I think the infosec pros, particularly those who manage security for large institutions, will get a good eye roll out of this one.
I work for a large school district, which uses GSuite Education and also a separate SSO portal for all the other apps we use.
First teacher in-service day, it was mentioned that the district would be finally implementing 2FA for all accounts. Great.
Today, we all receive an email from our head of tech. By the end of the month, we must set up 2FA.
1/x
Here's the thing though: They are telling us we must use our personal phones for this! Either using the Google unlock option if you have an Android phone, or an authenticator app. Now I have an Android, and use Google unlock for my personal accounts, but I am NOT putting my school district account on my personal phone.
Oh, and we need a second authenticator app (Duo) to get into our SSO portal.
Oh, and most of us get little to no cell service in our rooms, so this is doomed to fail.
2/x
Unless of course we sign into our district WiFi. On our personal phones. Yeah, not happening.
It's pretty clear to me that they are trying to bring their security in line with the 21st century, but doing so at zero cost to them. What they should be doing is buying hardware FIDO keys for every employee, instead of trying to force us to all use our personal devices for this.
Needless to say, this will be a topic of discussion at next week's union meeting.
3/3
@voltronic - I get that