It is pretty common to use an app on your mobile phone for 2nd factor (Google Auth, OKTA, Microsoft).
This is OK as long as we access the apps from a workstation.
This changes when more and more apps are being accessed from the mobile phone, so how are security folks handling this situation?
You must complete a risk-based analysis based upon the users, risk appetite, the organisation in question and the data secured.
This may include considerations such as:
- the classification level of the data
- results of the organisation's risk assessments
- any regulatory requirements governing data
- the security maturity of the organisation
Once this has been completed, its findings should be used to implement an overall policy.
Users handling secure data may be disallowed from using mobile phones at all. Most capable multi-factor authentication systems allow policies that can restrict the ability to install the application on a mobile phone.
Some organisations have granular control over their users' devices with a Mobile Device Management application. In this scenario, it may be prudent to allow corporate users to use their work mobile phone for authentication with a phone application.
Others may even allow personal mobile phones if the data handled is not classified or the risk is low.
It is important to remember to use an application rather than a text message to receive the second factor for authentication. There are too many exploits available for text-based multi-factor.
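As an added illustration of the application-versus-text point above (example code, not part of either answer): what an authenticator app computes is an RFC 6238 time-based code from an enrolment secret it shares with the service, so at login time nothing is sent to the phone over the carrier network. The Go example below implements that code generation, plus the server-side check a practitioner actually needs: a one-step drift window and a record of the last accepted step so a code observed in transit cannot be replayed. The secret is the RFC 6238 test-vector secret, constructed here; the `Verifier` type and its method names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// totpCode computes an RFC 6238 code (HMAC-SHA1, 30-second step, T0 = 0) for
// the given Unix time. This is the arithmetic an authenticator app performs on
// the phone: only the enrolment secret is shared, and nothing is delivered to
// the user over the carrier network at login time.
func totpCode(secret []byte, unixTime int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit of that window is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// Verifier is the service side for one enrolled user (hypothetical type). It
// remembers the last time step it accepted so a code captured in transit
// cannot be replayed within its validity window.
type Verifier struct {
	secret      []byte
	lastCounter int64
}

// NewVerifier starts with no accepted step yet.
func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastCounter: -1}
}

// Verify accepts a 6-digit code for the current step or one step either side
// (clock drift between phone and server) and burns the step it matched.
func (v *Verifier) Verify(code string, now int64) bool {
	for _, skew := range []int64{0, -1, 1} {
		t := now + skew*30
		if t/30 <= v.lastCounter {
			continue // this step, or an earlier one, was already used
		}
		if hmac.Equal([]byte(totpCode(v.secret, t, 6)), []byte(code)) {
			v.lastCounter = t / 30
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret (constructed)
	now := time.Now().Unix()
	code := totpCode(secret, now, 6)
	v := NewVerifier(secret)
	fmt.Println("phone shows:       ", code)
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:   ", v.Verify(code, now))
}
```

The comparison uses `hmac.Equal` so a wrong guess takes the same time as a near miss, and the replay check is per step rather than per code: once a step is burned, a second code for the same step is refused even if it came from the genuine phone.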
We used MDM to push certs to a phone - that's a "what you have". Access to the phone is PIN or fingerprint (what you know or what you are), so it's 2 factor. The application being accessed is cert required. This wasn't an easy path; getting certs to work with some apps isn't easy.
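The "cert required" arrangement that answer describes, as an added Go example that is not the answerer's code: a throwaway CA stands in for the enrolment CA behind the MDM (the MDM push itself is out of scope), a device certificate is issued from it, and an in-process HTTPS server is configured with `tls.RequireAndVerifyClientCert`, so the same request succeeds with the device certificate and is refused at the TLS layer, before any application code runs, without it. The CA name, `device-0001` and `app.example.internal` are constructed; `issueCert`, `fetch` and `runDemo` are this example's own helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert generates a P-256 key and a certificate for it; with parent == nil it
// is self-signed, our stand-in for the CA an MDM would enrol devices against.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// fetch performs one GET against url, presenting clientCert when it is non-nil.
func fetch(url string, roots *x509.CertPool, clientCert *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// runDemo builds the toy PKI, starts a server that demands a client certificate
// chaining to the CA, and sends the same request with and without the device cert.
func runDemo() (withCertErr, withoutCertErr, setupErr error) {
	ca, caKey, err := issueCert("Example MDM Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srvCert, srvKey, err := issueCert("app.example.internal", false, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	devCert, devKey, err := issueCert("device-0001", false, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached after the TLS layer verified the client certificate.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "cert required" policy
		ClientCAs:    pool,
	}
	s.StartTLS()
	defer s.Close()
	withCertErr = fetch(s.URL, pool, &tls.Certificate{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey})
	withoutCertErr = fetch(s.URL, pool, nil)
	return withCertErr, withoutCertErr, nil
}

func main() {
	fmt.Println(runDemo())
}
```

The server never sees a request it cannot attribute to an enrolled device, which is what makes the certificate a usable "what you have" factor. The example generates the device key in memory for simplicity; in a real deployment the key pair should be generated in the phone's hardware-backed keystore so the certificate cannot be copied off the device, and the CA should issue client-only certificates rather than the dual-purpose ones used here.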