Our IT department (one part-time guy) finally rolled out the two-factor authentication they've been warning us about for months. At first, they'd emailed everybody that we were going to have to install an app on our personal cell phones (since the company doesn't provide us with phones) to get the code for authentication. I adamantly refused to install an app for work on my personal cell phone. I told the IT guy as much. He'd offered an alternative in the email - that the company would provide a device to give the code instead of using an app. I said I'd rather have that.
I guess they got enough responses from people not wanting to install an app on their personal cell phones that they decided to get a physical token for everyone, at least at our branch. Now when we log in to Windows, an additional window pops up asking us to enter the code. We push the button on the device, a code appears on the LCD screen, and we type it in. There's also a checkbox to not bug us for a code for 10 hours. Which, to me, defeats the purpose of 2FA.
Now, granted, we're pretty lax about security because we're a small branch and there's almost no way a bad actor could access one of our computers without an employee noticing. But say I lock my PC when I go to lunch. Someone walks into my office and sits down at my PC. Somehow, the other employees don't notice. The person somehow gets my Windows password. The 2FA screen pops up. Do they go "aw, shucks" and walk away (like a recent training absurdly seemed to suggest)? Or do they look around for a device with the same logo as the 2FA screen? Oh, there it is in my desk drawer! Push the button, and voila! <the biggest of facepalms>
Honestly, I don't see how this is more secure than our already super-complicated passwords. So complicated most employees write it down on a post-it note or in a notebook stored conveniently close to their PC. It just annoys everyone.