Microsoft Two Step Verification Code

Original Post:

positiveenergy

Free Member
May 15, 2007
Hi guys

Just want to check if I am being given the correct information. The email IT support company I use say the only way my employees can access their Outlook emails on the company desktops is by having a code sent to their personal mobile phones first to complete the 2 step authentication so they will have to provide their personal mobile number. Am I being given the correct information? Thanks for any advice.
 

Daybooks

Business Member
    Sep 29, 2017
    You are possibly being given the correct information if that is how the access has been set up. However it is your Company and how you want to set it up must be your decision. The approach is not mandatory. If you want two factor authentication there are numerous methods which would not require personal mobile phone numbers. If you did go down this route then it would be your responsibility to ensure your IT support company had adequate GDPR systems in place; something you may not be able to satisfactorily ascertain, especially if you do not know how it is being stored and who would have access to it. You may of course get refusal from staff members. If your IT says it’s mandatory then leave them; at which point the requirement suddenly will not be mandatory. It’s your decision.

    positiveenergy

    Free Member
    May 15, 2007
    Thank you very much for taking the time to reply. I appreciate it.

    Alcom IT

    Free Member
    Jan 27, 2021
    Buckinghamshire
    If you’re using Office 365, Microsoft have started automatically rolling out enforced two factor authentication.

    Too many staff just aren’t trained in password strength properly and too many accounts are getting hacked just because the passwords are easily guessed.

    However, you can choose how the two factor is set up. For example we set it up so text messages are sent instead of requiring an Authenticator app. This is better for staff that don’t have a company mobile phone. They usually don’t mind a text but object to installing apps.

    Also we sometimes set it up so your physical office doesn’t require two factor. If you have a fixed IP address you can designate your office as a trusted location.

    Two factor is a very very good idea but if it’s not set up properly it can be a royal pain!

    Not all IT companies are created equally so it would be worth you reviewing your current IT company to see if they are working in your best interest.

    Newchodge

    Moderator
    Business Listing
    Nov 8, 2012
    Newcastle
    Sending staff a text will still mean they have to give out their private phone numbers.

    Alcom IT

    Free Member
    Jan 27, 2021
    Buckinghamshire
    Only during the initial setup. Once it’s done they shouldn’t be prompted ever again unless they are outside the office or setting up a new computer for the first time.

    Two factor is not used at every logon. Only when the login seems unusual.

    So if the network is set up correctly there should not be any need to get their phones out other than for the very first set up.
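The "trusted location" and "only when the login seems unusual" behaviour Alcom IT describes above is configured through Entra ID Conditional Access; the following is an added example (not code from this thread or from any poster) that uses the Microsoft Graph PowerShell SDK to mark a fixed office IP as a trusted named location and require MFA from everywhere else. The location name, the IP address and the break-glass account id are placeholders, and it assumes the Microsoft.Graph module is installed and the signed-in admin can write Conditional Access policies.

```powershell
# Added example, not from the thread. Placeholders: display names, the /32 office
# address (203.0.113.10 is documentation space) and the break-glass object id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Office public IP as a *trusted* named location. A fixed IP is a prerequisite:
#    a dynamic ISP address would silently drop the office out of the exclusion.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Head office (fixed IP)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }
    )
}

# 2. Policy: all users, all cloud apps, MFA required, except sign-ins from the
#    trusted office location. Created in report-only mode first so the sign-in
#    log shows who *would* be prompted before anyone is locked out.
$policy = @{
    displayName   = "Require MFA except from head office"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: object id of an emergency-access (break-glass) admin
            excludeUsers = @("00000000-0000-0000-0000-000000000000")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only until the sign-in log shows only the expected off-site users being prompted, then change `state` to `"enabled"`; keep the break-glass exclusion so a change of office IP cannot lock administrators out.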

    Ozzy

    Founder of UKBF
    UKBF Staff
    Feb 9, 2003
    Northampton, UK
    bdgroup.co.uk
    To give the OP options, as an employer I do require staff to use their personal mobile phones for 2FA but we require them to install a 2FA app of their choice to use - and recommend to them that it is good practice to do so for all their personal Apps and we as a business will allow them to use the app they choose for their own stuff... meaning they don't need to install anything special or different for their work.

    I choose to see it as educating my staff to secure their personal accounts and align their work 2FA with that.

    Newchodge

    Moderator
    Business Listing
    Nov 8, 2012
    Newcastle
    I am afraid I believe it is very poor employment practice to require staff to use their personal property for your business.

    Ozzy

    Founder of UKBF
    UKBF Staff
    Feb 9, 2003
    Northampton, UK
    bdgroup.co.uk
    I know that some may see it that way, but equally I cannot viably supply all my staff with a mobile phone for them to have 2FA so it's what I do and I can live with that. 2FA is something everyone should be using in their personal lives anyway so should have these apps on their phones anyway.

    Nico Albrecht

    Free Member
    Business Listing
    May 2, 2017
    Belfast
    data-forensics.co.uk
    Not having 2FA in place in 2023 is a big no-no. It's downright crazy to run systems like 365 or Google Workspace without it, especially when customer data is involved. If your IT team is only now starting to push for it because Microsoft made it mandatory, they deserve to be fired on the spot. You need a company that actually cares about security. It doesn't matter where the 2FA code goes; the real problem is that you neglected basic security measures for your business, and your IT team isn't up to the task of protecting it.

    For smaller businesses, using the manager's phone is usually sufficient, while larger businesses can explore smart cards and other solutions. Even using a business landline phone to receive a code is better than nothing. However, operating without 2FA is reckless and puts your business at risk. There should be consequences for that, including fines, for businesses that continue to operate without 2FA in 2023.

    rant over!

    Newchodge

    Moderator
    Business Listing
    Nov 8, 2012
    Newcastle
    I wasn't suggesting operating without it.

    positiveenergy

    Free Member
    May 15, 2007
    Very helpful. Thanks!

    fisicx

    Moderator
    Sep 12, 2006
    Aldershot
    www.aerin.co.uk
    I’ve been looking at Authenticator apps and I apparently need a Microsoft or Google account or have to pay a monthly fee.

    I have neither account types and don’t really want to have to pay.

    I use O365 about once a month so it all seems a bit of a faff.

    Kerwin

    Free Member
    Dec 1, 2018
    Get them all a Yubikey. That is the best 2FA you can get regarding price versus performance.

    david0000

    Free Member
    Mar 27, 2023
    I've clients using a dedicated text-number on which to receive the 2FA codes. Depending on the implementation the 2FA can then be auto forwarded to the user by email, SMS or an API call. This way the company keeps control of the number the codes are being sent to.

    PeterTaylor

    Free Member
    Nov 10, 2023
    As above, you don't need to provide personal numbers. I use my own number for all accounts to stop this issue.