This was likely vice versa, i.e. the employee installed Slack on their personal computer.


Either way is a terrible practice. Work devices for work and personal devices for home, and never the twain shall meet. Your company’s IT department should insist!


The terrible practice is using Slack for anything important.

Edit: practically, the line is getting more and more blurry. I have to install (multiple, ugh) MFA apps on my phone in order to authenticate to various work services. I've always been a strict work/personal separation devotee, but short of buying and carrying a separate phone, it's difficult.


MFA apps are the only work thing on my personal phone. Nothing else work related lives there...

This might actually be an even more secure way, as on my work laptop there are no personal things. Very rarely I might pay for a train ticket, but that is it.

So MFA is separate from accounts and passwords. Meaning both would need to be compromised at the same time...


Just set up another user on your phone and switch to that for work stuff. I have a whole separate user area with work stuff installed, emails, Teams etc. It's good as it means I can access work stuff when I need to but there's no risk of me getting notifications or seeing work stuff outside of work hours unless I specifically switch into the account.

https://support.google.com/android/answer/2865483?hl=en


This is how I do it and it works. It's a royal pain in the ass to switch profile all the time since our VPN has an aggressive idle timeout that boots you off. But... It's very nice to have that clean separation.


Nice idea in theory, impossible to make a strict rule in practice.

It starts with the two-factor authentication. Why spend $25 per employee on a YubiKey, or several hundred bucks per employee on a company smartphone, when they can use their personal smartphone for free?

Then it's the business travellers, some of whom are very senior people. The CTO is spending the night in a hotel for work, it's well outside of work hours, he'd like to log into his personal Netflix account on his work laptop.

Then it's the all-hands meeting about the big reorg - 9am US time, but 8pm for the team in Poland. Of course they're not going to stay in the office to watch that on company equipment, frankly they're doing us a favour by watching it at all.

Then the people wearing headphones in the office want to connect to Spotify...

IMHO any large company whose security strategy relies on nobody doing work on a personal device or personal stuff on a work device is destined for failure. You can follow the rule yourself if that's your preference - but if you try to make it mandatory and enforce it effectively, you'll find there are a lot of stakeholders who are unhappy about it...


> IMHO any large company whose security strategy relies on nobody doing work on a personal device or personal stuff on a work device is destined for failure

Every place I've worked for ~25 years has restricted the installation of software on work devices. If the CTO wants to watch Netflix, they'd need to take their own laptop or use their phone. Same with Spotify at work.

There has been more allowance for accessing work resources from personal devices in some orgs, though in many places that has also been strictly banned. At my current place, Slack sits in a grey zone where we use it for work but have to maintain discipline around what we discuss. IMO we shouldn't be using it at all.

MFA is almost a separate category - while technically "work stuff" it is reducing attack vectors rather than increasing them.


One of the reasons for that is that people are expected to read their work messages while off work.
