Careful with Remote Work via VPN

Depending on the 2FA, but yeah, it will leak your location if your 2FA app (like Microsoft Authenticator) collects it.


Thank you very much. I am actually using Microsoft Authenticator…
Will pay attention to that!

I use a personal phone, not a company-sanctioned phone. I have a device dedicated to 2FA that is NOT the phone I use day to day. On it, I use the Zerotier app, funnel all traffic through Zerotier (checkbox setting under configuration), and have a static route in Zerotier to funnel all the traffic back to my exit node router. I also have GPS spoofing enabled in developer mode. Microsoft Authenticator, Okta, Duo etc. are 100% logging your IP when you 2FA in via the app, so you are for sure "leaking information". Additionally, they may or may not be scraping GPS information as well depending on the company. You will NEED to hide the IP address of said phone for sure in order to not leak that info. You will WANT to spoof your GPS just in case/peace of mind.

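An added example (mine, not code from the poster above) of the check I would run before trusting a "funnel all traffic" setup like the one described, because the way people usually get caught is a leak around the tunnel rather than the tunnel itself: parse the client's routing table and resolver config and confirm that both arbitrary Internet addresses and every DNS resolver would actually leave through the tunnel interface. The `ip route` output, the interface name `ztabcdef01`, the subnets and the resolver addresses are all constructed for this example; the two /1 routes are the split-default pattern that full-tunnel clients (ZeroTier's allowDefault, OpenVPN's redirect-gateway def1) install to beat the existing default route on prefix length without deleting it.

```python
import ipaddress
import re

# Constructed `ip route show` output from a Linux client that pushes everything
# through a ZeroTier interface. Interface name, subnets and the two /1
# "half default" routes are assumptions for this example.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.147.17.1 dev ztabcdef01
128.0.0.0/1 via 10.147.17.1 dev ztabcdef01
10.147.17.0/24 dev ztabcdef01 proto kernel scope link src 10.147.17.23
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Same host after the tunnel dropped: the /1 routes are gone, so the Wi-Fi
# default route carries all traffic and the real IP is exposed.
LEAKY_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.147.17.0/24 dev ztabcdef01 proto kernel scope link src 10.147.17.23
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Constructed /etc/resolv.conf contents: resolver inside the tunnel vs. the LAN router.
TUNNEL_RESOLV = "nameserver 10.147.17.1\n"
LAN_RESOLV = "search lan\nnameserver 192.168.1.1\n"


def parse_routes(text):
    """Turn `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else ""
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(routes, ip):
    """Longest prefix wins, lower metric breaks ties: the kernel's lookup order."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, -metric, dev) for net, dev, metric in routes if addr in net]
    return max(matches)[2] if matches else None


def check_full_tunnel(route_text, resolv_text, tunnel_prefix="zt",
                      probes=("8.8.8.8", "203.0.113.7")):
    """Return leak findings; an empty list means every probe address and every
    DNS resolver would be reached through the tunnel interface."""
    routes = parse_routes(route_text)
    findings = []
    for ip in probes:
        dev = egress_device(routes, ip)
        if not dev or not dev.startswith(tunnel_prefix):
            findings.append(f"traffic to {ip} leaves via {dev or 'no route'}, not the tunnel")
    # A resolver on the LAN is reached by the more specific LAN route even when
    # the default route is tunnelled: a classic DNS leak.
    for m in re.finditer(r"^\s*nameserver\s+(\S+)", resolv_text, re.MULTILINE):
        ns = m.group(1)
        dev = egress_device(routes, ns)
        if not dev or not dev.startswith(tunnel_prefix):
            findings.append(f"DNS resolver {ns} is reached via {dev or 'no route'}: DNS leak")
    return findings


if __name__ == "__main__":
    scenarios = [("full tunnel", FULL_TUNNEL_ROUTES, TUNNEL_RESOLV),
                 ("tunnel down", LEAKY_ROUTES, LAN_RESOLV),
                 ("routes ok, DNS on LAN", FULL_TUNNEL_ROUTES, LAN_RESOLV)]
    for name, routes, resolv in scenarios:
        print(name, "->", check_full_tunnel(routes, resolv) or "no leaks")
```

Feed it the real output of `ip route show` and `/etc/resolv.conf` from the phone or travel router client. The third scenario is the quiet one: the routing table looks right and the IdP sees the exit node's IP, but every hostname lookup still goes to the local ISP's resolver.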

Thank you so much guys for your prompt and precise answers. My struggles over the last 6 months made me learn a lot of new stuff that is super interesting.

I will buy a stock Android phone and get a GPS spoofing app as you've mentioned. I am not quite sure if my IT department searches for that type of info, but at least for peace of mind I will do that.

So not freelancing any more? [MT3000] Seeking Assistance to Access Swiss IP from Egypt for Freelance Work

The issue isn't that they won't search for it — the issue is, that the used security software will raise an alert if something is odd. So if there is monitoring, they might know already.

If that were the case I would have had issues a long time ago. I don't think they really care in my case, but better to be on the safe side.

Just cover your laptop in tin foil and use an external keyboard lol. Or…. Stop working for these awful companies.


Not to pick on you, but every one of your posts has an element of fear mongering. Of course we know middle-class people have to follow all the rules and companies want to secure their networks against fraud and theft, but is there any data to show corporate theft has increased after Covid?

For the record, I work for an S&P 500 company. Several folks have been "caught" working from overseas (with no protections). They've been let off with warnings. Some have been warned twice.

I think employers already know most employees are not at designated locations. My employer requires people (even remote employees) to be within 45 miles of the office, and they also know houses are $2 mil within that range. They (have to) know everyone is lying about their address on their resume to get the job. How can recruiters making $60k even afford to comply with that?

Everything is messed up. My buddy is doing 3 days/week in office. Their employer negotiated big incentives from the local govt before Covid. They are using an "Uber-like" underground service which keeps badges and they go and swipe them. The employer doesn't care, they just want incentives from the county. Many employees are living a few hundred miles away with their badges with these drivers.

So, I’d argue in-office and hybrid work have much more fraud than remote work.


It's not fear mongering. This is just information that I found out and I'm passing it on to anyone else. If you don't find it useful or think it's good for you, no problem. But this is a tactic that's being used.


Good point. Don't lie to your employer or the company you work for.

Hi Goldsteinadj, thanks for your info. Question: can you share some insights about company DPI?

I also have a separate phone with only Microsoft Authenticator. I have it in flight mode and use an Ethernet cable connected to the travel router with WG. Luckily I almost never have to use it, but lately I got an error message that it couldn't locate me (not surprising of course). However, doing it your way, why does your method not raise a red flag because of a spoofing configuration that gets detected by the authenticator?

Exactly :clap:

Let's just close this topic? It's not going anywhere.

  1. Be honest with your employer;

  2. If the rules don't suit you, look for a different company.


If your phone has an authenticator app beyond a generic TOTP you type in, and especially if your phone is managed by your employer in any way, it'll probably look suspicious if you go through the steps that would be necessary to make the phone look like you are in a place not close to where you want the phone to appear to be (e.g., the installation of GPS spoofing apps, not setting your phone's clock by the cell network time, having various radios disabled, etc.). That said, it took my firm's IT security about a year to bother to check in with me whether it was legitimately "me" connecting to their M365 services through Mullvad VPN on my phone, and I work for a fairly infosec-paranoid company (but I don't spoof my location).

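To make concrete what "the security software will raise an alert if something is odd" (earlier in the thread) and "IT security checked whether it was legitimately me connecting through Mullvad" (the post above) look like from the other side, here is an added example, not code from any poster or from any vendor, of the three checks an identity provider's sign-in monitoring typically runs on the IP it logs at every MFA prompt: country differs from the declared one, IP belongs to a hosting/VPN range, and two consecutive sign-ins imply a travel speed no airliner reaches. The sign-in records, the reputation table and the home-country mapping are constructed; the 900 km/h threshold is an assumption.

```python
import ipaddress
import math
from datetime import datetime, timezone

# Constructed sign-in records in the shape an IdP logs for every MFA prompt:
# who, when, from which IP, and the country/coordinates the IdP resolved for
# that IP. All values are made up; the IPs are documentation ranges.
SIGNINS = [
    {"user": "alice", "ts": "2024-05-02T08:00:00Z", "ip": "203.0.113.10",
     "country": "CH", "lat": 47.3769, "lon": 8.5417},
    {"user": "alice", "ts": "2024-05-02T09:30:00Z", "ip": "198.51.100.5",
     "country": "EG", "lat": 30.0444, "lon": 31.2357},
    {"user": "alice", "ts": "2024-05-02T14:30:00Z", "ip": "203.0.113.10",
     "country": "CH", "lat": 47.3769, "lon": 8.5417},
]

# Constructed reputation table (prefix -> label). A real pipeline keys a
# commercial ASN/anonymizer feed the same way.
IP_REPUTATION = {ipaddress.ip_network("198.51.100.0/24"): "hosting/VPN"}

HOME_COUNTRY = {"alice": "CH"}   # assumed: the country the employee declared
MAX_SPEED_KMH = 900.0            # faster than an airliner counts as impossible travel
MIN_JUMP_KM = 100.0              # ignore small geo-IP jitter between sign-ins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def reputation(ip):
    """Label for the IP's prefix, or None if it is in no flagged range."""
    addr = ipaddress.ip_address(ip)
    for net, label in IP_REPUTATION.items():
        if addr in net:
            return label
    return None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(signins, home_country):
    """Return alerts for country mismatch, anonymizer IPs and impossible travel."""
    alerts = []
    last_seen = {}
    for rec in sorted(signins, key=lambda r: r["ts"]):
        user = rec["user"]
        home = home_country.get(user)
        if home and rec["country"] != home:
            alerts.append({"kind": "country_mismatch", "user": user, "ts": rec["ts"],
                           "detail": f"{rec['country']} != {home}"})
        label = reputation(rec["ip"])
        if label:
            alerts.append({"kind": "anonymizer_ip", "user": user, "ts": rec["ts"],
                           "detail": f"{rec['ip']} is {label}"})
        prev = last_seen.get(user)
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            hours = (parse_ts(rec["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # A real jump with zero elapsed time is treated as infinite speed.
            if km > MIN_JUMP_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                alerts.append({"kind": "impossible_travel", "user": user, "ts": rec["ts"],
                               "detail": f"{km:.0f} km in {hours:.1f} h"})
        last_seen[user] = rec
    return alerts


if __name__ == "__main__":
    for a in analyze(SIGNINS, HOME_COUNTRY):
        print(a["kind"], a["user"], a["ts"], a["detail"])
```

The second record trips all three checks at once: the country the IdP resolved is not the declared one, the IP sits in a hosting range, and Zurich to Cairo in ninety minutes is far above airliner speed. The third record, five hours later, is under the speed threshold and raises nothing, which is why a tunnel that drops for a single prompt is enough to generate a ticket.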

Thanks for sharing, good to know.
PS: it's my private device.

I mean I got caught and received a warning. I was 90% sure I was getting fired but we have a hiring freeze so I guess they looked the other way. Here's my thread: MT1300 (Beryl) - OpenVPN Leak?

We're still not 100% sure how they caught me but I'm assuming it's because of a VPN leak though, not Wi-Fi scanning. I use a key fob authentication, so no GPS either.

How about asking for a "workation" before booking? I've been doing that for 2.5 years now and as long as the work gets done nobody really cares (you have to take care of insurance and law-related things). Some countries even arrest you if they find that you are working without permission.

There are so many (easy) ways to get the real location of the equipment. Some OSes do constant Wi-Fi scans to adjust timezone settings.

If you really need to work from $somewhere, then leave the equipment at home and use a Remote KVM. Good news is that glinet will offer something for this later this year -> Comet (GL-RM1) - GL.iNet This works if you do not have to use your fingerprint to login.

I got totally lost trying to follow this - we have Sophos VPN with 2FA for remote work. It's a bit cumbersome, but it's reliable and does what it needs to do (basic RDP access). I originally thought this topic was talking about security issues for remote work, but it seems more like the OP wasn't working from where they told their employer they were located. I still don't see how that matters - if you put in the hours and get the job done, the whole point of remote work is being remote.

But if I understand correctly, this discussion has less to do with actual vpn security than it does some kind of personal issue between employer and employee.

Some GPS implementations use A-GPS. Assisted GPS also uses surrounding SSIDs and GSM signals. Assisted GNSS - Wikipedia.
Wi-Fi positioning system - Wikipedia
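An added example of the Wi-Fi positioning the links above refer to (my code, not the posters' and not any positioning service's): the OS scans nearby BSSIDs, a database maps each BSSID to where it was last seen, and a weighted centroid yields the device's location with no GPS involved at all, which is why a spoofed GPS fix can be checked against it. The AP database, the path-loss constants and both positions are constructed; the scan is simulated from the "true" position with the same path-loss model so the numbers are consistent.

```python
import math

# Constructed AP database: BSSID -> (lat, lon). Positioning services hold
# hundreds of millions of such entries, harvested from devices that see both
# a GPS fix and nearby Wi-Fi; every value here is made up.
AP_DB = {
    "02:00:00:aa:01:01": (30.0450, 31.2350),
    "02:00:00:aa:01:02": (30.0440, 31.2365),
    "02:00:00:aa:01:03": (30.0438, 31.2348),
}
TRUE_POS = (30.0443, 31.2355)      # where the phone physically is (assumed)
SPOOFED_FIX = (47.3769, 8.5417)    # what a GPS spoofing app reports (assumed)
TX_POWER_DBM = -40.0               # assumed RSSI at 1 m from an AP
PATH_LOSS_EXP = 3.0                # assumed urban/indoor path-loss exponent


def meters_between(a, b):
    """Equirectangular approximation; fine for the sub-km ranges Wi-Fi covers."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    x = (lon2 - lon1) * math.cos((lat1 + lat2) / 2)
    y = lat2 - lat1
    return 6371000.0 * math.hypot(x, y)


def distance_to_rssi(d_m):
    """Log-distance path-loss model, used here only to fabricate a realistic scan."""
    return TX_POWER_DBM - 10 * PATH_LOSS_EXP * math.log10(max(d_m, 1.0))


def rssi_to_distance(rssi_dbm):
    """Inverse of the same model: how far an AP with this RSSI probably is."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def simulate_scan(true_pos, ap_db):
    """What the OS's Wi-Fi scan would return: BSSID -> RSSI in dBm."""
    return {bssid: distance_to_rssi(meters_between(true_pos, pos))
            for bssid, pos in ap_db.items()}


def estimate_position(scan, ap_db):
    """Weighted centroid of known AP positions (weight 1/d^2); None if no BSSID is known."""
    w_sum = lat_sum = lon_sum = 0.0
    for bssid, rssi in scan.items():
        if bssid not in ap_db:
            continue
        d = max(rssi_to_distance(rssi), 1.0)
        w = 1.0 / (d * d)
        lat, lon = ap_db[bssid]
        w_sum += w
        lat_sum += w * lat
        lon_sum += w * lon
    if w_sum == 0.0:
        return None
    return (lat_sum / w_sum, lon_sum / w_sum)


def gps_consistent(gps_fix, wifi_estimate, tolerance_m=1000.0):
    """False when the reported GPS fix is nowhere near where the Wi-Fi says you are."""
    return meters_between(gps_fix, wifi_estimate) <= tolerance_m


if __name__ == "__main__":
    scan = simulate_scan(TRUE_POS, AP_DB)
    est = estimate_position(scan, AP_DB)
    print("wifi estimate", est, "error %.0f m" % meters_between(est, TRUE_POS))
    print("spoofed GPS consistent with wifi?", gps_consistent(SPOOFED_FIX, est))
```

Three known BSSIDs are enough to land within a few tens of metres of the true spot, and the spoofed fix is thousands of kilometres from that estimate. Turning off GPS or feeding it fake coordinates does nothing about this path; only a radio that never sees the local BSSIDs (or a device that is not physically there, like the remote KVM suggested above) does.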