CISSP-Surf
Newcomer II

MFA for Office365 for users refusing to use personal devices

Greetings Fellow Security Members,

 

We are currently in the process of rolling out and enabling MFA for all Office365 accounts/users.

For those who've already done so, what strategy or approach have you taken for employees who
refuse to set up MFA on personally-owned devices?

 

Thanks in advance!

16 Replies
CraginS
Defender I

RSA SecurID or a competitive One Time Password (OTP) system.

I realize this is more costly than sending codes to personal devices, but I believe it is very legitimate to refuse to use personal devices for office work. Enterprises should step up to the plate and accept the costs of doing business without trying to foist business use onto personal devices.

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
CISSP-Surf
Newcomer II

Greetings Craig,

 

Thank you very much for your time, reply, and recommendation! I think you have a good point regarding the legitimate refusal to use personal devices for office work. Enterprises should indeed look to step up and make available acceptable options as security needs change & arise.

 

Thank you for your insight and reply!

tmekelburg1
Community Champion

We're going through that process now but applying MFA for VPN access. Basically it was either install it for remote access or don't. If you don't install the app you lose remote access and have to come into the office to work. 


JKWiniger
Community Champion

@tmekelburg1 I agree with this approach. What it really comes down to is: if the company deems it wants to go with MFA to increase security, either for compliance reasons or just to enhance their security, then that is what happens. A policy is made and it gets implemented. The use of personal devices varies from company to company; some pay for the device and the bill, others do not. I think it really comes down to how much the device would be used for company business. One could argue that your boss couldn't call you on your cell because that would be using it for business. It's all a matter of where you draw the line.

 

I think what is really needed is to find out why people object to it and ask them what solutions they would suggest. You can come up with a lot of different solutions, but if you don't communicate that this is now required and work with them to negotiate an acceptable solution or compromise, you might just end up going in circles. But in the end, this is our policy, then end!

 

I would like to know what others think about this. A level of acceptance is always needed, but there are always those who just try to refuse changes, and sadly sometimes those people may need to find a different place.

 

Just my .02

 

John-

CISOScott
Community Champion


@CraginS wrote:

RSA SecurID or a competitive One Time Password (OTP) system.

I realize this is more costly than sending codes to personal devices, but I believe it is very legitimate to refuse to use personal devices for office work. Enterprises should step up to the plate and accept the costs of doing business without trying to foist business use onto personal devices.

 

Craig


We also did what Craig said: used a hardware-based token set up for use with our MFA system.

I will partially disagree with Craig on one point. I can agree against making them use their personal device to perform work on, like checking email, etc., but I do not see using a personal device for MFA as intruding onto their personal ground too much. I personally know of several other sites that require me to use MFA solutions like Google Authenticator to access their websites. It is not that burdensome of a process. We will probably disagree, or say that it opens a Pandora's box of what comes next. First MFA, then what? But this is just my 2 cents (opinion).

CISSP-Surf
Newcomer II

Greetings tmekelburg1,

 

Thank you for your time and response. I appreciate you sharing your current situation applying MFA for VPN access and your approach of installing it for remote access or not having the ability to utilize those technologies. I'm in 100% agreement with you from this perspective for sure. Thanks again!

CISSP-Surf
Newcomer II

Greetings John,

 

Thank you for your time, response, and feedback. I think you hit the nail right on the head regarding having a clear policy in place and implementing it. As you've mentioned, it comes down to how often the device would be used and where that line is drawn. I think organizations have been taking full advantage of BYOD, and to properly manage and maintain the right level of security for these new "enterprise devices" a policy must be in place and communicated effectively.

 

Also, as you've suggested, I did reach out to some users to better understand their resistance as well as fully explain why enabling MFA has become a standard best practice. The main points I shared include: 1) it enhances the security of their accounts; 2) it informs them of unusual activity, such as someone trying to gain access to their account to access company data or send/receive information on their behalf without their knowledge.

 

I did offer the option to carry around an additional hardware authentication device (i.e. YubiKey), and that idea was less well received than utilizing one's own mobile device for MFA setup.

Again, I think you are absolutely correct: along with clear policy messaging, some level of acceptance is required, but an additional option may also need to be provided for the small percentage who are unwilling to use personal devices for business use.

 

Thanks again for your time, response and feedback!

Nick

CISSP-Surf
Newcomer II

Greetings CISOScott,

 

Thank you very much for your time and feedback. I truly appreciate you sharing how you and your team used a hardware-based token for use with MFA. I definitely think it's the way to go! I think it is definitely our responsibility to ensure staff members know exactly how the process works and the reasons behind our push, as a top priority, as workers access the organization's data from any location.

You also bring up a great point on how several other sites require the use of MFA. For example, most if not all banking access will require some form of additional authentication, or even big-brand corporations, especially after an incident occurs; the first thing they would recommend is to enable MFA for the best protection against unauthorized access. This is certainly credible information which can be used to enhance those necessary one-on-one conversations.

 

Thanks again

 

Thank you very 

JKWiniger
Community Champion

@CISSP-Surf I just feel like making a stronger point of getting their ideas. I think we have all run into situations where people simply do not like our solutions to things, and it's easy to say you don't like something, but when you ask, "Well, how would you do it?" or "What is a better way, since you don't like mine?", people tend to be more agreeable because then they have to think about it and often don't have any better ideas.

 

I have always found it interesting how fast people who do not try criticize those who do!

 

John-