Brent Ellis
Silver Contributor
Mar 21, 2018

Azure MFA (but dont always have a phone)?

We are working on deploying Azure MFA (cloud only).
An interesting scenario has come up with users that don't have mobile phones. While the scenario is rare, what is a user to do if (1) they don't have a mobile phone and (2) they are not in a trusted IP location?
Same thing could apply if the user forgot their phone at home and was at a customer site, etc. 
Does basic Azure MFA have any extra work around at this point in time?

  • office
    Copper Contributor

    Hi Brent,

    For users not having (or not willing to use their own) mobile phones, the solution is to use hardware tokens. MFA Server on-prem allows the use of standard OATH TOTP tokens; however, with Cloud MFA the only solution is programmable tokens.
    Regards,

    Guy
    Disclaimer: I am affiliated with Token2


  • Two things - it doesn't have to be a mobile phone - it could be any predefined phone such as a landline.
    I have customers where the 1st MFA phone is a user's mobile, but the backup is the "Secretary" administrative assistant person.

    The protocol is: UserX calls the AA and gives a heads up that he (the AA) will be getting a phone call from MSFT auth. The AA puts UserX on hold and checks with UserX's boss or UserX's calendar to confirm that they are offsite, and also tries to call UserX to confirm no answer.
    Then the AA tells UserX to go ahead and trigger Auth.
    Cumbersome - but it provides some level of identification / anti-spoofing verification.


    The business could also look into providing a non-smart phone with a text only plan (aka pager). 
    There is also this for the "I forgot my phone at home" : https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#one-time-bypass
    • VasilMichev
      MVP

      The bypass is server-only, read the description:

      Allow a user to authenticate without performing two-step verification for a limited time. The bypass goes into effect immediately, and expires after the specified number of seconds. This feature only applies to MFA Server deployment.
      • Dustin_Halvorson
        Steel Contributor

        Why is bypass for on-prem only? It seems like the cloud MFA admin capabilities are very limited.

  • You can configure an alternative phone, but apart from that, no. The On-Prem version has a bypass option and alternative method via security questions, this is not yet available for Azure MFA (but I believe it's coming).

    • Brent Ellis
      Silver Contributor
      Hope so, thanks.

      I don't suppose services like Azure MFA post a roadmap like other O365 services; I've yet to find one, at least.
      • VasilMichev
        MVP

        Haven't seen any roadmap either, just the occasional hint for a new feature...