luvsql
Mar 09, 2021
Iron Contributor
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts. ...
SoaebRathod
Aug 23, 2025
MCT
MFA without personal cellphones is doable and more secure than SMS. Options to consider:
- FIDO2 security keys: Provide hardware keys (e.g., USB‑A/C, NFC) and enable passwordless sign‑in or MFA via Azure AD. Works on Windows laptops and the web, no phone required.
- Windows Hello for Business: If devices are Azure AD joined/hybrid joined, WHfB can be used for strong MFA or passwordless sign‑in tied to the device + PIN/biometrics.
- Desktop authenticator alternatives: Use the Microsoft Authenticator in a virtualized Android container only if policy allows, but prefer phishing‑resistant options above.
- Temporary access passes: For onboarding or exceptions, use TAP to bootstrap a user to WHfB or a FIDO2 key without needing a phone.
- Voice/SMS to desk phones: Possible but not recommended—susceptible to phishing and routing risks. Treat only as a fallback with strict conditional access.
Practical rollout path:
- Issue each user a FIDO2 key (keep a spare per user or per team).
- Turn on security defaults or Conditional Access requiring phishing‑resistant MFA (FIDO2 or WHfB).
- Enable Temporary Access Pass for initial enrollment.
- Document recovery: lost key process, break‑glass accounts, and helpdesk verification.
This avoids asking employees to use personal devices, increases security over SMS, and is manageable at scale with clear recovery procedures.
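The Conditional Access and Temporary Access Pass steps in the rollout path above, as an added example that is not the poster's own code, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and an admin who can consent to the listed scopes; the group object IDs and the user UPN are placeholders, and the policy is created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: bootstrap phishing-resistant MFA (FIDO2 / WHfB) with Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the admin can consent to these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.ReadWrite.All",
                        "Policy.Read.All"

# Placeholder object IDs: a pilot group to enforce on and a break-glass group to exclude.
$pilotGroupId      = "<PILOT-GROUP-OBJECT-ID>"
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# 1. Enable the Temporary Access Pass method tenant-wide: short lifetime, single use by default.
$tapConfig = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    defaultLifetimeInMinutes = 60
    isUsableOnce             = $true
    includeTargets           = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" -BodyParameter $tapConfig

# 2. Resolve the built-in "Phishing-resistant MFA" strength by name rather than hard-coding its ID.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in phishing-resistant authentication strength not found" }

# 3. Conditional Access policy in report-only mode; set state to "enabled" once sign-in logs look clean.
$policy = @{
    displayName   = "Require phishing-resistant MFA (FIDO2 / WHfB)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 4. Issue a one-time TAP so a new user can register a FIDO2 key or WHfB without any phone.
$userUpn = "new.hire@contoso.example"   # placeholder UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn `
    -BodyParameter @{ lifetimeInMinutes = 60; isUsableOnce = $true }
# Deliver $tap.TemporaryAccessPass through a verified helpdesk channel, not by e-mail or chat.
Write-Output "TAP issued for $userUpn, valid $($tap.LifetimeInMinutes) minutes, single use"
```

Keep the break-glass group excluded from every Conditional Access policy and monitor its sign-ins separately, since those accounts are the recovery path when keys are lost.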