Forum Discussion
MFA without a Cellphone
You could purchase and distribute those tokens to your users, so they don't need to use a mobile phone. They use the token instead.
- Jeff_Birks | Jul 24, 2024 | Copper Contributor
Unfortunately there are not a lot of workable alternatives to using a mobile. There are desktop apps that can be used (similar to Google Authenticator), and FIDO keys can also be considered (but this is a more expensive option and still has limited application).
- JoshARI | Jul 24, 2024 | Copper Contributor
Thanks for the response. Don't see how tokens will work for us, and would have to convince a small business owner to buy them. Don't even see that as an option under our 365 MFA setup, or an option that can be added, but I'm no expert so I'll take your word for it. Long story short, one solution to fit all scenarios won't work for us; we have multiple MFA logins, within our own network, within our clients' networks. With multiple different MFA apps, sometimes VPN involved, sometimes not. Sure, when we're the admins and can control the access, tokens might work, but most times we're not, and we're at the mercy of our clients, who are typically much larger than we are and most likely provide their employees with secured company phones. It's a problem that there seems to be no easy solution for, and it is driving our employees crazy. And when you can't have mobile phones on the production floor due to PCI and SSAE compliance, and/or you're expecting your employees to use personal assets to perform a job function, it's problematic; IT folks find themselves in between now. Right now the 'alt or desk phone' method works for us, though it does seem to get wonky over time and needs a reset now and then, but we're just waiting for that to go away. We also have one client that uses Cisco Duo and there seems no way around that without using the mobile app and having a mobile number. To me, not a whole lot of practical, real-world thought went into MFA. Probably shocking, but nearly 40% of Americans don't have a mobile phone, and/or share a number/phone with some other family member.
- Jeff_Birks | Jul 24, 2024 | Copper Contributor
There are plenty of hardware tokens available that are compatible with Microsoft - e.g. https://deepnetsecurity.com/authenticators/one-time-password/safeid/hardware-mfa-tokens-office-365-azure-multi-factor-authentication/
You will need to ensure that they are TOTP tokens (either 30 or 60 seconds), that you upload the seed data to Microsoft (including UPN details), and activate the tokens.
- JoshARI | Apr 23, 2024 | Copper Contributor
Not the same. I can leave my phone at home every day, or pretend I don't have one; you can't force it as a company. I think you're just looking for the easy way out. 50% of Americans don't have a mobile phone.
- JoshARI | Apr 23, 2024 | Copper Contributor
That puts the responsibility on the employee to have a mobile phone, to pay for one, to have a data plan, to not forget it every day, to have it functioning and not broken or lost or not charged. What then? This is the problem today: companies want this or that, but don't want to pay for it. 50% of Americans still don't have or use a mobile phone.
- OogieMeenan | Feb 07, 2024 | Copper Contributor
Interesting idea, but not available to ourselves as a chemical plant where phones and other devices that don't meet regulations cannot be taken, so they are stuck in certain parts of the plant where authentication fails them. Surely there has to be something simple with a MIFARE reader that would then code/encrypt the details so once the card is read it authenticates with its own date, time and the device it's attached to.
- Leapfrog_1-3 | Dec 18, 2023 | Brass Contributor
Microsoft already had been sending me the text message code (we were mandated to do that when we were not allowed to come in during the Covid lockdowns), but in addition to the password and my personal cell phone to be sent a code, they are telling us we need to link a personal email account, for I do not know what reason, because I do not check my work email from my phone, only from the work laptop. That is where I draw the line.
They overstepped with this additional invasion of privacy with this demand so I now refuse to work from home and I refuse to check my email to keep up on work when I am off or away from the office. In the end it is their loss, not mine. I donate much less time to the company now.
- tfrain | Dec 15, 2023 | Copper Contributor
The whole goal of this is confirming you are you through something you are (biometric), something you have (a phone or RSA type card), or something you know (unique information only you have knowledge of). Unfortunately, the "something you know" is already taken up by your password. So if you have ANOTHER password, it would just be a duplicate of the same FACTOR - something you know - like a secondary password. Hence the problem. I absolutely hate having to deal with it, but I do understand the reason for it.
- Leapfrog_1-3 | Dec 15, 2023 | Brass Contributor
The point is, private is private & work is work. Don't force an employee to link the technologies. With all this hoopla I am starting to wonder why a software company is trying to force this issue by not simply leaving things with passwords and question/answer.
- Leapfrog_1-3 | Dec 15, 2023 | Brass Contributor
The option should be password and question driven with no need for a secondary device (private phone) or non-work email address (again, private).
Private phones and private email addresses should remain private.
Linking work and private technologies in this way could mean employees are giving consent to access personal information through implicit consent of the link.
- tfrain | Oct 09, 2023 | Copper Contributor
webapt - go to Amazon and look for -
Token2 miniOTP-2-i programmable Two-Factor Security Token with time sync
These worked great for us. Super easy. You just have to get the Token2 NFC burner app on your phone. It basically reflashes the card to behave as an authenticator app.
- webapt | Oct 09, 2023 | Copper Contributor
Do you have a link for the Token2 token card you suggest trying?
- tfrain | Jun 20, 2023 | Copper Contributor
acjohns1986 Seriously, buy one of the Token2 token cards on Amazon and give that a try. It worked great for us. It's like $40 and if it doesn't work you aren't out that much, but I'm pretty sure it will work. That was our workaround for this type of situation.
- acjohns1986 | Jun 20, 2023 | Copper Contributor
Well, with the recent update I even have employees that have a smartphone but it's not quite up to date enough to download the app, so they are also just out of luck? The fact that we purchased software, and this was rolled out after, is a joke.
- Christine Lee | Jun 16, 2023 | Copper Contributor
luvsql Plus not all employees have cell phones - some choose not to [by necessity or preference]. Also there is the issue of people leaving and trying to get access to accounts - that has been a headache - even with resetting accounts - especially on non-MS apps used by the company that are shared log-in but only able to have the one MFA.
- Des_Shiels | Nov 11, 2022 | Copper Contributor
cpbowcpbow The Authenticator app doesn't require or need any form of network connection if you select the OTP (Code method). Once registered to the user account - it constantly generates codes every 30 seconds or so based on an algorithm or seed which was linked with Azure at time of registration. So when a webpage displays "Enter the Code from your Authenticator" type message - it already knows what the correct code should be - and if you type in the correct code shown in the app - then you get access. The App itself doesn't need to transmit that code to Azure.
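An added example, not part of any post in this thread: a minimal RFC 6238 TOTP sketch in Python showing what the post above describes. The token and the server each derive the code from the shared seed and their own clock, with nothing transmitted. It also shows why the 30- or 60-second interval mentioned earlier in the thread has to match on both sides. The seed is the public RFC test seed and the function names are illustrative.

```python
import base64, hashlib, hmac, struct

# Constructed sample: the public RFC 4226/6238 test seed, base32-encoded the way
# token seeds are usually exchanged. Never use it for a real account.
SEED = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(seed, int(unix_time) // step, digits)

def verify(seed, submitted, unix_time, step=30, digits=6, drift_steps=1):
    """Server side: recompute locally, tolerate +/- drift_steps of clock skew."""
    counter = int(unix_time) // step
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        if counter + delta < 0:
            continue
        expected = hotp(seed, counter + delta, digits)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

def demo():
    now = 240  # constructed timestamp so the result is reproducible
    code_60s_token = totp(SEED, now, step=60)  # what a 60-second fob displays
    return {
        "accepted_with_matching_interval": verify(SEED, code_60s_token, now, step=60),
        "accepted_with_wrong_interval": verify(SEED, code_60s_token, now, step=30),
    }

if __name__ == "__main__":
    print(demo())
```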
- PJAngert005 | Oct 12, 2022 | Copper Contributor
MatthewShulman Absolutely not - I want absolutely nothing for my workplace on my personal device. I had the option to use my personal device for work, and I declined. My personal life and work are completely separate and should remain such.
- SSS696 | Sep 29, 2022 | Copper Contributor
We can certainly assist you with concerned problem.
Please write to me @ email address removed for privacy reasons
- luvsql | Sep 28, 2022 | Steel Contributor
cpbowcpbow Yes the app will work with just wifi.
- cpbowcpbow | Sep 28, 2022 | Copper Contributor
I have a question: I currently have a cell phone (but no phone number); hence for the moment, I have only WiFi access (at home, work, or elsewhere). If I put the auth app on my phone, would my company's MS mail server be able to send a code to the app if I was on WiFi? I have read a bit here on the MS site, and I haven't seen this discussed.
- cpbowcpbow | Sep 28, 2022 | Copper Contributor
Until just a couple months ago, I had a T-Mobile account that gave me 100 texts, after which it was 10 US cents/text; my impression was that this was to send OR receive. I text rather rarely and it was an unusual month that I sent or received > 20 texts. However, if I had to receive an MFA text, possibly even more than once per day, I'd be over the free allotment. It wouldn't be that much, but not negligible, either. I expect my next plan to have unlimited texting, but a company should not assume this. While I am waffling on cell phone carrier, I've been unable to access my company's email for almost 2 weeks. (They dropped the receive-call-at-land-line option, because they found it to be unreliable.) I work in a lab and can get by without constant email access, but at least once I didn't know of a data need as quickly as I should have. Companies need to consider whether everyone has (free) access to texts.
- MYOVB | Sep 23, 2022 | Copper Contributor
I object and resent being forced to use MFA that only allows for a telephone or a cell phone. It's obnoxious, and not hack-proof. Banks in particular want access to everyone's personal devices, and I just fired a bank for that very reason. No one likes being bullied by giant, greedy corporate entities. There are 3 levels of security to access my account online, and was still forced to waste my time with their MFA BS. bye bye bullies. Personally, the entire banking system should be EMP'd so the world can reset what is of value, and what isn't.
- pleasechangeyourusername14 | Aug 12, 2022 | Copper Contributor
luvsql Not to mention that on top of that half the office I support they don't receive mobile signal anyway - work or personal mobile phone won't work
- luvsql | Nov 16, 2021 | Steel Contributor
If Microsoft would make it easier for businesses to buy USB or Fobs for MFA we wouldn't be having this conversation. I still haven't figured it out and it now seems we have to switch to passwordless, but just want a way to authenticate without a phone. Clearly there is a need.
- Vicks1x365 | Nov 16, 2021 | Copper Contributor
Agree it's not reasonable for business to force any employee to meet business goals.
But do these employees / associates never use business resources (internet / PC etc.) for personal use?