topic Re: MFA for Office365 for users refusing to use personal devices in Privacy

MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Mon, 09 Oct 2023 09:44:28 GMT

Greetings Fellow Security Members,

We are currently in the process of rolling out and enabling MFA for all Office365 accounts/users.

For those who've already done so, what strategy or approach have you taken for employees who
refuses to setup MFA on personally-owned devices?

Thanks in advance!

Re: MFA for Office365 for users refusing to use personal devices

CraginS — Tue, 29 Dec 2020 17:11:34 GMT

RSA SecurID or a competitive One Time Password (OTP) system.

I realize this is more costly than sending codes to personal devices, but I believe it is a very legitimate to refuse to use personal devices for office work. Enterprises should step up to the plate and accept the costs of doing business without trying to foist business use onto personal devices.

Craig

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Tue, 29 Dec 2020 17:28:49 GMT

Greetings Craig,

Thank you very much for your time, reply, and recommendation! I think you have a good point regarding the legitimate refusal to use personal devices for office work. Enterprises should indeed look to step up and make available acceptable options as security needs change & arise.

Thank you for your insight and reply!

Re: MFA for Office365 for users refusing to use personal devices

tmekelburg1 — Tue, 29 Dec 2020 20:39:24 GMT

We're going through that process now but applying MFA for VPN access. Basically it was either install it for remote access or don't. If you don't install the app you lose remote access and have to come into the office to work.

Re: MFA for Office365 for users refusing to use personal devices

JKWiniger — Tue, 29 Dec 2020 21:28:21 GMT

@tmekelburg1 I agree with this approach. What it really comes down to is if the company deems it wants to go with MFA to increase security, either for compliance reasons or just to enhance their security then that is what happens. A policy is made and it gets implemented. The use of a personal devices varies from company to company, some pay for the device and the bill others do not. I think it really comes down to how much the device would be used for company business. One could argue that your boss couldn't call you on your cell because that would be using it for business. It's all a matter of where you draw the line.

I think what is really needed to find find out why people object to is and asking them what solutions they would suggest. You can come up with a lot of different solutions but if you don't communicate that this is now required and work with them to negotiate an acceptable solution or compromise you might just end up going in circles, but if the end, this is our policy, then end!

I would like to know what other think about this, a level of acceptance is always needed but there are always those who just try to refuse changes and sadly sometimes those people may need to find a different place.

Just my .02

John-

Re: MFA for Office365 for users refusing to use personal devices

CISOScott — Tue, 29 Dec 2020 21:32:06 GMT

@CraginS wrote:
RSA SecurID or a competitive One Time Password (OTP) system.
I realize this is more costly than sending codes to personal devices, but I believe it is a very legitimate to refuse to use personal devices for office work. Enterprises should step up to the plate and accept the costs of doing business without trying to foist business use onto personal devices.

Craig

We also did what Craig said. Used a hardware based token set up for use with our MFA system.

I will partially disagree with Craig on one point. I can agree against making them use their personal device to perform work on, like checking email, etc. but I do not see using a personal device for MFA as intruding on to their personal ground too much. I personally know of several other sites that require me to use MFA solutions like Google authenticator to access their websites. It is not that burdensome of a process. We will probably disagree or say that it opens Pandora's box of what comes next. First MFA then what? but this is just my 2 cents (opinion).

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Tue, 29 Dec 2020 22:35:38 GMT

Greetings tmekelburg1,

Thank you for your time and response. I appreciate you sharing your current situation applying MFA for VPN access and your approach to install it for remote access or not have the ability to utilize those technologies. I'm in 100% agreement with you from this perspective for sure. Thanks again!

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Tue, 29 Dec 2020 22:51:56 GMT

Greetings John,

Thank you for your time, response, and feedback. I think you hit the nail right on the head regarding having a clear policy in place and implementing. As you've mentioned, it comes down to how often the device would be used and where that line is drawn. I think organizations have been taking full advantage of BYOD and to properly manage and maintain the right level of security for these new "enterprise devices" a policy must be in place and communicated effectively.

Also as you've suggested, I did reach out to some users to better understand their resistance as well as fully explain why enabling MFA has become a standard best practice. The main points I shared include: 1) enhances security to their accounts; 2) informs them of unusual activity of someone trying to gain access to their account to access compnay data or send/receive information on their behalf without their knowledge.

I did offer the option to carry around an additional hardware authentication device (i.e. Yubikey) and that idea was less received than utilizing one's own mobile device for MFA setup.

Again I think you are absolutely correct, along with clear policy messaging, some level of acceptance is required but also an additional option may be needed or provided for the small percentage who's unwilling to use personal devices for business use.

Thanks again for your time, response and feedback!

