
Go through the whole list and figure out which of these services really requires your phone, and which you have set up on your phone because that seemed the easiest path.

Tell your workplace you're about to switch from carrying a phone to a landline: what is their fallback option? (It's about 50/50 whether they have one, but they definitely should.)



  > Tell your workplace you're about to switch from carrying a phone to a landline
In my country we still respect people who use dumbphones, because a religious minority eschews the smartphone. I'm very grateful for this, I tell my bank and other entities that I have to deal with that I have a dumbphone and all local entities have a path for accommodating this.


This is the best way to go about this (the first line; the second line is rather variable). Phones didn't suddenly become a single point of failure; it's mostly middle management combined with checkbox security that ends up with SMS, TOTP and push-based confirmation factors. It's not the best way, but the easiest way to set things up.

To make matters worse, TOTP is easy to copy for 'backup' purposes, so it's really not all that good (but still orders of magnitude more secure than SMS). People are now actively encouraged to use multi-device TOTP like Authy, which practically invalidates it as a separate factor.

There are of course practical implications as well. Giving everyone a YubiKey is problematic due to cost, same with smartcards and readers at every workstation (the card isn't the problem; replacing everything with readers and changing the authentication system to accept smartcards is). RSA SecurID is expensive too, and essentially just TOTP. You could only use FIDO-enabled devices like the ones with secure enclaves, but that has the same problem as smartcards.

One thing that happens a lot around here is people carrying two phones, which doesn't solve anything but does shift the work/blame/cost on the company because everything will have to be done on 'their' device. This is a bit impractical because now you're constantly walking around with two phones, or have to manage which phone you happen to have on you.

On top of everything else: all other second factors can be lost too; that is by design, because it is supposed to be 'something you have'.


> all other second factors can be lost too

The problem is how the phone is irreplaceable and non-redundant, and not that it can be lost.


That is not really the problem; that is the symptom. Making it redundant makes the factor property moot. And while it might be hard to replace, it's not irreplaceable. One issue is that if you have 60 TOTP accounts on an app on a phone and you desire to replace it, you'll end up with a keyring full of FIDO keys. Those are just as 'non-redundant' and 'irreplaceable' as the phone was.

The problem that causes the symptom is pass-the-audit mentality in the implementation of MFA. You have many options to make this "better", like picking any push, FIDO, U2F and TOTP method at authentication time. Lose 3 of those and you still have one available for the normal flow. And then there are backup codes that most people don't actually print and store because, for some reason, they are either unaware of them or believe that it will never affect them.


Yeah, if my employer wants me to use a smartphone app, they better cough up a smartphone for me to use. I'm not installing anything work-related on my private one, because I am in no position to guarantee that I won't break it or lose it.

I've had pushback from the employer about this a few times, but in the end, there's nothing they can do.


The way to handle this situation that respects your space while minimizing conflict is to have a second phone just for work only that they can mobile device manage to their heart's content with all their useless apps.

This means using one of your older devices for it if available, otherwise you can purchase the cheapest unlocked one sold at an outlet store and consider it a cost of doing business like clothing.


My workplace's solution was to simply turn off 2FA for my account.


Depends on the security requirements and terms of employment. Where I work now, you'd get a hard token or work phone if you're deemed to require a phone.

In the previous job, you were sent the form for 24x7 building access and were free to drive into work within the on-call response period. You were also reimbursed for your cell phone, that was the bronze handcuff.


Under current case law in the US, my understanding is that public ("operational realities" and reasonable suspicion tests) and private employers (fewer tests) have rights to audit any information on employer-compensated devices they wish (and have access to).

I only use a work phone for work business. If my work requires me to use a phone, I require a work phone.

Carrying two phones is a small price to pay to avoid worrying about an overzealous employer's IT staff.

https://en.m.wikipedia.org/wiki/City_of_Ontario_v._Quon

https://en.m.wikipedia.org/wiki/O%27Connor_v._Ortega


150% agree. That’s a whole other can of worms.

Even if the business doesn’t want to audit your phones, a litigation event could force the issue.


Why should they have a landline fallback?


Because in Operations you need to cover all the scenarios, regardless of what the Developers think is the “only way” to do something.


Tell that to the Australian government. You literally need to install an app to use some of their services.

https://www.mygovid.gov.au/


Good 2 factor auth systems will provide the option to be called on the number on your account.


Phone isn’t a secure factor in 2022.


If this is due to the vulnerabilities in the SS7 protocol, then it hasn't been secure since 1975.

Or at least 2008 when a set of vulnerabilities were published.

https://en.m.wikipedia.org/wiki/Signalling_System_No._7


MFA is supposed to be something you have in most cases, the phone is a weak proof of a line of phone service that has decreasingly diminished meaning over time.

NIST describes a framework for required authenticators for different levels of trust. It’s a good starting place for understanding what represents secure practices vs theater.


Well, yeah. Back in 1975, we weren't generally using our phones for authentication. The environment has changed and the security issues are far more important now.



