Forum Discussion

JamesRV
Brass Contributor
Jul 15, 2021

MS Authenticator Programming

Does anyone know how to use the MS Authenticator code in a programmatic way to authenticate users? Here is the scenario:
  1. User calls the helpdesk about resetting their password (we do have SSPR, but there are some who still call)
  2. Agent asks the user to read the code from their Authenticator app
  3. Agent types it into a custom screen or any available screen from AAD
  4. Once validated, we provide a temporary passcode
  • pvanberlo
    Steel Contributor
    TOTP works based on shared secrets, so unless you have these shared secrets, you will not be able to validate the user at all. They cannot be programmatically retrieved either.

    If there is no other way to "authenticate" a user based on personal or company information, you might consider setting up a system where the user selects a short "code word or phrase" which is stored securely. Only if the user can provide this specific code word or phrase will you be able to determine whether the user is who they claim to be. As a second option, perhaps this can be completed based on a second MFA code using SMS and a registered phone number.
    • JamesRV
      Brass Contributor
      These are our AAD users, so we do know them. I am trying to stay away from knowledge-based verification and use the security code displayed in the Authenticator app as the additional factor before we reset the user's password.
      • LindaK605
        Copper Contributor

        JamesRV, did you find an answer to your request yet? I'm facing exactly the same demand at the moment and am looking for a way to handle an authentication method for our users against the helpdesk.