Forum Discussion
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.
We supply these users with a Business Voice license so they can make business calls and accept business calls.
All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.
Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.
So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.
We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.
102 Replies
MFA without personal cellphones is doable and more secure than SMS. Options to consider:
- FIDO2 security keys: Provide hardware keys (e.g., USB‑A/C, NFC) and enable passwordless sign‑in or MFA via Azure AD. Works on Windows laptops and the web, no phone required.
- Windows Hello for Business: If devices are Azure AD joined/hybrid joined, WHfB can be used for strong MFA or passwordless sign‑in tied to the device + PIN/biometrics.
- Desktop authenticator alternatives: Use the Microsoft Authenticator in a virtualized Android container only if policy allows, but prefer phishing‑resistant options above.
- Temporary access passes: For onboarding or exceptions, use TAP to bootstrap a user to WHfB or a FIDO2 key without needing a phone.
- Voice/SMS to desk phones: Possible but not recommended—susceptible to phishing and routing risks. Treat only as a fallback with strict conditional access.
Practical rollout path:
- Issue each user a FIDO2 key (keep a spare per user or per team).
- Turn on security defaults or Conditional Access requiring phishing‑resistant MFA (FIDO2 or WHfB).
- Enable Temporary Access Pass for initial enrollment.
- Document recovery: lost key process, break‑glass accounts, and helpdesk verification.
This avoids asking employees to use personal devices, increases security over SMS, and is manageable at scale with clear recovery procedures.
- Jeff_BirksCopper Contributor
This is a common problem. If you are not able to use hardware tokens, then I strongly suggest considering using https://deepnetsecurity.com/products/programmable-tokens/.
- phergetCopper Contributor
A viable option would be to use the TOTP Authenticator from REINER SCT.
It's a simple device with a low-res camera and a TOTP generator. You scan the QR-Code once and then it can create a one-time-password every 30 seconds.
It kinda emulates a smartphone. Unlike WinAuth, which probably runs on the same PC as the Office 365 apps, it is a real second factor. It can store 60 accounts. It has no USB interface for the PC and power is supplied via three micro (AAA) 1.5 V alkaline batteries.
- MadRegimeCopper Contributor
According to Token2 it must be possible to set up a FIDO2 key without any other MFA (except for a TAP), but for me still no luck. Does anyone already have a proper solution? Microsoft Support cannot solve it either...
https://www.token2.com/site/page/office-365-protecting-user-accounts-with-fido2-keys-without-mfa?azure-
- it-lettCopper Contributor
Perhaps you could first set up an account using your cell phone, then add the FIDO2 key, then remove your cell phone?
In any case this has inspired me to start setting up TOTP for all our new accounts. For new hires, I have been setting up a KeePass file for them with all their business passwords and other info (server accounts, MS account info, etc.) which can be read by a variety of software on various platforms (KeePassXC, Strongbox on macOS and iOS, Keepass2Android on Android, etc.), and each of these platforms can also generate TOTP codes when given the appropriate "shared secret". I think for the new hires I will get that info into their file right from the get-go and they can use it for MFA in addition to or instead of the other methods available to them.
- triwynCopper Contributor
I like the hell out of this idea! How's this going a year later? Anything you'd change?
- saucyknaveCopper Contributor
We're an agricultural manufacturer in North Dakota and I am the entire IT department here. I started getting these same warnings 5 days ago, so Security Defaults are going to be turned on in 10 days. I'm freaking out because we have people working here who don't even HAVE cell phones, and sales reps in the US and Canada. I'm fine if Security Defaults automatically configures to NOT prompt for MFA for anyone on-site (on the local network), but what about my sales reps? By the way, one of my sales reps has an old-school "feature" phone (aka not a smartphone) and is one of the guys who hates new technology.
Something tells me I'm between a rock and a hard place: Either I deal with the ridiculous fallout of forced MFA, or I pay extra to enable Conditional Access and simply turn off MFA across the board. UGH.
- tfrainCopper Contributor
I used a Token2 physical token (from a company in Switzerland) that essentially mimics a secondary Auth App (like Google Authenticator). When prompted for 2FA, you select alternate authenticator, you scan the QR code into their app, hold the token close to your cell phone and it basically transfers the hash to the physical token. We did not have to upgrade our Azure accts to P1 or P2 because to Azure, you are using Google Authenticator and the like. Worked great for a user on the floor who didn't have a desk phone for office phone auth, and we don't allow cell phones on the production floor. Was quick and easy. You can Google Token2. There is at least one party who has them on Amazon.
Only issue is when the user is prompted, it tells them to put in their Auth App code. You just explain to them that it is asking for the number on the token, not something on their phone.
- louis2againCopper Contributor
tfrain luvsql saucyknave Kidd_Ip it-lett why has noone suggested Authy? Works like a charm for me.
FIDO2 security keys may help
Azure Active Directory passwordless sign-in - Microsoft Entra | Microsoft Learn
- it-lettCopper Contributor
For at least some setups, it is possible to use a computer based OTP TOTP/otpauth based authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the Authentication App of your choice, and it will also have a "I can't scan the bar code" link that will lead to the "shared secret" that you need.
For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval university: https://www4.fsa.ulaval.ca/en/current-students/apti-help-desk/how-tos-tips/multifactor-authentication-mfa/#Adding-anothervalidationmethodwithOTPManager
Additionally, many password manager programs (such as KeePassXC) have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeePassXC:
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry
I am using these methods to do MFA on two of my different Microsoft 365 accounts - one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOTP codes.
- PJAngert005Copper Contributor
I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk really.
- Christopher KnoerzerCopper Contributor
Yes, there is a way.
You can have Windows devices enrolled to Intune (MEM) and use OTP (One-time Password) and FIDO2 Keys. Just recently started down this path with a customer.
https://www.youtube.com/watch?v=OjfdFPIu2KI
- Danny69Brass Contributor
Software token = MS Authenticator or equivalent mobile app
- sathiyatam26Copper Contributor
Looking for a 3rd-party authenticator app; it should not be open source.
Except MS Authenticator, because users are not allowed to use mobile phones.
- Thinker1800Copper Contributor
sathiyatam26 luvsql
Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.
- PJAngert005Copper Contributor
Danny69 Except that both come back to being tied to a mobile device versus other software authentication, which defeats the point of the conversation.
- Danny69Brass Contributor
I have found a workaround. If you register one of the primary methods (sms/call/app) then add a FIDO key, you can remove the primary method, leaving the FIDO key as the only method. Not ideal but it works...
- David_2468Copper Contributor
In our workplace we are unable to use phones on the shopfloor for security reasons. We have implemented
OATH tokens
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-oath-tokens
We bought
Feitian OTP C200 Readers
https://www.amazon.co.uk/Feitian-OTP-C200-Reader-H41/dp/B01MSRAVXQ/ref=sr_1_1?crid=1KFIAO7D0828C&keywords=OTP+C200&qid=1668163095&sprefix=otp+c200%2Caps%2C1292&sr=8-1
Here is a video of the process we followed for importing the token details (which were supplied by the vendor in a CSV file; we just needed to add the UPN details for the appropriate user \ reader):
https://www.youtube.com/watch?v=dPMUFd5HqQQ
You then simply turn on MFA for the user like you would normally as an administrator
When the user logs in, it will ask for the number off the token.
Solution works well and is surprisingly simple once you know how.
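A worked example covering both it-lett's "shared secret" software-TOTP post above and David_2468's hardware OATH token import, added here and not code from any poster, Microsoft or a token vendor: it implements RFC 6238 TOTP (what OTP Manager, KeePassXC and the hardware tokens all compute from the seed) and validates a constructed vendor CSV in the column layout of the Microsoft OATH tokens page linked above. The UPNs, serials and vendor names are made up, and the seed is the RFC 6238 test key so the codes are checkable.

```python
import base64
import csv
import hashlib
import hmac
import io
import struct


def _decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 seed; vendor CSVs and Microsoft's 'I can't scan' page vary in case, spacing and padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the same code a KeePassXC entry or an OATH hardware token shows."""
    counter = unix_time // step
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps so a hardware token's clock drift does not lock users out."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


# Constructed sample in the hardware OATH token CSV layout from the Microsoft page linked above.
# UPNs, serials and vendor are made up; the seed is the RFC 6238 test key ("12345678901234567890").
OATH_TOKEN_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,ExampleModel
bob@contoso.example,1000002,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,60,ExampleVendor,ExampleModel
"""


def load_tokens(csv_text: str) -> list:
    """Validate each vendor row (base32 seed, 30 s or 60 s interval, non-empty UPN) before it is uploaded."""
    tokens = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        step = int(row["time interval"])
        if step not in (30, 60):
            raise ValueError(f"serial {row['serial number']}: unsupported interval {step}")
        if not row["upn"].strip():
            raise ValueError(f"serial {row['serial number']}: missing UPN")
        _decode_secret(row["secret key"])  # raises binascii.Error on a malformed seed
        tokens.append({"upn": row["upn"], "serial": row["serial number"],
                       "secret": row["secret key"], "step": step})
    return tokens
```

Checking a freshly imported token's code against `totp()` before activating it is a quick way to catch a seed that was mistyped or a 60 s token imported as 30 s.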