Nick

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Tue, 29 Dec 2020 23:00:23 GMT

Greetings CISOScott,

Thank you very much for your time and feedback. I truly appreciate you sharing how you and your team used a hardware based token for use with MFA. I definitely think it's the way to go! I think it is definitely our responsibility to ensure staff members know exactly how the process works and the reasons behind our push as a top priority as workers access the organizations data from any location.

You also bring up a great point on how several other sites require the use of MFA for example most if not all banking access will require some form of additional authentication, or even big brand corporations especially after an incident occurs; the first thing they would recommend is to enable MFA for the best protection against unauthorized access. This is certainly credible information which can be used to enhance those necessary one on one conversations.

Thanks again

Thank you very

Re: MFA for Office365 for users refusing to use personal devices

JKWiniger — Tue, 29 Dec 2020 23:28:40 GMT

@CISSP-Surf I just feel like making a stronger point of getting their ideas. I think we have all run into situations where people simply do not like our solutions to things, and it's easy to say you don't like something but when you ask, well how would you do it, or what is a better way since you don't like mine people tend to be more agreeable because then they have to think about it and often don't have an better ideas.

I have always found it interesting how fast people who do not try criticize those who do!

John-

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Wed, 30 Dec 2020 00:58:08 GMT

@JKWiniger you certainly make an interesting point. It's very easy for someone to dismiss another persons solution, but asking for feedback/recommendations do make those folks think about it in a different way. I think I'll start implementing your strategy moving forward, which opens the door for deeper conversation and where I can get staff more engaged in the thought process and strategy behind our solution selections & implementation.

I'm fairly confident I'll see some of the same the results you've experienced where folks are more agreeable.

Thanks again,

Nick

Re: MFA for Office365 for users refusing to use personal devices

tmekelburg1 — Wed, 30 Dec 2020 13:34:35 GMT

@JKWiniger wrote:
I agree with this approach. What it really comes down to is if the company deems it wants to go with MFA to increase security, either for compliance reasons or just to enhance their security then that is what happens. A policy is made and it gets implemented. The use of a personal devices varies from company to company, some pay for the device and the bill others do not. I think it really comes down to how much the device would be used for company business. One could argue that your boss couldn't call you on your cell because that would be using it for business. It's all a matter of where you draw the line.

For us, it was to increase security. We typically hand out COPE, company owned personally enabled, mobile phones for workers who need to always be connected.

@CISSP-Surf I haven't really thought this out long term because we would never, at least not at this point, have BYOD in our regulated environment but maybe adding an extra $5-$10 a paycheck for staff who choose to use their own devices? Just as an incentive for saving the company money.

Re: MFA for Office365 for users refusing to use personal devices

CISOScott — Wed, 30 Dec 2020 14:54:22 GMT

@JKWiniger wrote:

I think what is really needed to find find out why people object to is and asking them what solutions they would suggest. You can come up with a lot of different solutions but if you don't communicate that this is now required and work with them to negotiate an acceptable solution or compromise you might just end up going in circles, but if the end, this is our policy, then end!

I would like to know what other think about this, a level of acceptance is always needed but there are always those who just try to refuse changes and sadly sometimes those people may need to find a different place.

Just my .02

John-

@JKWiniger This part in bold will enhance any CISSP's career. If y'all do not get anything else from this conversation understand the part in bold above. Find out why people are objecting to whatever security idea, policy, procedure, whatever, you are proposing or enforcing..

Maybe they have a misconception and think that if they have MFA on their personal phone then they will be required to do work on personal time, or that they can be tracked by the company, or that by having this on their phone it opens the possibility of their phone being seized if a lawsuit happens, etc..

I have seen more InfoSec careers derailed by people not understanding this principle of "Seek first to understand and then to be understood" and just trying to force security on people.

Infosec is not tyranny, it is symmetry.

Re: MFA for Office365 for users refusing to use personal devices

gidyn — Wed, 30 Dec 2020 17:30:30 GMT

https://authenticator.cc/ might help if it's compatible with Office365 and your security policy.

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Wed, 30 Dec 2020 20:42:42 GMT

@tmekelburg1

Hmmm I never really thought about providing some incentive for not only saving the company money long term, but also to create internal ambassadors to assist us with getting others on the same page. Thank you for sharing these insights with us!

Re: MFA for Office365 for users refusing to use personal devices

CISSP-Surf — Wed, 30 Dec 2020 20:45:38 GMT

@gidyn thank you for your time and feedback. We'll check this out and see what it can offer.
Thanks again!

Re: MFA for Office365 for users refusing to use personal devices

JKWiniger — Wed, 30 Dec 2020 21:11:47 GMT

I just want to take a moment to thank the newer people for contributing and starting this thread. To me, it's really why we are here, to think about things and try to think of what we could or should be doing! So thank you and please keep it up!

John-