Forum Discussion

luvsql's avatar
luvsql
Steel Contributor
Mar 09, 2021

MFA without a Cellphone

This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.

 

We supply these users with a Business Voice license so they can make business calls and accept business calls.

 

All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.

 

Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.

So what do we do?  Leave all these accounts vulnerable?  I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.  

 

We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.  

  • Westbrook215's avatar
    Westbrook215
    Copper Contributor
    Have you found a solution yet? I thought we could use SafeID OATH TOTP hardware tokens but in the MFA settings in Azure, when you select the method of notification 'hardware token' is combine with authenticator app. so you're still stuck with expecting users to have a smartphone whether it's their personal or work. Like you, we have users that do not have company smartphones and can't rely on their personal phones to authenticate.
    • luvsql's avatar
      luvsql
      Steel Contributor
      I bought a Yubikey 5 USB-C but have not had a chance yet to test it out. Hoping it works. It's expensive ($65 in Canada) but still cheaper than a cellphone plan.
      • Westbrook215's avatar
        Westbrook215
        Copper Contributor
        Deepnet Security SafeID classic token I was able to get a quote from them today. About $16 USD. I found a virtual token tool (https://www.token2.com/site/page/totp-toolset) to test with Azure and it works well. No need to go into the users MFA security information profile to configure anything, once you upload the CSV file and activate you're good to go.
  • Susan Alexander's avatar
    Susan Alexander
    Copper Contributor

    luvsql  Did you find a resolution?  We are in the exact same situation.  For a variety of reasons, telling employees that they MUST use their personal phones is going to create enormous issues and perhaps legal ones too (not sure of it in the US).  What if one forgets their smart phone one day?  They can't get to their business email all day long?  What if users have a work supplied smartphone but it is shared - can they still each use it for MFA?  As another poster mentioned, many of our users can't use their smartphones at work because of the way the building is constructed - no signal.  Our police officers are going to be out in their vehicles when accessing email - there is no way other than forcing to use their personal phones?  We have one phone number for the entire organization for land lines, we each have an extension from then on, is there a desk phone option that would work in that scenario?  Other posters have mentioned that in some countries, it is illegal to force employees to use their personal phones for business reasons.  Why didn't MS think this through?  Think about the REAL world?

     

    If anyone has heard anything from MS or has a valid solution without using third party options, we'd LOVE to hear from you!

    • luvsql's avatar
      luvsql
      Steel Contributor
      No solution. I tried a couple key solutions that didn't work and they are so small one was lost immediately and $50-$75 to replace. We've settled on using text on personal phones since it doesn't require an app to be installed and for some of our users that have a Teams Business Voice license, using their Teams number to authenticate. However, Teams may stop working if can't authenticate then the number stops working.

      If there is no cell signal then they could authenticate with wifi but that would require them to install the app so that's fine for our Employees we supply a phone to.

      Microsoft needs to start selling keys so we know they're legit and easy to use that we can purchase along with our licenses. They are way too complex and some aren't certified.
  • Danny69's avatar
    Danny69
    Brass Contributor
    I have found a workaround. If you register one of the primary methods (sms/call/app) then add a FIDO key, you can remove the primary method, leaving the FIDO key as the only method. Not ideal but it works...
  • Danny69's avatar
    Danny69
    Brass Contributor
    Software token = MS authenticator or equivalent mobile app
    • PJAngert005's avatar
      PJAngert005
      Copper Contributor

      Danny69 Except that both come back to being tied to a mobile device versus other software authentication, which defeats the point of the conversation.

    • sathiyatam26's avatar
      sathiyatam26
      Copper Contributor
      looking for 3rd party authenticator app, it should not open source
      Except MS authenticator because users are not allowing to user mobile phone
      • Thinker1800's avatar
        Thinker1800
        Copper Contributor

        sathiyatam26  luvsql 
        Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.

  • PJAngert005's avatar
    PJAngert005
    Copper Contributor

    I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk really.

  • it-lett's avatar
    it-lett
    Copper Contributor

    For at least some setups, it is possible to use a computer based OTP TOTP/otpauth based authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the Authentication App of your choice, and it will also have a "I can't scan the bar code" link that will lead to the "shared secret" that you need.

     

    For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval university: https://www4.fsa.ulaval.ca/en/current-students/apti-help-desk/how-tos-tips/multifactor-authentication-mfa/#Adding-anothervalidationmethodwithOTPManager

     

    Additionally, many password manager programs (such as KeepassXC have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeepassXC:

     

    https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry

     

    I am using these methods to do MFA on two of my different Microsoft 365 accounts - one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOPT codes.

     

     

     

     

    • it-lett's avatar
      it-lett
      Copper Contributor
      Perhaps you could first set up an account using your cell phone, then add the FIDO2 key, then remove your cell phone?

      In any case this has inspired me to start setting up TOTP for all our new accounts. For new hires, I have been setting up a Keepass file for them with all their business password and other info (server accounts, MS account info, etc.) which can be read by a variety of software on various platforms (KeepassXC, Strongbox on macOS and iOS, Keepass2Android on Android, etc.) and each of these platforms can also generate TOTP keys when given the appropriate "shared secret". I think for the new hires I will get that info into their file right from the get-go and they can use it for MFA in addition or instead of the other methods available to them.
      • MadRegime's avatar
        MadRegime
        Copper Contributor
        Eventually I have managed to get it working to have the user setup a FIDO2 key with only the TAP/OTP as MFA method. The user can login with that TAP and register the FIDO2 key after that.

Resources