Using personal phone number for user identification to access company files

MaLiYa

Recently our company email system got hacked. It was decided that multifactor identification be introduced. We were told that, in addition to our username and password, we had to use a phone number to validate access to our company filesharing system. This filesharing system is hosted by Microsoft and consists of the likes of SharePoint, Teams, OneDrive and other similar platforms.

So I clicked on the link we were given and followed the instructions. Microsoft gives options to use a landline, mobile or app as part of the identification. I couldnt use my work number as this will be answered by a receptionist who won’t know what the automated call is about. I have an extension but this wont work with this verification system. I dont have a work mobile nor do I want one and I didnt want to use my personal phone as I want to keep that number exclusively for non-work stuff. Used a colleagues mobile number but it turned out that I was being logged out of almost all applications and when I needed to verify my identiy, he was getting calls and had to press the hash key on the phone to verify. He wasnt long getting tired of it so I just decided to use my own personal mobile number for the sake of convenience so now if I need to verify my identity, a text is sent to my phone and I have to enter a code on the computer.

Whats the deal with this in terms of GDPR. As a matter of principle, I dont like the idea of a company in a way enforcing us to use our own private details to make our work lives easier. I know its only a small thing but I like to keep my own private number private.

Marcusm

Then don’t access work email except while on the offficeLAN.

MaLiYa

Even when on LAN, I can get logged out now and again. Or maybe not logged out. For example, I saved a word file as a pdf and it asked for identification.

antix80

Simple solution. Dig out an old phone.
Keep the phone with your work stuff (charging on your desk or in your laptop bag)

It's not that complicated.

As you posted this in legal discussion...

"i dont have a work mobile nor do I want one"

It would be reasonable to use a work phone during working hours if requested by your employer and if they provided it.
No legal issue there.

As for gdpr.. If you provide your personal number and microsoft only use it to text you a validation code there's no gdpr issue.

Heebie

If it's all Microsoft crap software, can't you use Microsoft's authenticator app?
That wouldn't require using your phone number. (although it would still involve infecting your phone with crappy Microsoft malware)

whippet

Heebie wrote: »

If it's all Microsoft crap software, can't you use Microsoft's authenticator app?
That wouldn't require using your phone number. (although it would still involve infecting your phone with crappy Microsoft malware)

It’s not about MS being crap .. it’s company policy to enforce two factor authentication for security etc. If anything it is best practice.

The only limiter is the OPs refusal to allow this 2FA to use his mobile number. While the OP is entitled to dig their heels in it that is a matter for them and the company.

There is no GDPR issue here - which for some reason seems to be the go-to claim when ever someone is unhappy with anything IT or data related.

While I can’t for the life of me understand why the OP won’t use their phone number to facilitate better security it is their decision. What it will boil down to is how willing the organisation is to find another solution solely for this one employee and how much that employee is really valued.

Glass fused light

whippet wrote: »

It’s not about MS being crap .. it’s company policy to enforce two factor authentication for security etc. If anything it is best practice.

The only limiter is the OPs refusal to allow this 2FA to use his mobile number. While the OP is entitled to dig their heels in it that is a matter for them and the company.

There is no GDPR issue here - which for some reason seems to be the go-to claim when ever someone is unhappy with anything IT or data related.

While I can’t for the life of me understand why the OP won’t use their phone number to facilitate better security it is their decision. What it will boil down to is how willing the organisation is to find another solution solely for this one employee and how much that employee is really valued.

I don't see it as a GDPR issue either.

However I disagree that an employee should have to use a personal device, has after all it's about how linked does a person want their personal devices to their work life.

There is the Red Flag/O'Brien development where individual employee's personal tech was targeted. The question is how much risk would attach to the employee and their personal devices in litigation claims or other legal cases, (and how legal their personal life footprints are).


The company are introducing a system but are not willing to fully finance the hardware needed to run the system. They have decided to oblige their employees into providing the hardware needed with no alternative workaround for anyone.

I have found that with some companies the creep and bluring of work costs and personal equipment is at times senior management not accounting for the economic impact this pushes back onto lower paid staff.

