Forum Discussion
luvsql
Mar 09, 2021 - Iron Contributor
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts. ...
Christopher Knoerzer
Mar 17, 2022 - Copper Contributor
I have researched this pretty extensively for a customer and here are the challenges we have to overcome:
1. Customer does not want AD FS, so we chose to go with Pass-Through Authentication as an alternative.
2. They have a stand-alone CA, bad practice, but it is what we are working with
3. Moving to a pure cloud infrastructure, Azure IaaS, Azure AD with Synchronized Identities
4. Wants to have MFA at the device level and for M365 Services
Here are a couple of options I presented to the customer:
First, I presented Cloud Trust Setup for Windows Hello for Business (WHfB). https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust
This would allow the customer to deploy FIDO2 Keys like Yubikey to the employees, but would still require the initial setup of MFA in Azure AD (MS Authenticator App, Text, etc...)
The second option is to set up the environment to handle YubiKey deployment, https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication, but it would require AD FS for authentication for M365 services. This is not too big of an issue for the customer because they require a connection to their network prior to login, so authentication hits the DCs. Mind you, most of the organization is remote, but it would still cause the requirement to set up AD FS, which the customer does not want.
Third option is the Key Trust model for Windows Hello for Business, https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust, similar to option two, but still need AD FS.
So, to conclude, the customer either needs to accept the deployment of AD FS in their environment, which can enforce MFA with cert-based authentication, OR deploy the Cloud Trust model, which is still in preview, OR the Key Trust model, and still need people to register a device for text or the MS Authenticator app.
Unfortunately I have not been able to find any other options, but hope this helps your situation.
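The thread's underlying problem is telling which users can only complete MFA through a personal phone. The following is an added example (not code from the thread or from Microsoft) that classifies users from the method objects Microsoft Graph returns for a user's registered authentication methods; the `@odata.type` values are the documented Graph type names, and the directory data below is constructed to imitate that response shape, not a real tenant export.

```python
from dataclasses import dataclass

# @odata.type values Microsoft Graph uses for authentication method objects
PHONE_BOUND = {                      # completing MFA needs the employee's (often personal) phone
    "#microsoft.graph.phoneAuthenticationMethod",                  # SMS / voice call
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", # Authenticator app
}
PHISHING_RESISTANT = {               # key bound to hardware / the device, no phone involved
    "#microsoft.graph.fido2AuthenticationMethod",                  # e.g. a YubiKey
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
}
NOT_A_FACTOR = {"#microsoft.graph.passwordAuthenticationMethod"}   # the password itself

@dataclass(frozen=True)
class Posture:
    user: str
    mfa: bool                 # at least one second factor is registered
    phone_free: bool          # MFA can be completed without any phone
    phishing_resistant: bool  # FIDO2 or Windows Hello for Business is registered

def classify(user, methods):
    """Summarise one user's registered methods (a list of Graph method objects)."""
    kinds = {m.get("@odata.type", "") for m in methods} - NOT_A_FACTOR
    return Posture(user=user, mfa=bool(kinds),
                   phone_free=bool(kinds - PHONE_BOUND),
                   phishing_resistant=bool(kinds & PHISHING_RESISTANT))

def audit(directory):
    """Return (no_mfa, phone_dependent, phishing_resistant) as sorted user lists."""
    postures = [classify(u, ms) for u, ms in directory.items()]
    return (sorted(p.user for p in postures if not p.mfa),
            sorted(p.user for p in postures if p.mfa and not p.phone_free),
            sorted(p.user for p in postures if p.phishing_resistant))

# Constructed sample: each value mimics the "value" array of a user's /authentication/methods call
SAMPLE = {
    "alice": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
              {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "model": "YubiKey 5"}],
    "bob":   [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"},
              {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"}],
    "carol": [{"@odata.type": "#microsoft.graph.passwordAuthenticationMethod"}],
    "dave":  [{"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
              {"@odata.type": "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"}],
}

if __name__ == "__main__":
    no_mfa, phone_only, resistant = audit(SAMPLE)
    print("no MFA registered:       ", no_mfa)      # ['carol']
    print("phone-dependent MFA only:", phone_only)  # ['bob']
    print("phishing-resistant:      ", resistant)   # ['alice', 'dave']
```

The phone-dependent list is the set of users who would be blocked by a "no personal phone" policy unless a FIDO2 key or Windows Hello for Business is registered for them first.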
Christopher Knoerzer
Jan 04, 2023 - Copper Contributor
Here is a solution to this issue.
https://www.youtube.com/watch?v=OjfdFPIu2KI
luvsql
Jan 04, 2023 - Iron Contributor
Do we HAVE to go passwordless for this to work? We have to pre-setup all of our users and their PCs and apps and have to have a password for this to work.