In my blog Your Pa$$word doesn't matter, I laid out the key password vulnerabilities, and in response to a gazillion “but other creds can be compromised, too” DMs and emails, I wrote All our creds ar...
Updated Nov 10, 2020
Version 1.0
Blog Post
This blog post is spot on and I appreciate having all the weaknesses lined up. However, the app is not the silver bullet replacement even though it is a good solution.
I agree with most comments about the app needing improvements to prevent users from being... users. Also the comments about a phone not always being an option is very true for our org. Our staff members often work in environments where mobile phones are strictly forbidden (meaning SMS is useless anyway). We also have the legal dilemma of requiring some staff to install an app for work on a personal device – far from everyone have a company issued phone. You will face issues on many levels when asking staff to do this.
As a result, I am still hoping to see a lot more investments in FIDO/hardware MFA capabilities. We are issuing OTP credit card style hardware tokens as an excellent option to the app (although expensive). However, the reliance on third party apps for programming/administration of these tokens can be made a lot smoother with better integrations in AAD. It should be equally easy to issue a hardware token as it is to issue the app.