Sorry for my absence the last few weeks, I’ve been rather busy with a move. I’ll try to get back to regular blogging, and I have a huge backlog of topics. Here is a short one: the importance of my mobile phone has reached the level where I am reluctant to take risks with it, and that is causing problems.
I recently decided not to enable my cell phone to connect to a client’s email system. Like most organizations, my client’s IT organization requires any device accessing its email system to submit to its Mobile Device Management (MDM) regime. For the most part that is not a problem, as I already manage my phone that way, for example requiring a PIN to unlock it and having the device set to erase itself after a number of failed PIN entries. The usual MDM regime has one “feature” I can no longer tolerate: the ability for the organization to erase the contents of your mobile device at its discretion, and in particular at termination of “employment”. If I were a full-time employee, expecting to retain that status for an indefinite (i.e., multi-year) period, that might not be such a big thing. But as a consultant my access to the client’s email system might not last beyond a few months, or could even last just a few weeks. Then my phone would be wiped.
Up until recently I didn’t really care about wiping my phone, because everything really lives in the cloud. Or so I used to think. I would regularly switch devices, and all my important data, emails, etc. would be available on the new device. Thank you OneDrive, OneNote, Cloud Drive, Exchange, iCloud, etc. But increasingly there is something critical that is local only: two-factor authentication (2FA). My phone has become my identity.
My phone has been used as a 2FA device for a long time, with many sites texting me a code I had to enter for login (or authorization of certain actions). If that were the extent of it, wiping the device wouldn’t really be a problem, since an SMS code is addressed to the phone number, and the number lives on the SIM and survives a wipe. But recently more and more sites are depending on authentication apps running on the device and maintaining local state: the shared secret (seed) provisioned when you scan the QR code, which exists nowhere but on that device. For example, Microsoft’s Authenticator, Google Authenticator, MobilePass+, etc. Lose one of those apps and re-acquiring access to the sites that were being protected is a nightmare.
Not long ago I accidentally deleted an authentication app and discovered it would take at least 24 hours to re-acquire access to the account it protected. Basically the site’s recovery process was to insert a 24 hour delay between the request to turn off 2FA and it taking effect. This was done in the name of security. Then you had a few hours to access the site with a temporary code before that code became invalid. Then you had to request a new code, which came 24 hours later, and so on. I was always busy when that code appeared, so it took days to regain access. Yeah, this is an extreme example. But not the only one. Since the purpose of 2FA is to provide very strong access control, recovery from loss of a 2FA device is almost always intentionally very difficult.
I was about to make the final tap on my phone to add the client’s email system when the impact of having my phone wiped hit home. I would immediately lose access to most of my life. My personal email, my bank accounts, even Twitter. Losing access to my email would be the worst, because the recovery processes for most things go through email. It would take me days of effort to put my digital life back together. The process would spin further out of control if I didn’t have other devices with me, or they too were wiped. For example, if my iPad were wiped at the same time for the same reason. I’d be living a dystopian nightmare. I cancelled connecting my phone to their email system.
This is all starting to have a negative impact, something that will only grow as our phones become more a part of our identity. I’ve missed time-dependent mails from the client because I either need to log in with OWA (which needs 2FA, of course) or use my iPad (which I did connect to their email system). I have become reluctant to upgrade my phone, because that creates the same situation. I’d have to pre-plan the upgrade, turning off 2FA where possible and scheduling time to go through the replacement process where it isn’t. I’ve even turned off the auto-wipe feature, because the impact of someone wiping out my identity now outweighs the likelihood that they can break into the phone before I do my own remote wipe (or otherwise disable the phone’s access to my resources).
I know I’m going to hear from people that they use solutions like carrying two phones with them, one for work and one for personal use. That doesn’t work for me, and only addresses the catalyst for this post rather than the core issue. A better solution for the work/personal data problem is for efforts to compartmentalize work data on a personal device to become ubiquitous. Your employer would never have, nor need, the right to wipe your entire device but rather have a way to wipe just their data. But that doesn’t go far enough.
Are there mechanisms to get around the loss of a 2FA device? Sure. My Twitter backup codes are sitting in a safe 2000 miles from where I’m writing this. Not too useful a mechanism. Well, why not store them online somewhere? Ok, in the case of just losing 2FA access to Twitter that would work. In the case of my phone being wiped I would lose access to the store I had them in. Put them in a store that doesn’t require 2FA? Umm, remind me why we are doing 2FA to begin with?
Authy, an authentication app that has multi-device support and secure cloud backup, is probably the best current approach, to the extent that it can be used to replace the other authentication apps. But it can’t always (e.g., I don’t think it can replace MobilePass+, which is often used for enterprise network access). It also isn’t clear that Authy, or a similar 3rd party HOTP/TOTP app, will play a part in future authentication mechanisms. As Microsoft, for example, moves away from the use of passwords, its solution may require the Microsoft Authenticator app rather than allow Google Authenticator, Authy, etc. as alternatives.
As we continue the rapid move to our phones being our identities, every identity provider needs to provide a more robust way to recover from the loss of phones. But for now, I’m treating my phone as sacrosanct. No you can’t have permission to erase its contents. And no, I’m no longer upgrading my phone frequently.
Use KeePass (https://keepass.info/) with the KeeOTP (https://keepass.info/plugins.html#keeotp) plugin. Then when you add an account with 2FA, enter the code manually in both your phone and the KeePass database, instead of capturing the QR Code with your camera. That way you have two places storing the 2FA codes. This is beneficial in case you lose your phone, or you drop a brick on it.
Well, if you and enough people stop upgrading their phones as often, the phone and OS vendors should get the hint and come up with some hardware/OS/virtualization solution to the problem.
Who knew the phone in our pocket would eventually become such an important feature in our lives?
Exactly right, Hal. I have to carry two cell phones now because my employer’s MDM system would wipe my mobile phone upon termination – and I refused to allow that. So they incur all the costs of the phone and I have to lug the 2nd device around with me. Crazy. I don’t know why they cannot sandbox a mail app so termination just results in the disabling of the app.