The suggestion that a company would constructively dismiss or outright sack an employee underlines the responsibility for organisations not to build policy, process or proceedures on infrastructure they are not willing to finance.

whippet

The OP has clearly stated he wouldn’t take a company phone. So that is a mute point.

There is no chance of a personal phone being ‘hacked’ if it is used for 2FA ... that is just tin foil hat stuff.

2FA is becoming standard and unfortunately the OP seems to not want to move with the times and generally employees who don’t want to evolve tend not to progress either

Glass fused light

whippet wrote: »

There is no chance of a personal phone being ‘hacked’ if it is used for 2FA ... that is just tin foil hat stuff.

I never suggested that the personal phone can be hacked?

whippet wrote: »

The OP has clearly stated he wouldn’t take a company phone. So that is a mute point.
...
2FA is becoming standard and unfortunately the OP seems to not want to move with the times and generally employees who don’t want to evolve tend not to progress either

My point was that the company need to make company tech work as a standard within the setup. So a company work number needs to be standard issue if they are going down a route of needing a phone to log on to the system.

The onboarding should have been "here is the new system and here is the direct dial number or new mobile phone".

Onboarding new methods of doing things is always a pain and why user acceptance or what ever the new buzz word is so important. And it's usually the 2 or 3 key employees who can't be given the corporate boot in the ass that are the "late adapters". And as they are key they can get special adaptations written in to the process and that can lead to a whole other world of political one-up-manship.

That the landline can't be used is an on-boarding / implementation design flaw in the process. In this instance the reconfiguring the phone system, giving people a direct dial number would have knocked the receptionist out of the loop and the excuse off the table. Ditto if you get a laptop you get issued with a mobile phone too.

On a security level the OP tried to put in their own workaround using other staff's mobile numbers. In doing so removed the benefit of the 2 part authentication. Introduced risk of the other employee being accused of accessing the system via the OP's ID. So why did the system allow two employee IDs to use the same mobile number.

blackbox

Why won't you take a company phone?

whippet

blackbox wrote: »

Why won't you take a company phone?

some people are funny like that

In my experience people who don't want company phones are the types who will do what they have to do as part of their job description - nothing more nothing less and generally show little ambition

antix80

whippet wrote: »

In my experience people who don't want company phones are the types who will do what they have to do as part of their job description - nothing more nothing less and generally show little ambition

Depends on the company and the job really. In my current job I'm contactable by clients so I use a work phone which I can divert or leave in the office when on annual leave or otherwise unavailable. In previous jobs I didn't have a work phone because only a few colleagues would need to contact me and there was no benefit to having a separate phone just for that.

In op's case, it's simply a case of installing an app on their personal phone that pops up a message only when the op is at work and tries to log into sharepoint. I don't think it's necessary to have a separate phone just for that - but as I stated it would be very easy to pick up an Android and keep it with the work laptop just for this purpose. I'm sure the employer has a few old work phones with smashed screens lying around.

Ger Roe

whippet wrote: »

some people are funny like that

In my experience people who don't want company phones are the types who will do what they have to do as part of their job description - nothing more nothing less and generally show little ambition

That's one broad assumption, even if it is your own experience.

I once refused a company phone because I had witnessed how a senior manager in a household name big corporation abused his position with them. He lived in his office and would often not leave until 10pm or later (he was being extremely well paid and retired very early with a big nest egg), I often saw him call other employees at that hour and later, to ask non urgent questions that could easily have waited until the morning. He did it out of pure malice, to keep them on their toes and to let them know who was boss. He would say as much while he was making the call.

He burnt through staff that way, by putting pressure on them late at night and disrupting their ability to sleep. When they failed to respond accordingly they were classed as wimps and passed over. I refused to take a company phone but told him that I was always available on my personal mobile or landline, in cases of urgency - but it better be urgent. I did respond to genuine urgent and emergency calls, some well after midnight, but they were very few and far between and always did require an urgent response.

I wasn't playing the' keeping them on their toes' game, but I regularly went above and beyond my job description and had lots of ambition. I would share the OP's wish to keep work and home life separate, particularly if the tech devices of the modern workplace are used deliberately to erode the required distinction.

whippet

Ger Roe wrote: »

That's one broad assumption, even if it is your own experience.

