Forum Discussion
Hardware tokens with modern authentication office 365
We are enabling Modern Authentication for our Office 365 users. Some of our users do not have a company cell phones and they do not want to use their personal cellphones.
Can we use hardware tokens for MFA if we do not have Azure MFA P1?
Hardware tokens is a verification option for MFA
Any idea how to set this up?
thank you
- Cian AllnerSilver Contributor
Hi, yes there is support for OATH hardware tokens but it does require extra licencing - OATH hardware tokens (public preview), with the announcement here - Hardware OATH tokens in Azure MFA in the cloud are now available (requires Azure AD Premium P1 or P2 license):
"We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!"
Separately, there is support also for security keys for Azure AD with passwordless authentication, which is in preview but their use is rather limited at the moment.
"FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor."
You can see more here including the supported scenarios - Passwordless authentication options as well as the announcement - Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in. Haven't seen confirmation of this but this would probably require Azure AD Premium P1.
To be fair it would be just easier to get staff to use the Authenticator app, I understand the resistance after recently onboarding 600 users, I encountered something similar but usually, after explaining to staff, it wasn't an issue with using their personal device.
- Jeffery BirksCopper Contributor
Cian AllnerHardware oath tokens can indeed be used for Azure MFA in the cloud, but I did notice the link on the article for Deepnet Security points to the home page and you need to fish around before you find the correct page that specifically provides hardware tokens for office 365 and Azure MFA (see link) which lists the tokens that are available for users with Azure AD premium P1 or P1 licenses. If your users do not have a P1 or P2 license then they will need to use programmable tokens (such as Deepnet's SafeID/Diamond or the reprogrammable tokens from Token2).
Fido keys are also an option as you mention, but this option is more expensive.
Authenticator apps are indeed an alternative, but there are advantages to having self-contained devices that are independent of a users mobile phone.