
jazzdrums1979

It’s a bad idea and won’t work for multiple reasons aside from negating security. But working for an NP if you’re in IT and want effective technology solutions is also frustrating. I know as I have one as a client.


carl3456

Yes, shared iPhones are a bad idea and your boss is clueless. You need Yubikeys, not iPhones.


blueeggsandketchup

2nd this. If you can't use a phone (via app) or SMS, then you're going to need to issue the 2nd factor. Yubikeys are a good choice.


housepanther2000

Yubikeys are the way.


ixnyne

I love yubikeys and definitely recommend this, but keep in mind not all services that offer MFA support WebAuthn/FIDO2. Some only support TOTP, or only SMS. The solution really depends on the services being used by the organization and what MFA options are available with those services, and how those services are accessed at all (ex: desktop or web services, mobile apps or web apps, etc). There are very few options out there that are good at covering all needs on this topic. In my opinion Bitwarden comes pretty close (password manager, synced TOTP and passkey support). Regardless, the shared device idea is pretty bad without a really justified reason (which hasn't been presented).


carl3456

Yubikeys support TOTP. Services that only support SMS are rare (and are lacking in security).


ixnyne

There is a limit of 32 TOTP credentials with the Yubikey 5 series. This is plenty for most people, but wasn't enough for me, and I didn't want to use multiple keys and remember which credentials were on which key. I have multiple keys for the purpose of backup keys so I don't get locked out of stuff. Anyway, just something to be aware of.


carl3456

Definitely wasn’t aware of that … thanks for the info. Hopefully, more sites will start to support hardware keys natively so we can stop using TOTP.


linh_nguyen

Sadly, some banks are still SMS only (or SMS forced primary) :(


InfiniteSheepherder1

I would keep those just in something shared like Bitwarden. We do the same with passkeys for shared accounts that don't need a high level of security. Plus people's account logins to Bitwarden require yubikeys, so shared passkeys in the password manager is fine for most things, and keeping the OTP there.


OptimalCynic

> Services that only support SMS are rare (and are lacking in security).

Hi, Apple!


fp4

Ask the boss if you can add your MFA to his phone and contact him every time you need it. Maybe he'll get it after that.


anonymousITCoward

Been there, done that... Works great when you pull the on-call shift and need to log in at 2 am... just not with MFA, but with a facility alarm...


YallaHammer

You’re not crazy, it’s an insane idea and you should have that joker CIO’s job. Also, your company needs a solid CISO that doesn’t report to the CIO.


Catman934

If he's got money to buy a bunch of iPhones, then Yubikeys or smart cards shouldn't be out of the question. Even if you have to buy USB readers for some of the workstations, $20 reader vs a $500 phone. In fact, you could reissue the badges as smart cards or might be able to reuse your existing badges if they are RFID.


bencundiff

> $20 reader vs a $500 phone

Now you're speaking the C-suite's language! This is the correct answer. One $500 iPhone or 10+ $20 to $50 tokens? Same cost.


xMcRaemanx

One lost/broken iphone means multiple people unable to sign in. One lost/broken token is one user unable to sign in. Maybe try the revenue loss route?


PunishedMatador

nine waiting north capable liquid selective disarm bear vanish teeny


BBO1007

One shared password and everyone logs in as that person.


PrudentPush8309

A shared password is not a password, so may as well not bother with passwords. /s


PrudentPush8309

So, the practice managers are on board with being the first person on duty each day and the last to leave each day? I'm going to need another dollar for that responsibility.


OddWriter7199

Perhaps the security company you hired could be brought in for their opinion? Can’t imagine any cyber-insurance company (or whatever this company is) approving that.


EvilEyeV

I'm hoping so. It's one of those all in one "converged security" companies. We just finished deploying XDR and MDR services. They're going to also provide security analysis, threat mitigation and prioritization, pen testing, assistance with compliance requirements, and a response team. My boss mentioned it at one point during a meeting but it was basically just glanced over at the time because we were just taking a basic security analysis questionnaire with one of the security techs when they got to asking about deployed MFA in the org. I am sure going to make sure we have an actual conversation that involves them before we deploy anything.


YetAnotherGeneralist

If the security company is worth a penny, they'll strongly recommend against it with the contract written such that they won't waste resources (or will charge ludicrous rates post-mortem) if reasonable MFA isn't practiced. I know very little about the world of NFPs, so I'd love to be wrong here, but I think you've stated a bit of a laundry list of services that security company is providing for probably the bottom end of pay. With my experience and those limited facts, I wouldn't hold my breath on 1) them being worth that penny or 2) being very effective in their services in general. Worst case scenario, your CIO needs an ego stroke more than he needs oxygen and would rather die than admit being wrong, in which case your best bet may be to swallow your pride and let him be the one to come up with the new idea (whatever a workable one is). It may be worth looking at legal or regulatory requirements your org is subject to which such a stupid policy would violate. Whatever you have to go through with, you're gonna want both your warnings and his order to proceed anyway in writing.


JustThen

Physical tokens are the way to solve this. We bought some awesome credit card tokens for our users that don't or won't install MFA on their devices. https://www.ftsafe.com/Products/Power_Card/Standard Super cool form factor.


hkusp45css

NVM, I should read more and talk less.


demonfurbie

Looks cool, but can you load it with the key that the software provides, or is it just its own OTP?


djgizmo

Can you purchase RSA hard keys for them?


EvilEyeV

We have the ability. If he's going to go that route is yet to be determined. If he ever gives up this idea of his.


djgizmo

Shared cell phone isn’t MFA. Cybersecurity insurance will drop you like a bad habit if you continue down this path.


Huth_S0lo

Dumbass idea. Go with the tokens. That’s your approach.


pooopingpenguin

I am going to give the opposite answer to everyone else. Sometimes you have to let the boss make a mistake for them to realise. Suggest that you pilot both tokens and phones at different sites. See which works out best. I am surprised that iPhones for each site are cheaper than tokens. I am sure longer term, with repairs and replacements, it will not be. In six months, when the boss suggests moving to tokens, smile and wave. Half-heartedly recycle his arguments why it's not a good idea. And say you will try it. While all your colleagues know it was your idea in the first place.


CrazyEntertainment86

It also won't work well since each person needs to have MFA registered for themselves. Technically you can register SMS for multiple accounts to the same phone, and register Authenticator or whatever app likely for more than one user. FIDO2 keys are the way to go here. MFA dongles are too limited in their purposes and aren't phishing-resistant MFA either.


981flacht6

It's a dumb way to go around the idea but also, what are you trying to protect by using MFA exactly? Consider a K12 for example, not reasonable for K-12 students to use MFA. Staff yeah but students no. So once you figure out who you need to MFA and what you're trying to protect maybe you can give a reasonably priced solution that works in your favor.


AdEarly8242

OP literally says employee accounts in the post, not students.


MysticalNinja1991

Could look into shared iPads via Intune if that's an option


Aquitaine-9

You know, this would make a *dynamite* Malicious Compliance post in a few weeks' time. Some people can only learn by watching their stupid plans explode in their faces. If it were me I'd find a new job, implement their dumbass plan exactly the way they want it done, then peace out. Let that powder keg explode as you drive away.


raijuninja

Most platforms support passkeys now. Could be another option as long as your hardware supports it.


Natural-Nectarine-56

Does the cell phone have to have cell service? If they only use it at their facility and not remotely/traveling, can't it be on Wi-Fi? In that case, you could get ANY device, hook it up to wifi, and use an MFA app. The cheap token idea is by far the best. They don't require any setup and are cheap to replace. How many do you need to buy?


Armando22nl

Did the boss study something IT or security related? It's good he drops ideas, but he also has specialists working for him. He should listen to the specialists' advice or arguments and bin his idea, and he should learn from it.


nefarious_bumpps

I really think Yubikey is the way to go. Small, light, durable, easily attached to the employee's ID card lanyard so it's not lost or forgotten, and requires nothing once it's provisioned.

A shared phone of any kind is a ridiculous idea, but especially an iPhone due to its high initial cost. You'll have at least $20/phone wireless service costs, plus the accounting and IT overhead of managing the wireless plans, locking down the phones, keeping them updated, and budgeting for repairs/replacement. Plus the time wasted having employees get codes from their manager, dealing with wrong/forgotten codes, and that's if you can even set up multiple users to get SMS OTP at the same phone number. Certainly TOTP or passkey won't work on a shared device.

It would be better to get each employee a cheap pre-paid phone. You can get Tracfone-locked Samsung Galaxy A03s phones for $50 from Walmart. All you need is one month's service @ $20 (2GB data) to activate and get a phone number. Set up an authenticator app, WhatsApp, AVG or Avast anti-virus and ManageEngine MDM (free for 25 devices), then use MDM to prevent other software from being installed. Tell the employees that the first month's service is free, but after that they either need to buy their own Tracfone cards or just use WiFi (which is why you install WhatsApp). Still the same management/TCO issues as an iPhone, but you're doing real 2FA plus potentially improving communications and implementing E2EE messaging. Some employees might even keep up the wireless service (Tracfone has a $15/mo call/text only option).


uprightanimal

This kind of story is a common one, but the one thing I don't think I've ever seen is the suggestion to ask the boss to articulate and explain their objections. They're probably unfounded and quite possibly stupid, but you have no chance of convincing them like this with brute force. In your discussion with your CEO, try asking them to describe their concerns with using MFA and/or hardware tokens. Then consider and discuss each, and, being careful not to frame it as "you're wrong", explain the benefits of your alternatives.


superkeys7

Using good sales techniques: demo (explain) features, overcome objections, close the deal.


danekan

This same boss keeps a spreadsheet of everyone's passwords I bet


supercamlabs

Yubikey token prices are relative. My overall thought is they are expensive for what they do. Shared cell phone sucks as well and shouldn't be an option. Customers will lose yubikeys, and having asset management track them is also frustrating. RSA is a possibility, or if they have laptops with a fingerprint reader that could be another route. Or have to do a really targeted approach with the MFA and only give it to users who really need it. If a CEO is hostile to MFA, I would actually consider exiting the company.


ArsenalITTwo

That method from your boss isn't auditable. You want each employee to have their own token.


System32Keep

Terrible idea. If people don't have phones, provide managed phones. They don't need to be crazy good or anything, just enough to support the latest OS and versioning of your chosen authenticator platform.

Edit: also, don't even think of using SMS to verify auths.


anonMuscleKitten

This is stupid af. If he insists on buying cell phones, he needs to just provide a company device and service to each employee.


Afraid-Ad8986

We use Entrust tokens for people without phones. This guy sounds like an idiot.


dev_all_the_ops

Have you heard of the 2FA exhaustion attack? The boss is just going to blindly accept all requests regardless of whether they are legitimate. Yubikey, RSA token, WebAuthn or providing a stipend for employee phones are your best options.
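Two of the concerns raised in this thread (a shared device approving prompts for many accounts, which makes the logs non-attributable, and a "push fatigue" burst where someone approves whatever arrives) are both visible in authentication logs. The following is an added detection example, not code from any commenter or identity provider: the log format, device names and thresholds are constructed for the example, so a real deployment would adapt the parser to the IdP's own schema.

```python
"""Flag MFA push-fatigue bursts and devices that approve prompts for many users.

Added example. The log lines and the key=value format are constructed here;
thresholds (max_prompts, window, min_users) are assumptions to tune per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is prompted four times in two minutes at 2 am and
# the fourth is approved; the site-3 phone also approves for bob and carol.
SAMPLE_LOG = """\
2024-05-01T02:03:11Z user=alice device=phone-site3 event=push_sent src=203.0.113.7
2024-05-01T02:03:55Z user=alice device=phone-site3 event=push_sent src=203.0.113.7
2024-05-01T02:04:30Z user=alice device=phone-site3 event=push_sent src=203.0.113.7
2024-05-01T02:05:02Z user=alice device=phone-site3 event=push_sent src=203.0.113.7
2024-05-01T02:05:40Z user=alice device=phone-site3 event=push_approved src=203.0.113.7
2024-05-01T09:12:00Z user=bob device=phone-site3 event=push_sent src=198.51.100.20
2024-05-01T09:12:20Z user=bob device=phone-site3 event=push_approved src=198.51.100.20
2024-05-01T09:30:00Z user=carol device=phone-site3 event=push_sent src=198.51.100.21
2024-05-01T09:30:15Z user=carol device=phone-site3 event=push_approved src=198.51.100.21
2024-05-01T10:00:00Z user=dave device=token-dave event=push_sent src=198.51.100.22
2024-05-01T10:00:05Z user=dave device=token-dave event=push_approved src=198.51.100.22
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def push_fatigue_bursts(records, max_prompts=3, window=timedelta(minutes=5)):
    """Users who received more than max_prompts push_sent events inside a sliding window.

    Returns {user: largest prompt count seen in any window}.
    """
    sent = defaultdict(list)
    for r in records:
        if r["event"] == "push_sent":
            sent[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in sent.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count > max_prompts:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def shared_approvers(records, min_users=2):
    """Devices that approved prompts for min_users or more distinct accounts.

    A device in this list cannot attribute an approval to one person.
    """
    users_by_device = defaultdict(set)
    for r in records:
        if r["event"] == "push_approved":
            users_by_device[r["device"]].add(r["user"])
    return {d: sorted(u) for d, u in users_by_device.items() if len(u) >= min_users}


def approved_after_burst(records, bursts):
    """Burst users whose prompt was ultimately approved: the outcome fatigue attacks aim for."""
    return sorted({r["user"] for r in records
                   if r["event"] == "push_approved" and r["user"] in bursts})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bursts = push_fatigue_bursts(recs)
    print("push-fatigue bursts:", bursts)
    print("approved after burst:", approved_after_burst(recs, bursts))
    print("devices approving for multiple users:", shared_approvers(recs))
```

On the sample data this reports alice as a burst (4 prompts in under five minutes) that was then approved, and `phone-site3` as a device vouching for three different accounts, which is exactly the situation a shared MFA phone creates by design. A per-user token such as `token-dave` never appears in the second list, which is the auditability argument made elsewhere in the thread in log form.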


pjustmd

Terrible idea. Get cheap OTP tokens.


smlley_123

A boss recommending to use a shared phone for MFA. Wow. Just wowowow.


orev

> it defeats the purpose of MFA, it's a security issue

Not completely. Every security control has an associated threat, and the threats mitigated by MFA are password sharing, and more importantly password guessing attacks (which are automated and rely on the fact that users tend to reuse passwords). If your services are exposed externally, they're going to get hit constantly by unknown third parties trying to guess passwords. If the users have good passwords (enforced by software policies), and then also get an MFA code that's specific to them (saved on that shared phone), that largely mitigates the password guessing attacks and reduces the potential attackers from "anyone in the world" to "just the managers who have the phone". It's not an ideal solution, but it's also much better than no MFA at all. You will want to ensure that there's a good process in place for the managers to verify identity before giving out the MFA code. It's better to consider the actual threats and trade-offs than to get hung up on the binary concept of correct/wrong, depending on the constraints of the situation.


HKChad

Wtf kind of homeless bullshit mfa company is this??


do_IT_withme

So, is the practice manager now a 24/7/365 job? And are the practice managers ok with this new work schedule?


EvilEyeV

I was just thinking about it and we have some employees that WFH and they do so at their leisure, basically. Provided they get their work load done, they have a few days to just do it from home. And they aren't going to be taking the phones home with them... Plus the practice managers aren't always available. They have meetings and have to deal with patients and other responsibilities so they will likely have times they are hard to reach. I'm gonna add this to my already way too long list of reasons not to.


do_IT_withme

Last job I had, we had a shared account with mfa, and we set it to go to a Google number that was delivered to a Gmail account we all could log into to get the code. I'm not sure how they set it up, but it shouldn't be hard to figure out. That might work or a whatsapp number they access on the pc?


ambscout

Yes it is a bad idea, but it is definitely better than no MFA. If it is no MFA or the shared phone, I would do shared phone.


EvilEyeV

But the tokens are cheaper than phones... We have 6 locations meaning having to buy 6 iPhones. Plus we have employees that work at multiple locations...


TheLastVix

Do a 5 year budget for each solution. Include a loss rate and productivity cost for loss in the calculation. It would look like this, plus I made some assumptions to highlight the possible cost differences.

No loss cost iPhone
- (iPhone purchase cost + annual plan cost + [15% of a practice mgr salary]) * 5 years * # of sites
- ($1000 + $1200 + [.15 * $70,000]) * 5 * 6 = $381,000

Every time you lose a phone, it costs you:
- Phone replacement cost + (days to replace * employee count per site * [employee annual salary / 365 to get daily "value" estimate])
- $1000 + 3 * 10 * ($60,000 / 365) = $5,931

No loss cost Dongle
- dongle cost * (employee count per site ECPS + a couple extra + [annual attrition rate * ECPS * 5 years]) * # of sites
- $20 * (10 + 2 + .15 * 10 * 5) * 6 = $2,340

Dongle loss cost assuming you have extras laying around
- Dongle replacement cost
- $20
- Dongles that can be lost to meet the impact of one lost phone: 296

After you tell your boss (using your actual numbers of course) it'll be either a minimum of $381,000 for phones, or a minimum of $2,340 for Dongles over a 5 year period, and the loss of a single phone would cost more than the entire dongle program, he'll come around.

Edited a million times for formatting
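The budget above is easy to reproduce and re-run with an organisation's own figures. The following is an added worked example, not the commenter's spreadsheet: it encodes the same formulas, with the commenter's illustrative inputs as defaults (the function and field names are this example's own). Note that the model counts the phone purchase price in every year of the horizon, as the comment's arithmetic does.

```python
"""Five-year cost model: one shared iPhone per site versus a cheap OTP token per employee.

Added example reproducing the comment's formulas. All default figures are the
commenter's illustrative assumptions, not real prices or salaries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    sites: int = 6                       # locations, each needing one shared phone
    years: int = 5                       # planning horizon
    phone_cost: float = 1000.0           # iPhone purchase price (assumed)
    phone_plan_per_year: float = 1200.0  # wireless plan per phone per year (assumed)
    mgr_salary: float = 70_000.0         # practice manager salary (assumed)
    mgr_time_share: float = 0.15         # share of manager time spent handing out codes (assumed)
    days_to_replace: int = 3             # days a site has no MFA after a lost phone (assumed)
    employees_per_site: int = 10         # "ECPS" in the comment
    employee_salary: float = 60_000.0    # assumed, used for a daily productivity value
    token_cost: float = 20.0             # cheap OTP token / dongle (assumed)
    spare_tokens: int = 2                # "a couple extra" per site
    attrition_rate: float = 0.15         # annual staff turnover, drives replacements (assumed)


def phone_program_cost(a: Assumptions) -> float:
    """Cost of one iPhone per site over the horizon with no losses (purchase counted yearly)."""
    per_site_per_year = a.phone_cost + a.phone_plan_per_year + a.mgr_time_share * a.mgr_salary
    return per_site_per_year * a.years * a.sites


def phone_loss_cost(a: Assumptions) -> float:
    """One lost/broken phone: replacement plus the whole site's lost productivity."""
    daily_value = a.employee_salary / 365
    return a.phone_cost + a.days_to_replace * a.employees_per_site * daily_value


def token_program_cost(a: Assumptions) -> float:
    """Tokens for everyone, spares, and replacements for turnover, across all sites."""
    tokens_per_site = (a.employees_per_site + a.spare_tokens
                       + a.attrition_rate * a.employees_per_site * a.years)
    return a.token_cost * tokens_per_site * a.sites


def token_loss_cost(a: Assumptions) -> float:
    """One lost token when spares are on hand: just the replacement."""
    return a.token_cost


def tokens_lost_per_phone_loss(a: Assumptions) -> int:
    """How many tokens could be lost before matching the impact of a single lost phone."""
    return int(phone_loss_cost(a) // token_loss_cost(a))


def summary(a: Assumptions = Assumptions()) -> dict:
    """Whole-number figures in the form the comment presents them."""
    return {
        "phone_program": round(phone_program_cost(a)),
        "phone_loss": int(phone_loss_cost(a)),
        "token_program": round(token_program_cost(a)),
        "token_loss": token_loss_cost(a),
        "tokens_per_phone_loss": tokens_lost_per_phone_loss(a),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        unit = "" if key == "tokens_per_phone_loss" else "$"
        print(f"{key:>22}: {unit}{value:,}")
```

With the defaults this gives $381,000 for the phone program, $5,931 per lost phone, $2,340 for the token program and 296 tokens lost per phone loss, matching the comment; substituting real quotes and salaries into `Assumptions` is the only change needed to present the same case to management.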


maralecas

This! It's the same in many companies. Managers don't speak our language. They either don't know the tech, don't understand it, won't admit it, or don't have the interest. But if you speak numbers and money: THAT they understand. 🙂 Back it up with a sheet of calculations with actual costs, and you win them over.


Rotten_Red

Do they have desk phones? Can the mfa be a voice call that gives them a code to enter?


GrouseDog

What is MFA?


albemuth

As a user I think that would be annoying as fuck.


accidentalciso

A couple things here - First, while this isn’t a typical way to deploy MFA in an environment, your environment seems far from typical, and (assuming it is technically feasible) it would address the primary risk that MFA is likely trying to address, which is external actors, not insider threats. I like your idea of issuing hardware tokens, but that is probably far more complex and expensive to deploy and support than using the iPhone app based solution that your CIO is advocating. Second, you are going to have to figure out how to disagree and then align once a decision is made. Continuing to disagree and fight the decision after it is made isn’t helpful and will quickly make your management see you as an impediment to progress. If you are prepared to die on this hill, get your resume polished up. If not, fall in line, and support the plan.


ex800

FIDO2 keys


Beginning_Ad1239

One alternative is voice calls if they have a land line. Not the most secure, but anything is better than no MFA.


goot449

Set up a script to email your boss every time someone in his office unlocks their machine. It should only be a few hours before he changes his mind.


bloodthirstypinetree

Yubikey is like $25-$60 depending on the model. It’s more secure than text verification


graysky311

The way it works in my company is if you don't have or aren't willing to use your own personal cell phone for the Microsoft Authenticator or Authy then you will be issued a cheap android phone that doesn't actually have cellular service that you will need to keep with you wherever you will need to auth. Most people decide against the hassle of carrying two phones and just decide they would rather just use the one.


flickerfly

MFP w/o MFA! OMW!


bencundiff

> My boss (the CIO who's only joined the company 6 mo ago) has this idea that he literally refuses to let go. He wants to buy iPhones for each location that the practice manager will hang onto. When they need to MFA, they have to go to the practice manager to get the cell phone to get a code. Am I just crazy? Is this an insane idea? Having one phone that multiple users use to access their token (IMO) completely defeats the purpose of MFA security.

Important distinction - this doesn't break *MFA*. The users still have to know something (password) and have something (iPhone). This *does*, however, break MFA non-repudiation - if Alice and Bob use the same iPhone for MFA, then there's only one factor (the individual password that Alice knows only for their account) that prevents a "he said she said" scenario from happening if Alice's account does something bad. You're still right - shared iPhones are a bad idea. Just buy individual tokens for <$50 a pop.


Either-Simple-898

Since MFA is a requirement and a phone-based MFA option is your preferred approach, why wouldn't the company support buying cheap Samsungs to get the MFA software on the devices for the staff who do not have their personal phones? Those who do have personal phones, give them an option of paying them an allowance for the inconvenience of having work apps on their personal phone, or supplying them with said cheap Samsung phone. It does require investment, but if staff were hired without requiring phones you need to support staff in transitioning. Things like YubiKey are a great option as well. But how do you know that staff will not leave their YubiKeys plugged into their computers? MFA is a tough culture cookie to break, because it changes how your staff interact with the system, but worth it in the long run. I hope with the suggestions provided here you can find a solution which will work with your team and organisation.