SoftTalker 3 hours ago
Where do you draw the line? If the employer wants you to install a 2FA app on your phone, do you demand a separate phone or alternate 2FA device for that and mark yourself as a troublemaker? Or do you just do what 99.8% of the staff does and install the app?
childofhedgehog 3 hours ago
My IT department and I fully support staff requesting YubiKeys, there’s no concept of being a “troublemaker” for having boundaries and respecting security requirements. I’d talk to your IT management if your company culture seems different, I bet the actual techs do not have an issue with this.
nekusar 3 minutes ago
If it's a standards-compliant TOTP 2FA, I don't have any issue in adding those to my app. If it's the terrible MS authenticator or DUO, then get me a device.
pwg 3 hours ago
> Where do you draw the line?

If they want me to have some "special device", they pay for the hardware for me to have said "special device". My private phone is not for their use, ever.
nosioptar 3 hours ago
I'm happy to be the "troublemaker". In my experience, one troublemaker can often recruit others to their cause.
tassadarforaiur 2 hours ago
One of the biggest banks in the US forces staff and contractors alike to install a proprietary 2FA app on their personal devices. If you can get a company phone, you can't finish activating the MDM, to install the company 2FA app, without first using that 2FA app on your personal device. Even a company YubiKey can't be activated without the 2FA app, which again, you can't get on a company device without first installing it on your personal device.
8note 26 minutes ago
If the company wants to identify me by my phone, they have to take control over the phone, e.g. a rooted Android can screw with their app; that means they need to provide it.
tough 3 hours ago
I would install the app on the shittiest iPhone backup I have (I must have like 10 iPhones by now, I don't sell old ones).

You can also perfectly use 2FA without a phone, unless your shitty company is using some shitty proprietary 2FA, and even then, it's just a "key" or "QR" they give you, that then you totally control and can use in mostly any 2FA-compatible app, like Passwords.app from Apple, 1Password, or Authy (RIP).

Installing shitty apps just cause your company tells you to is a great way to get your personal phone hacked too.

Same goes with all the MITM bullshit. If you want to install malware on my 6k MacBook, you're gonna have to buy me your own "work MacBook" for me to handle that shit. And I won't touch it for anything else than work. But installing spyware from work on my personal computer is a big NO NO.
idiotsecant 2 hours ago
Yes. That is where you draw the line. Work use of your personal device. Why is this so hard to imagine? If you're working somewhere where not donating resources to your employer means you are a troublemaker, it's time to find new work.
brendoelfrendo an hour ago
They can buy a USB FIDO token. I've had this argument with employers in the past; some states have laws that require the employer compensate employees for requiring the use of their personal mobile device, even for something as simple as MFA. There's no such thing as a free lunch: if you want to require an employee do something, you must be willing to pay for that capability. Ethically, I think all employers should be held to this standard. Legally, anyone who employs people in California, Montana, and I think Massachusetts must be aware of that standard.