Forum Discussion
Use FIDO2 as MFA token
We are trying to replace the need to have a phone number (cellphone or office phone or authenticator app) for many of our users that refuse to use a personal phone for authentication. This is also for those users whose PC we need to set up ahead of time, so they will not have their personal cellphones with us to authenticate during all of the setup.
We do not have P2 licenses so I cannot see a way to disable the MFA during registration (i.e. after we authenticate the user to Azure AD it requires the setup).
We purchased a FIDO2 USB and have enabled it in Azure but that seems to only be for passwordless security and we're still getting prompted to setup MFA. There is no option in the MFA dropdown for FIDO2 so I'm clearly missing something.
For users that will not have a cellphone to authenticate to, can we configure the user to override the registration policy and only use the FIDO2 USB key if we don't have a P2 license (the option to disable the policy is greyed out)?
If we have to use a P2, can we only upgrade our Global Admin accounts to set tenant-wide settings, or will we literally have to upgrade every user to a P2 (which will cost us an extra $25,000 a year and is way overkill for our needs)?
We want to be secure but we don't want to have to pay $25,000 to do so. We've not had this issue when we were AD Hybrid but that local server is being tossed when we move.
luvsql Hello again, I had to try it using security defaults as I'm pretty sure you're using that. You have no Intune, Conditional access or MFA registration policy in your subscriptions.
So, when simply using security defaults with enforced MFA you get the prompt to add security info/details, and can skip this for 14 days. When enabling the Temporary Access Pass policy and activating that for a newly created user in Azure AD it instead becomes the first prompt.
This is how it looks, and it takes you to the https://aka.ms/mysecurityinfo page where one can configure additional options, such as the security key. I could not proceed as I do not have a key to put in the laptop.
* My reply is being updated, as you can actually use TAP to add a security key (as the pictures show) with security defaults. For the sake of it I even asked Microsoft, who verified the method.
To wrap up the above:
1. Enable security defaults.
2. Enable TAP and assign to user.
3. User logs in using TAP and adds FIDO2 key.
4. Next sign-in when prompted for MFA user uses FIDO2 key (as FIDO2 satisfies MFA).
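Steps 2 and 3 of the wrap-up above can be scripted, as in this added example (not code from any poster in the thread) that uses the Microsoft Graph PowerShell SDK to enable the TAP policy, issue a short-lived single-use pass for one user, and then check whether a FIDO2 key has been registered; the Microsoft.Graph module being installed, the user principal name and the lifetime are assumptions.

```powershell
# Added example, not from the thread. Issues a one-time Temporary Access Pass so a user
# without a phone can sign in once and register a FIDO2 key, then reports registered keys.
# Assumes the Microsoft.Graph PowerShell module is installed and the caller is an admin.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. user@contoso.com
    [int] $LifetimeMinutes = 60                           # keep short: the TAP is itself a credential
)

# One scope to manage the TAP policy, one to create/read the user's authentication methods.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.ReadWrite.All'

# Step 2: enable the Temporary Access Pass policy. This targets all users; in production
# narrow includeTargets to a group of accounts that actually need onboarding via TAP.
$tapPolicy = @{
    '@odata.type'  = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ id = 'all_users'; targetType = 'group'; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' -BodyParameter $tapPolicy

# Create a single-use pass for the user. The pass value is only returned here, once;
# hand it to the user out of band and do not log it.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$tap  = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
            -LifetimeInMinutes $LifetimeMinutes -IsUsableOnce
Write-Host "TAP for $($user.UserPrincipalName) (valid $LifetimeMinutes min, single use): $($tap.TemporaryAccessPass)"

# Step 3 check: after the user signs in with the TAP and adds the key, a FIDO2 method
# should appear on the account. Re-run this part later to confirm before revoking access.
$keys = Get-MgUserAuthenticationFido2Method -UserId $user.Id
if ($keys) {
    $keys | Select-Object DisplayName, Model, AaGuid, CreatedDateTime
} else {
    Write-Warning "No FIDO2 key registered yet for $($user.UserPrincipalName)."
}
```

Run the FIDO2 check again once the user reports the key is added; an unused TAP expires on its own after the chosen lifetime.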
luvsql Hello, it sounds to me as if you should use the (preview) Temporary Access Pass feature.
- luvsql (Steel Contributor): I researched that as well, but it seems to be different than the Registration Policy that occurs when a new device gets authenticated to Azure (i.e. this happens on the device and not during login).
luvsql I think I need more detailed information. What subscription do you have today? AAD P1 using CA, or simply Security defaults with enforced MFA for all users? Intune and enrollment involved? What registration policy do you refer to? It can't be the MFA registration policy, at least, as that is part of AAD P2.
The TAP is for FIDO2 scenarios such as yours, making it possible to add a key to the dropdown where it's missing right now. FIDO2 satisfies MFA but cannot be used as a second factor (at least not yet, as far as I know).
Give it a try?
Temporary Access Pass is now in public preview - Microsoft Tech Community
- JonasBack (Steel Contributor): Just a thought, and it may not be a pretty one, but instead of a FIDO2 USB key, have you considered buying them the cheapest Android phone just for Authenticator? They don't even need a cell phone subscription, since they can do fine with WiFi, or even without it after registration by using the 30-second rolling random number.
- luvsql (Steel Contributor): A cheap Android phone comes with a monthly contract of a minimum of $30 per month in Canada, so that's $720 per employee for each contract with the carrier.
- Jack_Chen1780 (Brass Contributor): If it's just for authentication, then as long as you can install Microsoft Authenticator, you don't need any mobile/data plan?
Microsoft Authenticator can work on WiFi for push notifications, and when there is no Internet, you can use OTP.
There is another mystery for me with Azure AD licensing. The document seems to indicate that if you don't have a P1 license, then the only option to allow MFA for non-admin users is to use "security defaults". But my test shows that even without a Premium license, I can still enable MFA on a per-user basis. The only difference is that users without a Premium license can only use Microsoft Authenticator for MFA; they can't use the SMS/phone call options.
- Jeff_Birks (Copper Contributor): If you don't have a P1/P2, then for users without mobile phones you could also consider using programmable hardware tokens (e.g. SafeID/Diamond) as a direct replacement for the authenticator app (you will need to program them using the QR code for an alternative authenticator).