when is MFA, not?
Is a (Microsoft, in this case) MFA solution which uses your smartphone really MFA? I mean, if that same smartphone is the email reading device, it seems like the opportunity for compromise and exploit is higher than it would be with a separate MFA token/device.
Technical reasons aside, I agree it's pretty reprehensible for companies to assume (or require) employees use their personal computer/phone/etc. for access to corporate resources. $COMPANY has explicitly told the employees not to use company kit for personal files, email, etc., wouldn't you think the reverse would be (should be!) equally true.
Biting the hand that feeds IT
