MFA without a Cellphone

Steel Contributor

This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.

 

We supply these users with a Business Voice license so they can make business calls and accept business calls.

 

All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.

 

Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.

So what do we do?  Leave all these accounts vulnerable?  I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.  

 

We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.  

100 Replies
I guess there is option to receive code in "TEXT" or in another "email address".
How do you receive a text without a cellphone? We cannot force our Employees to use a personal cellphone number to receive codes. There is no way to authenticate MFA to email.
How does setting up a secondary email account for password resets relate to MFA? Our issue is as soon as you enable MFA on an account, you only have 2 options: Authenticator App or Mobile Phone number. You cannot enter an email address during the setup.
How about to voice call ?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
=========================================
Available verification methods
When a user signs in to an application or service and receive an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these Azure AD Multi-Factor Authentication verification methods, or the user can access their own My Profile to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

Microsoft Authenticator app
OATH Hardware token
SMS
Voice call
We're not seeing the option for a voice call. Also, if we did have this option and we use the user's Teams phone number as the voice call (since there is no cellphone and there is no office line as that is also Teams Auto Attendant), what happens when Teams needs to reauthenticate? Will the incoming call still work when the app won't launch because it needs to be reauthenticated?

We, nor most people anymore, have an office line with a receptionist that can answer.
Agree with MG! It seems there is a huge oversight (or perhaps undersight) by Microsoft on this. Recently, I've even had MFA options that are indeed set up on my account not even get presented as an option. This is super frustrating and I think it's going to drive people away from using MFA. It's like the old joke "User: I cannot log into my email, my password is bad. Support: Check your email for the new password."
You could consider using hardware tokens for MFA, this feature is currently in Preview: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-oath-t...

You could purchase and distribute those tokens to your users, so they don't need to use a mobile phone. They use the token instead.
We've looked into this as well but cannot find a vendor in Canada or US that fully supports it.
I'm not sure why you can't have users use personal devices for auth - most companies I deal with do exactly that.

What if you give users the option - Use your personal device for the authenticator app (even for work email maybe?) or the company provides a phone that is ONLY for work and they'd have to have that with them. Given the option, I think most would opt for using their personal device rather then carry an additional device and the problem would be resolved.
We can't force our employees to use their own personal device for work purposes. That is just not allowed or enforceable (at least it's not in Canada for privacy concerns).

We should also not have to provide a corporate phone to a user that will solely be used to authenticate (which may be only once every 60 days) when we already pay for their AD license with Office. Even the cheapest plans require contracts and hundred of dollars a year to maintain just for 1 Employee.

@luvsql 

 

That's why I suggested giving the option.  I would think it would be ok for someone to opt to use their own phone?  If so, then giving them a choice I would think the majority would opt to use their own?  

We have the same problem here in germany. Employees couldn't be foreced to use their personal devices for MFA.

 

FIDO2 Sticks could be a possibile solution this problem. They are a lot cheaper than a smartphone.

Have you considered Hybrid Azure AD Join the user’s computers and then create a conditional access policy that disables MFA for log ins from a hybrid joined device? The logic is, the hybrid joined device is a second factor in the log in process.

I dont see that as a valid option. Yes people can use hybrid AD so the device you are on is a trusted device on a trusted IP so it wouldn't require the MFA while on premise. However you still want MFA to be registered so that would-be attackers outside are not able to register your MFA instead. You still need the end user to be able to register the MFA so others cannot. @Travis Roberts 

@Matthew Shulmansorry, but on my private phone I don´t install any that belongs to my job. PRIVATE is PRIVATE

 

@ho_canarias Well, with MFA you aren't installing anything... All it's doing is sending a code to your phone when you go to log in to your work email. It's a standard security feature in many apps these days.


No nothing is installed, however, you are now using a personal phone's SMS package for business use and also setting up an Employee's personal cellphone number on the employee's setup. We cannot legally require an Employee to use their personal cellphone for business use. Add into this issue the Employee travels outside of their home country and if those texts start happening, we (the business) may now be liable to pay for those charges. It's a big mess that many companies do not want to even get involved with.