I once refused a company phone because I had witnessed how a senior manager in a household name big corporation abused his position with them. He lived in his office and would often not leave until 10pm or later (he was being extremely well paid and retired very early with a big nest egg), I often saw him call other employees at that hour and later, to ask non urgent questions that could easily have waited until the morning. He did it out of pure malice, to keep them on their toes and to let them know who was boss. He would say as much while he was making the call.

He burnt through staff that way, by putting pressure on them late at night and disrupting their ability to sleep. When they failed to respond accordingly they were classed as wimps and passed over. I refused to take a company phone but told him that I was always available on my personal mobile or landline, in cases of urgency - but it better be urgent. I did respond to genuine urgent and emergency calls, some well after midnight, but they were very few and far between and always did require an urgent response.

I wasn't playing the' keeping them on their toes' game, but I regularly went above and beyond my job description and had lots of ambition. I would share the OP's wish to keep work and home life separate, particularly if the tech devices of the modern workplace are used deliberately to erode the required distinction.

To be fair that is an exceptional case .. and more a reflection of a man individual rather than the norm. I’ve had a company issued phone for the last 15 years and it’s also my personal phone .. I’ve never experienced anything like what you have described.

Glass fused light

whippet wrote: »

some people are funny like that

In my experience people who don't want company phones are the types who will do what they have to do as part of their job description - nothing more nothing less and generally show little ambition

Thinking that not wanting a mobile phone shows a lack of ambition is tied into the idea that the employee must be available 24/7.

In the OPs post there is nothing to suggest they have a business need for a work phone. They appear office based and the IT upgrade failed to facilitate people who were office based and without a work mobile phone. That's a basic planning failure and an implementation failure on behalf of the IT management.


If a person is office based what business need is there for a work mobile phone?
There are very few times when proper planning results in a businesses needing to contact office based people out of hours.

And as I remind people, your hourly rate is the salary / actual time you are working for the organisation. By working unrecognised and unpaid overtime an employee gains very little. Your much better off going in to the boss/manager at 4ish each day and giving a status update before asking if there will be anything that needs "emergency" cover. That would be more memorable at review time rather the random afterhours calls which become the new "standard" work time.

whippet

A few posters here seem to be talking like they are reading out of text books.

The vast majority of businesses in Ireland are SME and the reality of the workplace is completely different to hope people seem to think it should work.

Flexibility works both ways and when used correctly both the organisation and employees benefit.... it’s a cultural thing and across my 20 odd years in industry I can say that people who are not flexible tend to get left behind when times are good and are first to be let go when times get tough .. but what would I know .. it’s been a long time since I had to remember answers from basic business and HR text books

irishfire

I think there is a lot of talk here about something very small, OP has the choice of either recieving an SMS when they are logging in or doing something sensitive (password change etc) or else use the Microsoft Authenticator app to get these as push notifications which they accept. If you have an issue with the app then you can use the SMS's, no app, no data usage, nothing. From memory not even the IT admins can see what number you have registered for 2FA unless it's also in the company directory, so your personal mobile number can't be released mistakenly within the company.

In the event your account is compromised and malicious activity carried out under your name, would you be taking responsibility
OP? I would imagine not.

In fact, if I had a user that willingly used another users number to setup their 2FA I would be reporting both of them to HR for circumventing security procedures, and I would have the full support of our management on that decision.

I find that office based staff are actually more important to have 2FA/tighter security as they usually have greater access to sensitive information by virtue of the fact that they are office based and it is taken that they won't be using their account outside the office, which may be the case, but usually the facility is still there and presents a vulnerability.

If anything this is a benefit to you, as you will know if someone tries to use your account maliciously, by virtue of an SMS that you can follow up on. I have often witnessed data losses resulting from repeated access to a compromised account over periods of months or years.

Also agree with other posts about flexibility. From first hand experience, receiving a text on a personal mobile every so often is the very thin end of what some people are willing to accommodate. If that's an issue for someone I would be overlooking them on a multitude of other things, purely because I know it isn't worth the hassle.