I really want us to use some type of hardware key such as YubiKey, but the price of entry is pretty high, so it's a hard sell.
I think what we've landed on is having employees use a TOTP app of their choosing, but we're going to start pushing for JumpCloud Protect as it rolls out to RADIUS and other applications. That being said, I think that even when using JC Protect you need to have a traditional TOTP system in place.
Yeah, I'm all in on JumpCloud Protect, but I know we will have some users refuse to use their own equipment to log in to their work devices. YubiKey has a TOTP manager, but you need to be booted into the OS in order to load it. YubiKey can also function as a smart card, but Jamf does not support that as a way to log in to the OS.
I've heard a lot of sysadmins say they have employees who refuse to use personal equipment for work stuff, and it's always intrigued me because we've never had that issue before. Laptops, sure, but we've never not offered an employee a laptop (and for certain teams and roles we force them to use a company laptop due to client contracts). Phones, we've never had anyone even ask for a work-issued phone.
I think that Android and iOS both offering "segregated" profiles, one for personal and one for work, might help with this conversation. But I can still see employees saying that they refuse.
A few ways around this... Offer a cell phone stipend and say, "Hey, we understand you will need to use your phone for some work stuff. To help with that, we have a stipend."
Offer company phones (nightmare).
Look at authentication outside of the phone. Things such as biometrics or hardware would be great. But then there is the question of "what happens if you lose the key?" Then there is a TOTP backup, lol, which requires an app on their phone to generate a code.
Personally, I can see the concern with having company data on your phone. An app that generates codes and keys to access your work computers isn't the same, however. I think it comes down to just not understanding the tech and having fears of "big brother" type stuff. Which I 100% agree with.
@BenGarrison thank you for the detailed response. We're not opposed to a nominal hardware cost for employees that require it, but I'm concerned about creating ongoing stipends or managing company phones for the reasons you mentioned. Perhaps an iPod Touch at $199 apiece is the solution for the few holdouts?
Overall, though, the issue would be fixed for us if JumpCloud at login on macOS and Windows could use smart card or WebAuthn keys such as YubiKey. Then we could cover all of our bases, even with the downsides of a piece of hardware that may fail or become lost.