Disallow usage of personal devices with MFA
The MFA features are great, but, for the account owner, some transparency into what form of MFA has been configured would be ideal.

For instance, if the person adds SMS or a Voice Call feature, I think some employers would like to know/verify that the phone number associated with the account is a work number, that is, that the phone number is not for a personal device.

Companies often enforce security policies on their own devices, so they may not want users adding personal devices (where security may not be as tight).

Disabling certain forms of MFA would also be useful, for the same reason. If a user adds Okta authentication, that form of MFA is only as secure as the phone it was added to.

Further, if the account owner could configure MFA for the user, I think that would also be useful.

Complete picture: I add a work cell phone number for SMS and voice for a new user I onboard, and disable Okta and Google Authenticator (because they can be installed on any device, and I don't have any control over the security of that device).

Thoughts?