternate routes.
It's the IT department's job to make sure you have all the hardware you need to do your job. While not being able to track your time is something that affects you more than it affects the company, it's still part of the job.
It is certainly not your job to buy new devices with your own money. Also, I would highly advise your IT department against letting you use a private device that you carry around in your free time and even on vacation as your second factor. Anything that can be used to access your work data should never be with you when you're getting drunk in a bar.
If you're financially stable enough that getting paid a few days late doesn't hurt you too much, I would recommend you ask IT for a new phone (that you will only use for work!) and hand in your time sheets in whatever form is the least convenient for HR until the problem is resolved.
What they're saying is that you should never be expected to get a new private phone yourself, it's their responsibility to get one for you. Just ask them to give you a device with which to do 2fa with.
Agreed. I'm a sysadmin and manage Duo for my org. They should provide you with a device that complies with their policy or make an exception for you. They won't do the latter, so the former is up to them to solve.