2FA - when required by your vendors, do you stipend your staff?

Dashrender

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

The best option would be a PC based token.

I just found https://winauth.com/

Now the question is, does it break something you have, something you own, something you are?

I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?

Been using Winauth for some time now, and it is very good option. But if it can be also installed on mobile that is extra security, cause if the machine gets formatted or the app gets uninstalled then you no longer can login. or you also need record the secret key that generated the time based codes, perhaps in Keepass and backup that.

Hint: there is plugin that allows keepass to access DB files stored in linux servers via SSH.

I heard a conversation about this, the idea of keeping your secret 2FA keys in Keypass/Lastpass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just use those keys to load up into one of the authenticator apps and away they go.

So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in password manager. Realistically, they should be printed and kept offline only.

For me the concept of losing an account is scary, meaning I dont want to lose my gmail account cause I lost piece of paper, thus I treat it as password.

In that case, why have 2FA then?

Frankly, sure you're a little better off, but if your vault to compromised, literally everything is.

Emad R

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

The best option would be a PC based token.

I just found https://winauth.com/

Now the question is, does it break something you have, something you own, something you are?

I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?

Been using Winauth for some time now, and it is very good option. But if it can be also installed on mobile that is extra security, cause if the machine gets formatted or the app gets uninstalled then you no longer can login. or you also need record the secret key that generated the time based codes, perhaps in Keepass and backup that.

Hint: there is plugin that allows keepass to access DB files stored in linux servers via SSH.

I heard a conversation about this, the idea of keeping your secret 2FA keys in Keypass/Lastpass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just use those keys to load up into one of the authenticator apps and away they go.

So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in password manager. Realistically, they should be printed and kept offline only.

For me the concept of losing an account is scary, meaning I dont want to lose my gmail account cause I lost piece of paper, thus I treat it as password.

In that case, why have 2FA then?

Frankly, sure you're a little better off, but if your vault to compromised, literally everything is.

It depends I guess, my worries if I am gona do this to users, maybe cause I am custom to deal with very I.T bad people. I worry that the account will be inaccessible all the time cause they lost the 2FA so thus I have to record it somewhere. My users forget their login password all the time, I have to reset it they dont know how to reset it. so it depends. for me I like to keep records somewhere always.

Dashrender

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

The best option would be a PC based token.

I just found https://winauth.com/

Now the question is, does it break something you have, something you own, something you are?

I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?

Been using Winauth for some time now, and it is very good option. But if it can be also installed on mobile that is extra security, cause if the machine gets formatted or the app gets uninstalled then you no longer can login. or you also need record the secret key that generated the time based codes, perhaps in Keepass and backup that.

Hint: there is plugin that allows keepass to access DB files stored in linux servers via SSH.

I heard a conversation about this, the idea of keeping your secret 2FA keys in Keypass/Lastpass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just use those keys to load up into one of the authenticator apps and away they go.

So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in password manager. Realistically, they should be printed and kept offline only.

For me the concept of losing an account is scary, meaning I dont want to lose my gmail account cause I lost piece of paper, thus I treat it as password.

In that case, why have 2FA then?

Frankly, sure you're a little better off, but if your vault to compromised, literally everything is.

It depends I guess, my worries if I am gona do this to users, maybe cause I am custom to deal with very I.T bad people. I worry that the account will be inaccessible all the time cause they lost the 2FA so thus I have to record it somewhere. My users forget their login password all the time, I have to reset it they dont know how to reset it. so it depends. for me I like to keep records somewhere always.

Then keeping a paper copy couldn't be hard for you. home safe/safety deposit box, heck filing cabinet at home.

As for your users, if you're managing the system, you'll have reset options in place to assist resetting 2FA when needed.

While people lose phones all the time, individually, it doesn't happen all that often. Combine that with the need/desire to secure access to systems/data, the risk is normally worth it.

If you have a keyfob, you have zero backup available - you are stuck contacting the vendor to get the old keyfob disabled, and a new one assigned.

scottalanmiller

@breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:

"It depends" on way more factors than 2FA.

Do they currently have work emails on their personal device?
If yes, why does introducing 2FA suddenly require stipends? If no, then provide them with physical tokens for 2FA instead.

Maybe they "have to" vs. "they can"?

Dashrender

@scottalanmiller said in 2FA - when required by your vendors, do you stipend your staff?:

@breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:

"It depends" on way more factors than 2FA.

Do they currently have work emails on their personal device?
If yes, why does introducing 2FA suddenly require stipends? If no, then provide them with physical tokens for 2FA instead.

Maybe they "have to" vs. "they can"?

Actually, in most of their cases, we purposefully prevent it. ActiveSync and Webmail are both deactivated for most of those users.

dbeato

I wouldn't stipend the staff, the data usage is minimal.

Dashrender

@dbeato said in 2FA - when required by your vendors, do you stipend your staff?:

I wouldn't stipend the staff, the data usage is minimal.

The question is - is there any type of legal requirement here?

dbeato

@dashrender Good question...Let me check...

dbeato

@dashrender Are these trainees or just part time employees?

dbeato

https://cng.ncsu.edu/cng-docs/resources/Stipend_vs_SalaryQAsession12072010.pdf

Dashrender

@dbeato said in 2FA - when required by your vendors, do you stipend your staff?:

https://cng.ncsu.edu/cng-docs/resources/Stipend_vs_SalaryQAsession12072010.pdf

Not really sure where you're going with this one.

dbeato

@dashrender the Stipend part, are we talking about an Employee or Trainees/Interns
?

Dashrender

@dbeato said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender the Stipend part, are we talking about an Employee or Trainees/Interns
?

you post talks about stipends for non staff, and salary for staff.

I'm talking about stipends for staff.

travisdh1

If employees are required to use personal devices, I'd think there should be some sort of stipend or payment for them. Legalities are probably different for each location tho, so might want to touch base with the lawyer's office.

dbeato

@dashrender I Guess I am confused by the terminology of a stipend. I usually would use stipend with interns while with employees it will be a payment, reimbursement or extra pay.

scottalanmiller

@dbeato said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender I Guess I am confused by the terminology of a stipend. I usually would use stipend with interns while with employees it will be a payment, reimbursement or extra pay.

Regular employees get stipends as well.

Dashrender

@dbeato said in 2FA - when required by your vendors, do you stipend your staff?:

@dashrender I Guess I am confused by the terminology of a stipend. I usually would use stipend with interns while with employees it will be a payment, reimbursement or extra pay.

Google Definition
https://i.imgur.com/EJY0EWZ.png

OK I see where the confusion can come from.

To me a stipend can be paid to anyone, payrolled employee or not. From my experience, a stipend is not considered pay from a taxable point of view, but my experience is probably limited. Again, to me a stipend is paid to compensate someone for some expense they have on the companies behalf, instead of the company paying for it itself.
Of course the above definition does not imply that at all.

dbeato

@dashrender Yeah, but for what you want then yeah they should get some sort of pay.

PenguinWrangler

Why not buy them some cheap Android Tablets. I mean you can pickup some really cheap ones, less than 50 bucks. As long as they are on the wifi then they use those. You have total control over the 2FA devices that way.

Dashrender

@penguinwrangler said in 2FA - when required by your vendors, do you stipend your staff?:

Why not buy them some cheap Android Tablets. I mean you can pickup some really cheap ones, less than 50 bucks. As long as they are on the wifi then they use those. You have total control over the 2FA devices that way.

Now they are carrying around two devices with them, phone and this tablet.