Forum Discussion
luvsql
Mar 09, 2021Steel Contributor
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.
We supply these users with a Business Voice license so they can make business calls and accept business calls.
All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.
Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.
So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.
We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.
- Jeff_BirksCopper Contributor
This is a common problem if you are not able to use hardware tokens then I strongly suggest considering using programmable hardware tokens.
- phergetCopper Contributor
A viable option would be to use the TOTP Authenticator from REINER SCT.
It's a simple device with a low-res camera and a TOTP generator. You scan the QR-Code once and then it can create a one-time-password every 30 seconds.
It kinda emulates a smartphone. Unlike WinAuth, which probably runs on the same PC as the Office 365 apps it is a real second factor. It can store 60 accounts. It has no USB interface for the PC and power is supplied via three micro (AAA) 1.5 V alkaline batteries. - MadRegimeCopper Contributor
According to Token2 it must be possible to setup a FIDO2 key without any other MFA (Except from a TAP), but for me still no luck. Anyone already a proper solution? Microsoft Support cannot solve it either...
https://www.token2.com/site/page/office-365-protecting-user-accounts-with-fido2-keys-without-mfa?azure- it-lettCopper ContributorPerhaps you could first set up an account using your cell phone, then add the FIDO2 key, then remove your cell phone?
In any case this has inspired me to start setting up TOTP for all our new accounts. For new hires, I have been setting up a Keepass file for them with all their business password and other info (server accounts, MS account info, etc.) which can be read by a variety of software on various platforms (KeepassXC, Strongbox on macOS and iOS, Keepass2Android on Android, etc.) and each of these platforms can also generate TOTP keys when given the appropriate "shared secret". I think for the new hires I will get that info into their file right from the get-go and they can use it for MFA in addition or instead of the other methods available to them.- triwynCopper Contributor
I like the hell out of this idea! How's this going a year later? Anything you'd change?
- saucyknaveCopper Contributor
We're an agricultural manufacturer in North Dakota and I am the entire IT department here. I started getting these same warnings 5 days ago, so Security Defaults are going to be turned on in 10 days. I'm freaking out because we have people working here who don't even HAVE cell phone, and sales reps in the US and Canada. I'm fine if Security Defaults automatically configures to NOT prompt for MFA for anyone on-site (on the local network), but what about my sales reps? By the way, one of my sales reps has a old-school "feature" phone (aka not a smartphone) and is one of the guys who hates new technology.
Something tells me I'm between a rock and a hard place: Either I deal with the ridiculous fallout of forced MFA, or I pay extra to enable Conditional Access and simply turn off MFA across the board. UGH.- tfrainCopper Contributor
I used a Token2 physical token (from a company in Switzerland) that essentially mimics a secondary Auth App (like google authenticator). When prompted for 2FA, you select alternate authenticator, you scan the QR code into their app, hold the token close to your cell phone and it basically transfers hash to the physical token. We did not have to upgrade our Azure accts to P1 or P2 because to Azure, you are using Google Authenticator and the like. Worked great for a user on the floor who didn't have a desk phone for office phone auth, and we don't allow cell phones on the production floor. Was quick and easy. You can Google Token2. There is at least one party who has them on Amazon.
Only issue is when the user is prompted, it tells them to put in their Auth App code. You just explain to them that it is asking for the number on the token, not something on their phone.
- louis2againCopper Contributor
tfrain luvsql saucyknave Kidd_Ip it-lett why has noone suggested Authy? Works like a charm for me.
FIDO2 security keys may help
Azure Active Directory passwordless sign-in - Microsoft Entra | Microsoft Learn
- it-lettCopper Contributor
For at least some setups, it is possible to use a computer based OTP TOTP/otpauth based authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the Authentication App of your choice, and it will also have a "I can't scan the bar code" link that will lead to the "shared secret" that you need.
For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval university: https://www4.fsa.ulaval.ca/en/current-students/apti-help-desk/how-tos-tips/multifactor-authentication-mfa/#Adding-anothervalidationmethodwithOTPManager
Additionally, many password manager programs (such as KeepassXC have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeepassXC:
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry
I am using these methods to do MFA on two of my different Microsoft 365 accounts - one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOPT codes.
- PJAngert005Copper Contributor
I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk really.
- Christopher KnoerzerCopper Contributor
Yes, there is a way.
You can have Windows devices enrolled to Intune (MEM) and use OTP (One-time Password) and FIDO2 Keys. Just recently started down this path with a customer.
- Danny69Brass ContributorSoftware token = MS authenticator or equivalent mobile app
- sathiyatam26Copper Contributorlooking for 3rd party authenticator app, it should not open source
Except MS authenticator because users are not allowing to user mobile phone- Thinker1800Copper Contributor
sathiyatam26 luvsql
Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.
- PJAngert005Copper Contributor
Danny69 Except that both come back to being tied to a mobile device versus other software authentication, which defeats the point of the conversation.
- Danny69Brass ContributorI have found a workaround. If you register one of the primary methods (sms/call/app) then add a FIDO key, you can remove the primary method, leaving the FIDO key as the only method. Not ideal but it works...
- David_2468Copper Contributor
In our workplace we are unable to phones on the shopfloor for security reasons. We have implemented
OATH tokens
We bought
Feitian OTP C200 Readers
Here is a video of the process we followed for importing the token details (which were supplied by the vendor in a csv file. we just needed to add the UPN details for the appropriate user \ reader )
https://www.youtube.com/watch?v=dPMUFd5HqQQ
You then simply turn on MFA for the user like you would normally as an administrator
When the user logs in, it will ask for the number off the token.
Solution works well and is surprisingly simple once you know how.
- Susan AlexanderCopper Contributor
luvsql Did you find a resolution? We are in the exact same situation. For a variety of reasons, telling employees that they MUST use their personal phones is going to create enormous issues and perhaps legal ones too (not sure of it in the US). What if one forgets their smart phone one day? They can't get to their business email all day long? What if users have a work supplied smartphone but it is shared - can they still each use it for MFA? As another poster mentioned, many of our users can't use their smartphones at work because of the way the building is constructed - no signal. Our police officers are going to be out in their vehicles when accessing email - there is no way other than forcing to use their personal phones? We have one phone number for the entire organization for land lines, we each have an extension from then on, is there a desk phone option that would work in that scenario? Other posters have mentioned that in some countries, it is illegal to force employees to use their personal phones for business reasons. Why didn't MS think this through? Think about the REAL world?
If anyone has heard anything from MS or has a valid solution without using third party options, we'd LOVE to hear from you!
- luvsqlSteel ContributorNo solution. I tried a couple key solutions that didn't work and they are so small one was lost immediately and $50-$75 to replace. We've settled on using text on personal phones since it doesn't require an app to be installed and for some of our users that have a Teams Business Voice license, using their Teams number to authenticate. However, Teams may stop working if can't authenticate then the number stops working.
If there is no cell signal then they could authenticate with wifi but that would require them to install the app so that's fine for our Employees we supply a phone to.
Microsoft needs to start selling keys so we know they're legit and easy to use that we can purchase along with our licenses. They are way too complex and some aren't certified.- Susan AlexanderCopper Contributor😞
I saw this https://services.mnsu.edu/TDClient/30/Portal/KB/ArticleDet?ID=114
and wonder how to configure on the admin side to get the option for Office phone. It seems to have the option to enter an extension which is what we would need. That would take care of the majority of our users. Looking through MS documentation, I don't see anything regarding this Office phone option.