MFA without a Cellphone

Steel Contributor

This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.


We supply these users with a Business Voice license so they can make business calls and accept business calls.


All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.


Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.

So what do we do?  Leave all these accounts vulnerable?  I've read about using "landlines" for authentication, then Microsoft says that's not secure but provides no guidance on exactly how we're supposed to do this.


We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.  

I guess there is an option to receive the code by "TEXT" or at another "email address".
How do you receive a text without a cellphone? We cannot force our Employees to use a personal cellphone number to receive codes. There is no way to authenticate MFA to email.
How does setting up a secondary email account for password resets relate to MFA? Our issue is as soon as you enable MFA on an account, you only have 2 options: Authenticator App or Mobile Phone number. You cannot enter an email address during the setup.
How about a voice call?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
=========================================
Available verification methods
When a user signs in to an application or service and receives an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these Azure AD Multi-Factor Authentication verification methods, or the user can access their own My Profile to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

Microsoft Authenticator app
OATH Hardware token
SMS
Voice call
We're not seeing the option for a voice call. Also, if we did have this option and we use the user's Teams phone number as the voice call (since there is no cellphone and there is no office line as that is also Teams Auto Attendant), what happens when Teams needs to reauthenticate? Will the incoming call still work when the app won't launch because it needs to be reauthenticated?

Neither we nor most people anymore have an office line with a receptionist that can answer.
Agree with MG! It seems there is a huge oversight (or perhaps undersight) by Microsoft on this. Recently, I've even had MFA options that are indeed set up on my account not even get presented as an option. This is super frustrating and I think it's going to drive people away from using MFA. It's like the old joke "User: I cannot log into my email, my password is bad. Support: Check your email for the new password."
You could consider using hardware tokens for MFA, this feature is currently in Preview: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-oath-t...

You could purchase and distribute those tokens to your users, so they don't need to use a mobile phone. They use the token instead.
We've looked into this as well but cannot find a vendor in Canada or US that fully supports it.
I'm not sure why you can't have users use personal devices for auth - most companies I deal with do exactly that.

What if you give users the option - Use your personal device for the authenticator app (even for work email maybe?) or the company provides a phone that is ONLY for work and they'd have to have that with them. Given the option, I think most would opt for using their personal device rather than carry an additional device and the problem would be resolved.
We can't force our employees to use their own personal device for work purposes. That is just not allowed or enforceable (at least it's not in Canada for privacy concerns).

We should also not have to provide a corporate phone to a user that will solely be used to authenticate (which may be only once every 60 days) when we already pay for their AD license with Office. Even the cheapest plans require contracts and hundreds of dollars a year to maintain just for 1 Employee.

@luvsql 


That's why I suggested giving the option.  I would think it would be ok for someone to opt to use their own phone?  If so, then giving them a choice I would think the majority would opt to use their own?  

We have the same problem here in Germany. Employees can't be forced to use their personal devices for MFA.


FIDO2 sticks could be a possible solution to this problem. They are a lot cheaper than a smartphone.

Have you considered Hybrid Azure AD joining the users' computers and then creating a conditional access policy that disables MFA for logins from a hybrid joined device? The logic is that the hybrid joined device is a second factor in the login process.

I don't see that as a valid option. Yes, people can use hybrid AD so the device you are on is a trusted device on a trusted IP, so it wouldn't require MFA while on premises. However, you still want MFA to be registered so that would-be attackers outside are not able to register your MFA instead. You still need the end user to be able to register the MFA so others cannot. @Travis Roberts

@Matthew Shulman sorry, but on my private phone I don't install anything that belongs to my job. PRIVATE is PRIVATE


@ho_canarias Well, with MFA you aren't installing anything... All it's doing is sending a code to your phone when you go to log in to your work email. It's a standard security feature in many apps these days.

No nothing is installed, however, you are now using a personal phone's SMS package for business use and also setting up an Employee's personal cellphone number on the employee's setup. We cannot legally require an Employee to use their personal cellphone for business use. Add into this issue the Employee travels outside of their home country and if those texts start happening, we (the business) may now be liable to pay for those charges. It's a big mess that many companies do not want to even get involved with.