Company Considers Mandatory MFA on Personal Phones

The author of the post indicates that, following recent events in the United Kingdom, their company wishes to strengthen its cybersecurity posture. Management is considering mandating the use of application-based multi-factor authentication (MFA), abandoning the use of SMS. Since the majority of employees do not have company-issued phones, they would be required to download and use an authentication app of their choice, such as Microsoft, Google, or Authy. The author questions whether this measure is legal.