SAP Concur Authenticator App? How to avoid using my phone?

Zarathustra[H] (Extremely [H]; joined Oct 29, 2000; 38,822 messages)
Hey, has anyone figured this out?

I have never run into anything called an "authenticator app" before, but all of a sudden SAP Concur is forcing this on me.

I'm not about to install some random app on my personal phone.

Has anyone figured out a way to get their 2-factor authentication to work without using a cellphone app?

Options are to either scan a QR code (which I will not be doing) or to set up manually with a key, but there are absolutely no instructions as to what this key is or what I can do with it.

Anyone know of any non-phone app options here?

It's absolutely ridiculous that they don't offer an SMS or Phonecall or even an email option.

Are there any authenticator apps that are trustworthy that will run on a PC?

I'd appreciate any suggestions from anyone in the know!
 
Freaked out for a second, but doesn't apply to me, SSO FTW. The videos on their site make it pretty clear, you can use Microsoft/Google authentication or whatever you want. It's just QR-based 2FA. There are extensions for browsers on the computer for the same. Heck, Bitwarden and I think a few other vaults offer all-in-one storage.

Despite being a Bitwarden user I personally use Microsoft's authenticator for all of my 2FA. YMMV.

https://community.concur.com/t5/Sup...t-Up-Two-Factor-Authentication-2FA/ba-p/60990

Oh and text/phone call based 2FA is not safe and weak as hell. Numbers can be spoofed and routed. Your phone number is as valuable as your SSN and DOB these days because of that.
 
I'm not about to install some random app on my personal phone.


It's absolutely ridiculous that they don't offer an SMS or Phonecall or even an email option.
If work requires you to use a phone app then they need to supply the phone it runs on. Much as work says their stuff, read laptop, is not for personal use, I say my phone is not for their business use. Yes, it is sometimes a PITD to carry two phones. I also never have to worry about my phone getting remote wiped. Business and personal do not mix, ever! As kydsid said, SMS-based auth is WAF and should be avoided.
 
Putting it on your computer and not using your phone kind of nullifies the security benefit of having rolling-code 2FA. This is something you should already be using personally where possible. I have been using the Google Authenticator app for years with my Twitch, Discord, Coinbase, etc. To keep work separate from personal I have the Microsoft Authenticator app for work stuff.

If work requires you to use a phone app then they need to supply the phone it runs on. Much as work says their stuff, read laptop, is not for personal use, I say my phone is not for their business use. Yes, it is sometimes a PITD to carry two phones. I also never have to worry about my phone getting remote wiped. Business and personal do not mix, ever! As kydsid said, SMS-based auth is WAF and should be avoided.
This is not true. They only have to pay out if your personal phone is needed to perform the job, so if you're required to make and receive calls, texts, chats to do your job. A 2FA app doesn't tick that box and you'd be seriously at a disadvantage to fight it. It's a simple app that has rolling codes. You open the app, it has the code, you type it in. No fuss, no BS, no remote wipe.
 
This is not true. They only have to pay out if your personal phone is needed to perform the job, so if you're required to make and receive calls, texts, chats to do your job. A 2FA app doesn't tick that box and you'd be seriously at a disadvantage to fight it. It's a simple app that has rolling codes. You open the app, it has the code, you type it in. No fuss, no BS, no remote wipe.
It is absolutely true. It's your phone and your employer cannot require you to install a third-party app on your phone. The best method is simply "I don't have a mobile." You lacking the ... tenacity to push the issue is a you problem. I can't speak for small shops but most large companies will also insist on installing MDM once you install a corporate app so they can push updates. Once that happens they can, and generally will as a matter of policy when you leave, remote wipe your phone. They can also have policies that prevent you from fully backing up your phone. You're free to do you and bow down to your corporate overlords.
 
It is absolutely true. It's your phone and your employer cannot require you to install a third-party app on your phone. The best method is simply "I don't have a mobile." You lacking the ... tenacity to push the issue is a you problem. I can't speak for small shops but most large companies will also insist on installing MDM once you install a corporate app so they can push updates. Once that happens they can, and generally will as a matter of policy when you leave, remote wipe your phone. They can also have policies that prevent you from fully backing up your phone. You're free to do you and bow down to your corporate overlords.

Employment issues like this depend on where you live and who you work for; it could go either way. More importantly, with SAP Concur it doesn't matter, as your employer has complete and total control of your account. This 2FA is just for your ability to log in to your employer account in the SAP system. And more importantly, it is in the employee's interest to secure this account, as Concur accounts have everything needed to fly, so all the good PII that you definitely don't want to get out. So fight all you want, but I'd take the road of securing the account first, then fight.
 
It's a simple app that has rolling codes. You open the app, it has the code, you type it in. No fuss, no BS, no remote wipe.

I don't trust them. The sole purpose of "apps" is to harvest your data. You are the product.

I put a freeze on my apps in 2017. I figured I can't undo the damage that had already been done, but I can avoid making it worse.

Since then I don't install apps, period. No functionality, no matter how great, will change my mind about this.

I have not created an account with any new service, or installed an app from any developer since then, and I am not going to change that now or ever.

That includes authenticator apps.

I purged all apps I had installed on my phone back in 2017, except for a select few I decided I really needed, and decided then and there I would never install a new app or create a new account no matter what.

I want no more spyware in my life than absolutely necessary.

I personally use strong passwords (randomly generated) unique for every system I use, and I have trained myself to never ever click links in emails or text messages, so for me 2FA/MFA is a complete waste. It adds no security at all.

I understand with the lowest common denominator morons out there why MFA needs to be rolled out across organizations, but personally it adds no security benefit for me at all, and I avoid enabling it at almost any cost.

If I can't figure out a way around this, I guess I'm not using concur anymore, and if that becomes a problem at work, I guess I'll have to find another job.

There is no way in hell I'm installing an app on my phone for this.
 
It is absolutely true. It's your phone and your employer cannot require you to install a third-party app on your phone. The best method is simply "I don't have a mobile." You lacking the ... tenacity to push the issue is a you problem. I can't speak for small shops but most large companies will also insist on installing MDM once you install a corporate app so they can push updates. Once that happens they can, and generally will as a matter of policy when you leave, remote wipe your phone. They can also have policies that prevent you from fully backing up your phone. You're free to do you and bow down to your corporate overlords.
Tenacity? It seems more like petty, imo. If you really want to die on the hill of refusing to install a free app that costs you zero money and doesn't use any of the services on your device that cost money, then knock yourself out. How are they going to insist you join MDM with an authenticator? It's not a corporate app and is freely available on all of the app stores.

I can tell you first hand Google/MS authenticator apps don't harvest anything, but you've already stated that nobody is going to change your mind on this falsity. If you think that's the case, though, then if you install one on your PC are you really preventing them from harvesting your data?
 
I personally use strong passwords (randomly generated) unique for every system I use, and I have trained myself to never ever click links in emails or text messages, so for me 2FA/MFA is a complete waste. It adds no security at all.

Let's say you use randomly generated 32-character ASCII passwords. That is plenty strong enough. But 2FA would add security. It's just not true that it won't.

I cannot see how the authenticator apps are of any concern. The main ones are giveaways from the large companies. The app itself is innocuous.
 
I can tell you first hand Google/MS authenticator apps don't harvest anything but you've already stated that nobody is going to change your mind on this falsity.

Based on what? Prove it?

The assumption is that every single app and every single account collects and sells data these days. If one doesn't, it is a shocking outlier.


If you think that's the case, though, then if you install one on your PC are you really preventing them from harvesting your data?

I'll have to make sure there is nothing to steal. A dedicated VM with nothing else on it should do the trick.
 
Let's say you use randomly generated 32-character ASCII passwords. That is plenty strong enough. But 2FA would add security. It's just not true that it won't.

Could you describe the attack vector? I'm open to learning new things I haven't thought of, but I just can't think of any.

If passwords are strong and unique to every account, then the only way someone will be logging in with one of your passwords is if they either phished you, or if they stole it from the site it is being used on.

The former doesn't happen, since I never click links in emails or text messages. I have trained myself to open sites manually even when I am certain the email is legit.

If the latter happens, then the site is compromised already anyway, so what good is MFA going to do?

I feel like the only reason we need 2FA/MFA is poor security hygiene from the lowest common denominator morons. Those of us who do things right simply don't benefit.
 
Based on what? Prove it?

The assumption is that every single app and every single account collects and sells data these days. If one doesn't, it is a shocking outlier.
Based on packet captures and deep packet inspection. I don't have any care to prove anything to someone who's telling me they refuse to change their mind.

There are a lot of apps out there that don't collect data, but like you said before, your mind is unchangeable.
 
Well, that was a pain in the ass, but at least I think I understand how it works now.

There is no network traffic (unlike what I expected). The 6-digit code is generated cryptographically based on the time and the added key.

That part would have been good to know before. I had never run into an authenticator app before.

I had previously been under the impression that the site itself created a code and transmitted it, not that it could be generated locally. In a way, it is not entirely like those little digital fobs we used to authenticate with our banking sites back in the 90's.

Either way, I tried many things. In the end what I got to work was running Android Studio's Android emulator, sideloading the Google Authenticator app (so I didn't need to log in with any account) and then using that to generate the digits. Major pain in the ass, but at least now I have a phone-free solution I am happy with.
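The post above describes what it worked out by trial and error: the code is computed locally from the shared key and the current time, with no network traffic. The following is an added worked example of that computation (not code from the thread, from SAP Concur, or from any authenticator vendor), following RFC 4226 (HOTP) and RFC 6238 (TOTP) with only the Python standard library. It shows what the QR code and the "manual setup key" actually carry and how a server verifies a submitted code. The otpauth:// URI, issuer and account name are constructed for illustration; the secret is the RFC 6238 test key "12345678901234567890", base32-encoded, so the outputs can be checked against the RFC's test vectors.

```python
# Added example: how an authenticator app turns the "setup key" / QR code into a
# 6-digit code (RFC 4226 HOTP + RFC 6238 TOTP). Not code from the thread or from
# SAP Concur; the enrollment below is constructed for illustration.
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment (hypothetical issuer/account). A real QR code
# encodes exactly this kind of otpauth:// URI; the "manual setup key" a site
# shows next to it is the value of the secret= parameter. The secret here is the
# RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = (
    "otpauth://totp/ExampleIssuer:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleIssuer&digits=6&period=30"
)


def decode_setup_key(text):
    """Turn a displayed setup key into raw secret bytes.

    Sites show the key in spaced groups ("gezd gnbv ...") and usually omit the
    '=' padding, so normalise before base32-decoding.
    """
    key = "".join(text.split()).upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def parse_otpauth(uri):
    """Extract the parameters an authenticator app needs from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": decode_setup_key(params["secret"]),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: the counter is the number of `period`-second steps since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, code, at=None, digits=6, period=30, window=1, algorithm="SHA1"):
    """Server-side check: accept the current step and +/- `window` steps of clock
    drift, comparing in constant time. Both sides need only the shared key and a
    clock; nothing is transmitted to produce the code."""
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    enrollment = parse_otpauth(SAMPLE_URI)
    now = time.time()
    code = totp(enrollment["secret"], now, enrollment["digits"], enrollment["period"])
    print(enrollment["label"], code, "valid for", 30 - int(now) % 30, "more seconds")
```

Two things the example makes concrete. First, anything that holds the decoded secret and has a roughly correct clock produces valid codes: a phone app, a desktop app, a browser extension, a password vault, or the emulator the post above ended up using; the secret is the credential, not the device. Second, the server only accepts a small window of steps around its own time, so a code copied from a screen is useful to an attacker for well under a minute, which is the property that makes TOTP stronger than a static password but still phishable in real time.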
 
I had never run into an authenticator app before.

How have you been using any of your Office apps without an authenticator app? Are they calling or texting you? I'd recommend not using calling or texting as an MFA option for accounts; that's just an invite to get SIM swapped now.
 
How have you been using any of your Office apps without an authenticator app? Are they calling or texting you? I'd recommend not using calling or texting as an MFA option for accounts; that's just an invite to get SIM swapped now.

I don't recall ever having to use MFA for office. For home, I have old non-365 versions of office, but I rarely use them. For what I do at home, LibreOffice is fine.

I generally avoid anything and everything cloud, and refuse to even have a Microsoft account, or any kind of syncing between devices or browsers. I have all that shit disabled on my phone too.

For work, I honestly can't remember the last time I had to sign in to anything, other than logging in to Windows on my work laptop, and that doesn't require any MFA. It would drive me up a wall if it did. Maybe they have it set up via SMS? I honestly can't remember. It has probably been years since I signed into anything. I've had to update my password a few times, but that's just the same old Active Directory drill. I don't recall it triggering anything MFA.

CTRL-ALT-DEL, change password, move on with life.

I'm in non-software product development startup land. We don't have fancy validated software systems, issue trackers, or really databases for anything.

I work on local copy files on SMB/CIFS shares like it is 2005. When I make a change I save as, and manually increase the revision number, and add my initials to the end of the file name. I also enable track changes. And I like it that way. I don't like any of the modern cloud enabled collaboration crap. It just seems designed to make my life harder.

I absolutely HATE HATE HATE multiple people being able to edit the same document at the same time. I want everything to be static and controlled.

Up until a few months ago we had an IT department of one guy, who isn't even local on site. Then they hired a guy to help with helpdesk stuff. We are small. We very well may be behind the curve on many things, and that suits me just fine. As far as I am concerned, everything after ~2010 or so has just been negative.

At this point if I had to change, I'd probably quit. I really don't want any of the "innovations" since ~2010.

We hit peak PC in 2007-2010 some time. I'll take faster CPUs/GPUs, faster and larger drives, more cores, etc., but I flat out do not want any of the changes in software since then. I want and expect everything to work as it did in 2010 before the whole tech world lost its goddamned mind.
 
Passwords are becoming irrelevant.
Computing power is to the point where complex passwords with long length can be broken easier and easier every day.
I've told my people at work when they bring on a new hire, if the new hire isn't assigned a phone (only IT people get one), that their options are: install our authenticator app, register a biometric key we assign, or find another job, because they aren't getting on my systems without 2FA.
It's a condition of employment. Want to throw a tantrum about putting an app on your personal phone and don't want to use a biometric device that we know is secure? Then you can work somewhere else. One compromised account can cost a company millions of dollars.
When we started rolling out 2FA several years ago, we had a lot of pushback because people didn't want to put an app on their phone because the company isn't paying for it. They learned the meaning of being a hypocrite when I blocked YouTube, Facebook, and Twitter and they said they only use that when they are at home.
So they think they can use company property for personal use, but I want an app on their phone that rotates numbers.
We try to teach our users the benefits of using 2FA in their personal accounts too.
If you think not signing up for a service or installing an app is stopping companies from being able to track you, I have bad news for you. If you are on the Internet, you can be followed, tracked, databases built about you, marketing records created to track you.
Your only option is to never use the Internet if you don't want to be digitally tracked.
Stick your head in the sand and ignore reality all you want, but the digital world is advancing and you can't stop it. You can only try to keep up and adopt the safest practices.
 

This is an incredibly easy problem to solve with no need for 2FA.

Just introduce a forced delay between logon attempts. Stuff like Fail2ban, but there are many alternatives. Even as little as a second or two is sufficient to make any brute force method practically ineffective. It doesn't matter how powerful of a computer they have on the other end, if they are only allowed one attempt every couple of seconds.

Unless - of course - they are already in your system and have some form of local copies of something allowing them to bypass this restriction, in which case you have already lost anyway.

It is trendy right now to consider 2FA/MFA as the only solution to security, but nothing could be further from the truth, and quite frankly it is getting rather old.

While forcing employees to use their own devices for company purposes may be a violation of employment law in some states (you should maybe talk about this policy with your HR people; you may at the very least have to offer employees financial compensation for the use of their devices, depending on where you are), I don't personally have a problem with it as long as these policies are made abundantly clear to all potential applicants early on in the interview process so you aren't wasting their time. And don't surprise existing employees with new requirements either.
 
2fa is for if someone already has your password. Fail2ban does nothing here. In your scenario if someone has your password you've already lost. Guess what, if you have 2fa and they have your password but don't have your phone then they don't get in. How is that a loss?

I get it that your personal practices likely make you much more secure than the average user, but you seem to be ignorant of the fact that other people aren't as secure as you and that is why things like 2FA are pushed.

I completely agree with a lot of what you are saying but to say something like Fail2ban is a replacement for 2fa is ridiculous. They solve two completely different things.
 
2fa is for if someone already has your password. Fail2ban does nothing here. In your scenario if someone has your password you've already lost. Guess what, if you have 2fa and they have your password but don't have your phone then they don't get in. How is that a loss?

I understand that. It becomes a matter of trust. If people use proper security hygiene, no one will ever have their password.

I have strong passwords. No two passwords are the same anywhere on the internet or on local devices. I have trained myself to never click a link in a text message, email or any other messaging service (always open the web page manually and log in that way)

The chances of someone having my password are close to nil. At that point 2FA just becomes a nuisance.

I get it that your personal practices likely make you much more secure than the average user, but you seem to be ignorant of the fact that other people aren't as secure as you and that is why things like 2FA are pushed.

I totally understand that. it is a least common denominator problem, and because most users - like most people - are total idiots, the rest of us have to suffer the mitigations for the poor practices of the morons.

I completely agree with a lot of what you are saying but to say something like Fail2ban is a replacement for 2fa is ridiculous. They solve two completely different things.

Well, I only brought up fail2ban as Lebowski used a brute force example. It is a very effective tool against brute force attacks, and one which I - quite frankly - don't understand why it isn't universally pre-deployed in every system that takes a password.

All of that said, 2FA solves the problem of someone else having your password, which could happen in a number of different ways. Brute force is one (which the likes of fail2ban completely addresses) but poor security hygiene (reusing passwords, using easily guessable passwords or security reset questions, etc.) and phishing/social engineering are two others which it does not address.

Security hygiene is just a matter of discipline and understanding. As - to an extent - is phishing and social engineering.

I fully recognize 2FA is necessary because most people are idiots. I still hate how it adds to the many inconveniences in my life. And I still will refuse to use my personal devices for 2FA/MFA on work accounts. Even asking for that is inappropriate, IMHO. If you as an organization want to enable 2FA/MFA (which is understandable) you had better provide the hardware, software and service to do so, or GTFO.

I'm not even asking for a company phone. I don't want one. I'd just keep them turned off and inaccessible from work. One of those old school pin pad fobs would do the trick.



There should always be a strict firewall between the personal and the professional. I'm never under any circumstance giving an employer access to (or knowledge of) my social media or other online activities either. Some things are just off limits, and should just be off limits.
 
There should always be a strict firewall between the personal and the professional. I'm never under any circumstance giving an employer access to (or knowledge of) my social media or other online activities either. Some things are just off limits, and should just be off limits.
100% this ^^^^^^^. I carry two phones and two laptops. When I work from home the company laptop is on its own wired network, cannot talk to the rest of my network, and my devices can't talk to it. When I'm at work my laptop is tethered to my phone. Do not cross the streams!!!
 
fail2ban isn't the answer and it would not stop brute force or stuffing, nor is rate limiting the answer to credential stuffing. It isn't as if the attacks come from one IP. fail2ban is a panacea. Good practices should take care of everything before fail2ban comes in; it just adds layers. And I say this from the standpoint that I use fail2ban at home. But let's say my bank used it; I'd close my accounts and go to another bank.

Physical keys still exist, and are past TOTP too! I'd love to see FIDO2 more widespread with physical key requirements.

Passwords and even TOTP really are passe and need to be phased out entirely. I mean, when the U.S. Government identifies weak password and 2FA processes and starts moving to remove them from access privileges to their systems, you have to wonder if they are behind or are you?

All that said, complaining about SAP updating security is crazy to me when their documentation included browser and app based authentication instructions. It's a high value target with high value information in their system. IMHO TOTP 2FA and passwords aren't even enough.
 
All that said, complaining about SAP updating security is crazy to me when their documentation included browser and app based authentication instructions. It's a high value target with high value information in their system. IMHO TOTP 2FA and passwords aren't even enough.

It was appropriate for them to update their security. The way they did it, just kind of springing it on everyone and assuming employees everywhere would either have work phones or be willing to install work stuff on their personal phones, was the problem. I also understand that is partly the fault of our IT department, but we are a small startup with a one-man IT department, so...
 
It was appropriate for them to update their security. The way they did it, just kind of springing it on everyone and assuming employees everywhere would either have work phones or be willing to install work stuff on their personal phones, was the problem. I also understand that is partly the fault of our IT department, but we are a small startup with a one-man IT department, so...

Yeah, if they didn't give a lot of heads up, that sucks. And it makes you wonder about the root of the problem. They had quite a few phishing campaigns using spoofed Concur emails this last summer. I wonder.
 
Think we found the real reason you're so against anything remotely modern when it comes to security.

No. My not wanting work shit on my personal devices does not have anything to do with my admitted relatively limited experience with modern security measures.

I'll admit to having limited knowledge when it comes to the how of these things, because I haven't used them yet. That knowledge comes with actual use

I still know I don't want even a single app on my phone I don't absolutely need, and I will never have one because of work.
 

Your way of thinking is archaic. You're opening yourself up to way too many security risks. Not wanting an app because it holds an OTP code for work? Really? The only thing worse than that is your desire to use SMS as a second factor. Worst possible 2FA ever. I constantly send emails that say "fix your shit" to any important websites I use that only have SMS as 2FA, because it's completely insecure.

If you don't like the cloud then do it yourself. Bitwarden self-host can do passwords and/or OTP. Aegis is an open source Android app that does OTP storage and only does cloud backup if you want it to; otherwise backups are local only. Aegis is what I use and I love it. My Aegis backs up to my phone's Nextcloud folder so it syncs back to my Nextcloud instance. Nextcloud has OTP apps for it as well if you go that route.

If you trust your <insert whatever company here> to do it 100% right well I have a bridge to sell you. I highly suggest you go do a very in depth read on the LastPass hack and everything they did wrong as the list is quite exhaustive and is STILL biting users in the ass. All of their mistakes have cost ~175 users about $40 million in cryptocurrency because their passwords are being cracked.
 
Sorry, I guess the only cell phone I admit to having going forward for work is a non-app-getting flip phone, then. This idea that you as an employee are expected to provide control of personal devices to your employer is a level of 1984-level shit I don't want to be a part of, and I am in IT. There are, and always should be alternatives to requiring an app on a personal device. The value of MFA is undeniable. If the requirement is phone app only, then you better provide that phone. If you won't, then I will have a job someplace that will within a week. Good luck keeping top talent with that sort of attitude.
 
I decided to check it out. Unfortunately SAP / Concur is not listed on their website as a supported service.
Yubikey should work for SAP/Concur and also works with Microsoft. Office is now all cloud based, so there is no getting around the need for online accounts at the enterprise level. While I too miss the old days of everything not needing an account, those days are over, and there are some benefits with how the tools work together now. As for documents being updated at the same time, if you don't want to allow that use a document management system or workflows with check-in/check-out functionality.
 
You haven't been paying attention to the BYOD way the world is going have you? And if the sword you're going to die on is over an app like Aegis having to scan a QR code to give you a 6 digit code then you're in for a rough time ahead I think as remote work continues to pick up steam (for better or for worse).

Now don't get me wrong. I'm not saying they should be able to install Intune and control your personal device. If they lock you into a specific app that you're not already using (MS O365 can do this with the MS authenticator and it's a god awful MFA app IMHO) then they should provide a device if asked. If they require you to have things like Outlook installed they should provide a device if the employee desires that.

I personally don't have a problem with adding another 6 digit code to my MFA app. It's a very small, minor, non-invasive thing that isn't worth fighting over or getting fired over.
 
I use a Yubikey and it does well enough for all the current use cases and avoids personal phone apps. As for BYOD, for where I am that died off due to VDI / DaaS implementation being crap. As for "it's only an app", an app that is in some cases rolled out bundled with things like MobileIron or Intune style remote management. I see forced crossover from professional to personal devices as a slippery slope, so yea, I would likely take a stand. I already do not complain about data utilization (Comcast sucks) for WFH. That said, my manager would probably pay out of pocket to grab me a cheap android to throw the app on and be done with it.
 
Thing of it is, for sites that don't support yubikey etc., you already have something doing the TOTP for you. So the complaints about wah wah I don't want an app are very child throwing a tantrum-esque. I've not been at a company that pushes the app to me - they say "hey we need TOTP, use whatever you're already using and just add one more for this site". Two clicks and a QR code scan later and it's done.

We have exactly zero issue "keeping top talent" here. Zero. Most top talent (actual top - household names in infra, devops, security realms) don't give a shit and cry on the floor about asking to do 2FA via TOTP.

Edit: this is also side-stepping around the entire premise of Work Profile (on Android - I assume iPhone has similar but I don't have one so not sure).
 
Are there any hardware authenticator products, like the old keyfobs our banks used to give us back in the 90's?

In other words, that do the same thing as the authenticator in your phone, but fully separate? No network, no usb, no NFC just type in the key, and have it give you a six digit code when needed? I'd buy that. Typing in the key would be a pain, but that's a one time thing.
 
The problem with the hardware tokens is that one token = one account. That said, there are issues with the soft tokens as well. I just ran into one a few minutes ago. Switching devices, read upgrading phone, resulted in the seed data being declared invalid and the app required me to delete all tokens and re-enroll them. Not an issue on the devices I control, but I could see where this would cause an issue for some people.
 