MFA - who pays for authentication solution?
-
@Dashrender said in MFA - who pays for authentication solution?:
Here's a topic for conversation:
Who should pay for the MFA solution? I'm mainly talking about the device the end users in your company are using to get that MFA. Should the company pay a stipend to every user for cellphone use?
They are cheap... for users who dont' want to use their cell phones, buy them one of these and configure it in O365:
https://www.token2.com/shop/product/token2-c200-hardware-token
-
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
-
@Dashrender said in MFA - who pays for authentication solution?:
But at the same time - we require people to have clothing for a job, and they aren't compensated for said clothing, so I don't see why they would need to be for a phone either - it's just part of the requirement to have this job.
This would have to be declared at offer time. Now, the business could certain re-offer the position to the person with this new requirement (or let the person(s) go) but I doubt that would actually happen.
Essentially renegotiating the position and job requirements.
-
Clothing is a societal norm and as such is a ridiculous comparison. I'm of the opinion that if an employer requires a certain tool for the employee to perform their job, then it's up to the employer to either provide the tool or make arrangements with the employee for compensation / reimbursement.
-
@notverypunny said in MFA - who pays for authentication solution?:
Clothing is a societal norm and as such is a ridiculous comparison. I'm of the opinion that if an employer requires a certain tool for the employee to perform their job, then it's up to the employer to either provide the tool or make arrangements with the employee for compensation / reimbursement.
There are many jobs where this simply isn't the case - case in point, many auto mechanics. Most auto mechanics I know who work in car dealerships/city bus depots, etc all have to furnish their own tools. Now, I have no idea if they are paid extra with the expectation that those extra funds are going toward tool purchase/replacement/upgrades, of if the amount offered is the same for shops that supply tools?
-
@Dashrender said in MFA - who pays for authentication solution?:
for multiple sites? Just what everyone wants, a pocket full of tokens.
Who cares? If they're going to cry about the tokens give them the option to use their phone. But the tokens are what the company supplies...
-
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
That's when you use a service like okta or jump cloud
-
@bnrstnr said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
for multiple sites? Just what everyone wants, a pocket full of tokens.
Who cares? If they're going to cry about the tokens give them the option to use their phone. But the tokens are what the company supplies...
I agree 100%. Give them the option. Most will choose their phone. I guarantee it
-
Lol, yeah once we reach that point it would definitely be one way to get them to just accept using their own device with no added funds.
I’m not in a boat one way or the other...
It seems we have some that are clearly in one camp or the other though.
-
I'm of the opinion that the company should provide users with anything that is required to do their job. In this case, if a mobile device is required for them to do their job then the company should provide the device. If it's not required then it's the users choice.
-
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
-
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
-
@Dashrender said in MFA - who pays for authentication solution?:
and our EHR only supports Symantec VIP tokens - super lame!
Then why did you add that in the list if the only solution to that EHR is a Symantec VIP token? Then you already have the only MFA answer to that. Start there and see if everything else supports it. If not, then yeah, a pocket full of keys they shall get... or opt to use their phone.
-
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.
As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.
-
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.
As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.
Interesting.. thanks.
-
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.
As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.
Interesting.. thanks.
It is the same for using Authy instead of Google Authenticator. A lot of sites only say Google Authenticator, but they all use standards, thus Authy works just fine.
-
@JaredBusch said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.
As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.
Interesting.. thanks.
It is the same for using Authy instead of Google Authenticator. A lot of sites only say Google Authenticator, but they all use standards, thus Authy works just fine.
Exactly. Anything that says it uses Google Authenticator, can also use MS Authenticator. Same standards as JB said.
-
@Obsolesce said in MFA - who pays for authentication solution?:
@JaredBusch said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@stacksofplates said in MFA - who pays for authentication solution?:
@Dashrender said in MFA - who pays for authentication solution?:
@IRJ said in MFA - who pays for authentication solution?:
Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHRit's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.
As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.
Interesting.. thanks.
It is the same for using Authy instead of Google Authenticator. A lot of sites only say Google Authenticator, but they all use standards, thus Authy works just fine.
Exactly. Anything that says it uses Google Authenticator, can also use MS Authenticator. Same standards as JB said.
That part I know, but Symantec VIP uses their own what they call credential IDs, it's not a generic number like GA or MS auth uses... but I'll have to dig into it to see if it's cross compatible.
