I really want us to use some type of hardware key, such as YubiKey, but the price of entry is pretty high, so it's a hard sell.
I think what we've landed on is having employees use a TOTP app of their choosing, but we're going to start pushing for JumpCloud Protect as it rolls out to RADIUS and other applications. That being said, I think that even when using JC Protect you need to have a traditional TOTP system in place.
Yeah, I'm all in on JumpCloud Protect, but I know we will have some users who refuse to use their own equipment to log in to their work devices. YubiKey has a TOTP manager, but you need to be booted into the OS in order to load it. YubiKey can also function as a smart card, but Jamf does not support that as a way to log in to the OS.
I've heard a lot of SysAdmins say they have employees who refuse to use personal equipment for work stuff, and it's always intrigued me because we've never had that issue before. Laptops, sure, but we've never not offered an employee a laptop (and for certain teams & roles we force them to use a company laptop due to client contracts). Phones, we've never had anyone even ask for a work-issued phone.
I think that with Android and iOS both offering "segregated" profiles, one for personal and one for work, that might help with this conversation. But I can still see employees saying that they refuse.
A few ways around this: Offer a cell phone stipend and say, "Hey, we understand you will need to use your phone for some work stuff. To help with that, we have a stipend."
Offer company phones (nightmare)
Look at authentication outside of the phone. Things such as biometrics or hardware would be great. But then there is the question of "what happens if you lose the key?" Then there is a backup of TOTP, lol, which requires an app on their phone to generate a code.
Personally, I can see the concern with having company data on your phone. An app that generates codes and keys to access your work computers isn't the same however. I think it comes down to just not understanding the tech and having fears of "big brother" type stuff. Which I 100% agree with.
@BenGarrison thank you for the detailed response. We're not opposed to a nominal hardware cost for employees that require it, but I'm concerned about creating ongoing stipends or managing company phones for the reasons you mentioned. Perhaps an iPod Touch for $199 apiece is the solution for the few holdouts?
Overall though, the issue would be fixed for us if JumpCloud at Login on macOS and Windows could use smart card or WebAuthn keys such as YubiKey. Then we could cover all of our bases, even with the downsides of a piece of hardware that may fail or become lost.
I'm dealing with this at a client site right now. 2 people absolutely WON'T load anything onto their phones. OK, fine, not the hill I'm going to die on. But what do I use instead? Also, what if an employee doesn't have a phone, or only has a 'dumb' phone? Or even more basic, like it got stolen or broken and we just need a fix "for today"?
I'm also not a fan of subsidizing phone plans. It makes less and less sense as tech advances, especially when the emps are using the wifi all day on their personal devices and I have to size up the LAN/WAN to accommodate it already... that's not free either! Plus the security and traffic management overhead, the cell repeaters I've put in at some locations, etc. Why are we paying for their cell phone bill, too? Does anyone even still get billed per message or minute?
We just started using YubiKey 5C NFCs for key staff. 🔑4️⃣🔑 They're great and cover securing our key platforms. If the cost seems prohibitive, consider only getting a few for users with the most privileged access or highest risk. JC Protect or other Authenticator apps for everyone else. Google, Raivo, LastPass, etc.
I have been selling YubiKeys to many of my client companies. They are phish-proof and easy to use. As for cost, 2 keys (a 5 Nano and a blue Yubi Security Key) go for around $75 per user, which is not exorbitant when considering a breach due to inferior two-factor methods. I had that sort of phishing attack on a client and one user fell for it. Their M365 account was taken over and started sending out malware to everyone in their contact list. It was lucky that the hacker blew the link to the malware, so no one got infected. The company moved to security keys the next day.
Also, in August of this year 130 organizations were hit with a massive phishing attack. The size of the attack is amazing, but what is really amazing is that the ONE company that was NOT compromised was Cloudflare. Why did Cloudflare not get compromised? Because they use security keys!
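The "phish-proof" claim above rests on a specific mechanism: a WebAuthn/FIDO2 assertion is bound to the origin the browser actually loaded and to the relying-party ID the key was registered for, and the relying party checks both. The following added example (not from this thread, not Cloudflare's or Yubico's code) shows those relying-party checks in plain Python on constructed `clientDataJSON` and `authenticatorData` values. Signature verification with the registered public key is left out; in a real deployment it covers `authenticatorData || SHA-256(clientDataJSON)`, which is what makes the fields checked here tamper-evident. The hostnames are placeholders.

```python
import base64
import hashlib
import hmac
import json
import os
import struct


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, expected_rp_id: str,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn 'verifying an authentication assertion'
    procedure, minus the signature step. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is per-login and single-use, so a replayed assertion fails here.
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # The browser fills in origin from the page it actually loaded; a page on a
    # lookalike domain cannot claim the real origin.
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes: SHA-256 of the RP ID the authenticator scoped the credential to.
    rp_id_hash = authenticator_data[:32]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(expected_rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP: user presence (the touch on the key)
        return False, "user presence flag not set"
    return True, "ok"


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Build a minimal authenticatorData as an authenticator would for an assertion.
    0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser serialises into clientDataJSON; origin comes from the browser,
    not from the page's JavaScript."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


# Constructed scenario: the real login origin and a lookalike proxy domain.
RP_ID = "example.com"
REAL_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.example.com.evil-proxy.test"
CHALLENGE = os.urandom(32)
AUTH_DATA = make_authenticator_data(RP_ID)


def demo() -> dict:
    legit = check_assertion_binding(make_client_data(REAL_ORIGIN, CHALLENGE), AUTH_DATA,
                                    REAL_ORIGIN, RP_ID, CHALLENGE)
    relayed = check_assertion_binding(make_client_data(LOOKALIKE_ORIGIN, CHALLENGE), AUTH_DATA,
                                      REAL_ORIGIN, RP_ID, CHALLENGE)
    replayed = check_assertion_binding(make_client_data(REAL_ORIGIN, os.urandom(32)), AUTH_DATA,
                                       REAL_ORIGIN, RP_ID, CHALLENGE)
    return {"legit": legit, "relayed": relayed, "replayed": replayed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

Compare this with a TOTP code, which carries no information about where it was typed: the relying party can check that the six digits are right, but not that they were entered on the real login page. That difference, not the key's form factor, is what the Cloudflare anecdote illustrates.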