Forum Discussion
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our employees to use a personal cellphone to get text codes or install work apps to authenticate to our work accounts.
We supply these users with a Business Voice license so they can make business calls and accept business calls.
All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.
Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.
So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication, then Microsoft says that's not secure, but then provides no guidance on exactly how we're supposed to do this.
We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.
- Westbrook215 (Copper Contributor): Have you found a solution yet? I thought we could use SafeID OATH TOTP hardware tokens, but in the MFA settings in Azure, when you select the method of notification, 'hardware token' is combined with authenticator app, so you're still stuck with expecting users to have a smartphone, whether it's their personal or work one. Like you, we have users that do not have company smartphones and can't rely on their personal phones to authenticate.
- luvsql (Steel Contributor): I bought a YubiKey 5 USB-C but have not had a chance yet to test it out. Hoping it works. It's expensive ($65 in Canada) but still cheaper than a cellphone plan.
- Westbrook215 (Copper Contributor): Deepnet Security SafeID classic token. I was able to get a quote from them today: about $16 USD. I found a virtual token tool (https://www.token2.com/site/page/totp-toolset) to test with Azure, and it works well. No need to go into the user's MFA security information profile to configure anything; once you upload the CSV file and activate, you're good to go.
- Susan Alexander (Copper Contributor): luvsql Did you find a resolution? We are in the exact same situation. For a variety of reasons, telling employees that they MUST use their personal phones is going to create enormous issues and perhaps legal ones too (not sure of it in the US). What if one forgets their smartphone one day? They can't get to their business email all day long? What if users have a work-supplied smartphone but it is shared; can they still each use it for MFA? As another poster mentioned, many of our users can't use their smartphones at work because of the way the building is constructed: no signal. Our police officers are going to be out in their vehicles when accessing email; there is no way other than forcing them to use their personal phones? We have one phone number for the entire organization for landlines, and we each have an extension from there on. Is there a desk phone option that would work in that scenario? Other posters have mentioned that in some countries it is illegal to force employees to use their personal phones for business reasons. Why didn't MS think this through? Think about the REAL world?
If anyone has heard anything from MS or has a valid solution without using third party options, we'd LOVE to hear from you!
- luvsql (Steel Contributor): No solution. I tried a couple of key solutions that didn't work, and they are so small that one was lost immediately, and it's $50-$75 to replace. We've settled on using text on personal phones, since it doesn't require an app to be installed, and for some of our users that have a Teams Business Voice license, using their Teams number to authenticate. However, Teams may stop working if it can't authenticate, and then the number stops working.
If there is no cell signal, they could authenticate over Wi-Fi, but that would require them to install the app, so that's fine for the employees we supply a phone to.
Microsoft needs to start selling keys, so we know they're legit and easy to use, that we can purchase along with our licenses. They are way too complex and some aren't certified.
- Susan Alexander (Copper Contributor): 😞
I saw this https://services.mnsu.edu/TDClient/30/Portal/KB/ArticleDet?ID=114
and wonder how to configure on the admin side to get the option for Office phone. It seems to have the option to enter an extension which is what we would need. That would take care of the majority of our users. Looking through MS documentation, I don't see anything regarding this Office phone option.
- Danny69 (Brass Contributor): I have found a workaround. If you register one of the primary methods (SMS/call/app) and then add a FIDO key, you can remove the primary method, leaving the FIDO key as the only method. Not ideal, but it works...
- David_2468 (Copper Contributor): In our workplace we are unable to use phones on the shop floor for security reasons. We have implemented OATH tokens. We bought Feitian OTP C200 readers.
Here is a video of the process we followed for importing the token details (which were supplied by the vendor in a CSV file; we just needed to add the UPN details for the appropriate user / reader):
https://www.youtube.com/watch?v=dPMUFd5HqQQ
You then simply turn on MFA for the user like you would normally as an administrator.
When the user logs in, it will ask for the number off the token.
The solution works well and is surprisingly simple once you know how.
- Danny69 (Brass Contributor): Software token = MS Authenticator or equivalent mobile app
- PJAngert005 (Copper Contributor): Danny69 Except that both come back to being tied to a mobile device, versus other software authentication, which defeats the point of the conversation.
- sathiyatam26 (Copper Contributor): Looking for a 3rd-party authenticator app; it should not be open source.
Except MS Authenticator, because users are not allowed to use mobile phones.
- Thinker1800 (Copper Contributor): sathiyatam26 luvsql
Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.
- PJAngert005 (Copper Contributor): I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk, really.
- Christopher Knoerzer (Copper Contributor): Yes, there is a way.
You can have Windows devices enrolled in Intune (MEM) and use OTP (one-time password) and FIDO2 keys. Just recently started down this path with a customer.
- it-lett (Copper Contributor): For at least some setups, it is possible to use a computer-based OTP (TOTP/otpauth) authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the authentication app of your choice, and it will also have an "I can't scan the bar code" link that will lead to the "shared secret" that you need.
For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval University: https://www4.fsa.ulaval.ca/en/current-students/apti-help-desk/how-tos-tips/multifactor-authentication-mfa/#Adding-anothervalidationmethodwithOTPManager
Additionally, many password manager programs (such as KeePassXC) have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeePassXC:
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry
I am using these methods to do MFA on two of my different Microsoft 365 accounts: one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOTP codes.
FIDO2 security keys may help
Azure Active Directory passwordless sign-in - Microsoft Entra | Microsoft Learn
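A worked example added here to tie together what Westbrook215, David_2468 and it-lett describe above (this is added code, not something any poster in the thread provided). It builds and sanity-checks a hardware OATH token CSV in the six-column layout the Azure AD / Entra upload expects (upn, serial number, secret key, time interval, manufacturer, model), computes the RFC 6238 TOTP code a given token should be displaying at a given moment (so an admin can confirm the vendor's secret matches the physical token before pressing Activate), and pulls the shared secret out of an otpauth:// URI of the kind behind the MFA sign-up QR code, which is what a desktop app such as KeePassXC consumes. All UPNs, serial numbers, secrets and the otpauth URI below are constructed sample data; the first secret is the RFC 6238 reference key so its codes can be checked against the published test vectors.

```python
import base64
import csv
import hashlib
import hmac
import io
import struct
import time
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Column header Entra expects when uploading hardware OATH tokens (six columns, this order).
CSV_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

# Constructed sample tokens for this example: UPNs, serials and secrets are made up.
# The first secret is the RFC 6238 reference key ("12345678901234567890" in base32).
SAMPLE_TOKENS = [
    {"upn": "alice@example.com", "serial number": "SF-000101",
     "secret key": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "time interval": "30",
     "manufacturer": "ExampleVendor", "model": "ClassicOTP"},
    {"upn": "bob@example.com", "serial number": "SF-000102",
     "secret key": "JBSWY3DPEHPK3PXP", "time interval": "60",
     "manufacturer": "ExampleVendor", "model": "ClassicOTP"},
]


def _b32_to_bytes(secret: str) -> bytes:
    """Decode a base32 secret as vendors print it (tolerates spaces, lowercase, missing '=')."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm Entra hardware OATH tokens use."""
    mac = hmac.new(_b32_to_bytes(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `period`-second steps since the Unix epoch."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t // period), digits)


def build_token_csv(tokens: List[dict]) -> str:
    """Serialise token records into the upload CSV."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    w.writeheader()
    w.writerows(tokens)
    return buf.getvalue()


def validate_token_csv(text: str) -> List[dict]:
    """Check a CSV before upload: exact header, UPN-looking upn, 30/60 s step, base32 secret."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != CSV_HEADER:
        raise ValueError(f"header {reader.fieldnames} != {CSV_HEADER}")
    rows = []
    for lineno, row in enumerate(reader, start=2):
        if not row["upn"] or "@" not in row["upn"]:
            raise ValueError(f"line {lineno}: upn is not a UPN")
        if row["time interval"] not in ("30", "60"):
            raise ValueError(f"line {lineno}: time interval must be 30 or 60")
        if not row["secret key"]:
            raise ValueError(f"line {lineno}: secret key is empty")
        try:
            _b32_to_bytes(row["secret key"])
        except ValueError as e:  # binascii.Error is a ValueError subclass
            raise ValueError(f"line {lineno}: secret key is not base32") from e
        rows.append(row)
    return rows


def is_valid_token_csv(text: str) -> bool:
    try:
        validate_token_csv(text)
        return True
    except ValueError:
        return False


def token_code(row: dict, at: Optional[float] = None) -> str:
    """Code the physical token described by this CSV row should be showing at time `at`."""
    return totp(row["secret key"], at, period=int(row["time interval"]))


def secret_from_otpauth(uri: str) -> dict:
    """Extract the shared secret from an otpauth:// URI (what the MFA sign-up QR code encodes)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


if __name__ == "__main__":
    text = build_token_csv(SAMPLE_TOKENS)
    print(text)
    for row in validate_token_csv(text):
        print(row["serial number"], "should currently show", token_code(row))
```

The point of computing the code locally is the activation step: the portal asks for the code the token currently displays, and if the vendor CSV has the wrong secret or step size for that serial the activation simply fails, so comparing `token_code(row)` with the display before upload catches a mismatched pairing early. The otpauth parser covers the other route in the thread: the secret it returns is the same value shown behind Microsoft's "I can't scan the bar code" link, and feeding it to `totp()` reproduces what a desktop password manager would generate.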
- MadRegime (Copper Contributor): According to Token2 it must be possible to set up a FIDO2 key without any other MFA (except a TAP), but for me still no luck. Does anyone already have a proper solution? Microsoft Support cannot solve it either...
https://www.token2.com/site/page/office-365-protecting-user-accounts-with-fido2-keys-without-mfa?azure
- it-lett (Copper Contributor): Perhaps you could first set up an account using your cell phone, then add the FIDO2 key, then remove your cell phone?
In any case, this has inspired me to start setting up TOTP for all our new accounts. For new hires, I have been setting up a KeePass file for them with all their business passwords and other info (server accounts, MS account info, etc.) which can be read by a variety of software on various platforms (KeePassXC, Strongbox on macOS and iOS, Keepass2Android on Android, etc.), and each of these platforms can also generate TOTP codes when given the appropriate "shared secret". I think for the new hires I will get that info into their file right from the get-go, and they can use it for MFA in addition to or instead of the other methods available to them.
- MadRegime (Copper Contributor): Eventually I have managed to get it working: have the user set up a FIDO2 key with only the TAP/OTP as MFA method. The user can log in with that TAP and register the FIDO2 key after that.
- Jeff_Birks (Copper Contributor): This is a common problem. If you are not able to use hardware tokens, then I strongly suggest considering programmable hardware tokens.