Forum Discussion
Brent Ellis
Mar 21, 2018, Silver Contributor
Azure MFA (but dont always have a phone)?
We are working on deploying Azure MFA (cloud only).
An interesting scenario has come up with users that don't have mobile phones. While the scenario rare, what is a user to do if (1) they don'...
Neil Goldstein
Mar 22, 2018, Iron Contributor
Two things - it doesn't have to be a mobile phone - it could be any predefined phone such as a landline.
I have customers where the 1st MFA phone is a users mobile, but the backup is the "Secretary" administrative assistant person.
The protocol is: UserX calls the AA and gives a heads-up that he (the AA) will be getting a phone call from MSFT auth. The AA puts UserX on hold and checks with UserX's boss or UserX's calendar to confirm that UserX is offsite, and also tries to call UserX to confirm no answer.
Then the AA tells UserX to go ahead and trigger Auth.
Cumbersome - but provides some level of identification / anti-spoofing verification.
The business could also look into providing a non-smart phone with a text only plan (aka pager).
There is also this for the "I forgot my phone at home" : https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#one-time-bypass
- VasilMichev, Mar 23, 2018, MVP
The bypass is server-only, read the description:
"Allow a user to authenticate without performing two-step verification for a limited time. The bypass goes into effect immediately, and expires after the specified number of seconds. This feature only applies to MFA Server deployment."
- Dustin_Halvorson, Apr 13, 2018, Steel Contributor
Why is bypass for on-prem only? It seems like the cloud MFA admin capabilities are very limited.
- VasilMichev, Apr 14, 2018, MVP
That's a question you should be asking Microsoft :)