MFA without a Cellphone

Steel Contributor

This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.

 

We supply these users with a Business Voice license so they can make business calls and accept business calls.

 

All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.

 

Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.

So what do we do?  Leave all these accounts vulnerable?  I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.  

 

We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.  

93 Replies
Until MS pull their finger out there is no alternative to setting either a mobile call, sms message or an authenticator app. I'm not sure what MS are waiting for?
FIDO Key is more secure than any other method and yet it is not a valid method. It doesn't make sense.
I have researched this pretty extensively for a customer and here are the challenges we have to overcome:
1. Customer does not want AD FS, so we chose to go with Pass-Through Authentication as an alternative.
2. They have a stand-alone CA, bad practice, but it is what we are working with
3. Moving to a pure cloud infrastructure, Azure IaaS, Azure AD with Synchronized Identities
4. Wants to have MFA at the device level and for M365 Services

Here are a couple options I presented to the customer:
First, I presented Cloud Trust Setup for Windows Hello for Business (WHfB). https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri...
This would allow the customer to deploy FIDO2 Keys like Yubikey to the employees, but would still require the initial setup of MFA in Azure AD (MS Authenticator App, Text, etc...)

The second option is setup the environment to handle Yubikey deplpoyment, https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-..., but would require AD FS for authentication for M365 services. This is not too big of an issue for the customer because they require a connection to their network prior to login, so authentication hits the DCs. Mind you, most of the organization is remote, but would still cause the requirement to setup AD FS which the customer does not want.

Third option is the Key Trust model for Windows Hello for Business, https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybri..., similar to option two, but still need AD FS.

So, to conclude, the customer either needs to accept the deployment of AD FS in their environment which can enforce MFA with cert based authentication, OR Deploy the Cloud Trust Model which is still in preview, OR KeyTrust Model and still need people to register a device for text or MS Auth app.

Unfortunately I have not been able to find any other options, but hope this helps your situation.
I'm looking to use this: https://github.com/winauth/winauth for this exact issue. Might be your saving grace :)
In mysignins.microsoft.com, one can select "Office phone." When it calls, you can press the # key to sign in. This may depend on your AD settings.

@luvsql Not to mention that on top of that half the office I support they don't receive mobile signal anyway - work or personal mobile phone won't work

@Matthew Shulman 

 

I object and resent being forced to use MFA that only allows for a telephone or a cell phone.  It's obnoxious, and not hack-proof.  Banks in particular want access to everyone's personal devices, and I just fired a bank for that very reason.  No one likes being bullied by giant, greedy corporate entities.  There are 3 levels of security to access my account online, and was still forced to waste my time with their MFA BS.  bye bye bullies.  Personally, the entire banking system should be EMP'd so the world can reset what is of value, and what isn't.

Until just a couple months ago, I had a T-mobile account that gave me 100 texts, after which is was 10 US cents/text; my impression this was to send OR receive. I text rather rarely and it was an unusual month that I sent received > 20 texts. However, if I had to receive an MFA text, possibly even >once per day, I'd be over the free allotment. It wouldn't be that much, but not negligible, either. I expect my next plan to have unlimited texting, but a company should not assume this. While I am waffling on cell phone carrier, I've been unable to access my company's email for almost 2 weeks. (They dropped the receive call at land line option, because the found it to be unreliable.) I work in a lab and can get by without constant email access, but at least once I didn't know of a data need as quick as I should have. Companies need to consider whether everyone has (free) access to texts.

I have a question: I currently have a cell phone (but no phone number); hence for the moment, I have only WiFi access (at home, work, or elsewhere). If I put the auth app on my phone, would my company's MS mail server be able to send a code to the app if I was on WiFi? I have read a bit here on the MS site, and I haven't seen this discussed.

@cpbowcpbow Yes the app will work with just wifi.

We can certainly assist you with concerned problem.
Please write to me @ email address removed for privacy reasons

@luvsql  Did you find a resolution?  We are in the exact same situation.  For a variety of reasons, telling employees that they MUST use their personal phones is going to create enormous issues and perhaps legal ones too (not sure of it in the US).  What if one forgets their smart phone one day?  They can't get to their business email all day long?  What if users have a work supplied smartphone but it is shared - can they still each use it for MFA?  As another poster mentioned, many of our users can't use their smartphones at work because of the way the building is constructed - no signal.  Our police officers are going to be out in their vehicles when accessing email - there is no way other than forcing to use their personal phones?  We have one phone number for the entire organization for land lines, we each have an extension from then on, is there a desk phone option that would work in that scenario?  Other posters have mentioned that in some countries, it is illegal to force employees to use their personal phones for business reasons.  Why didn't MS think this through?  Think about the REAL world?

 

If anyone has heard anything from MS or has a valid solution without using third party options, we'd LOVE to hear from you!

No solution. I tried a couple key solutions that didn't work and they are so small one was lost immediately and $50-$75 to replace. We've settled on using text on personal phones since it doesn't require an app to be installed and for some of our users that have a Teams Business Voice license, using their Teams number to authenticate. However, Teams may stop working if can't authenticate then the number stops working.

If there is no cell signal then they could authenticate with wifi but that would require them to install the app so that's fine for our Employees we supply a phone to.

Microsoft needs to start selling keys so we know they're legit and easy to use that we can purchase along with our licenses. They are way too complex and some aren't certified.
:(
I saw this https://services.mnsu.edu/TDClient/30/Portal/KB/ArticleDet?ID=114
and wonder how to configure on the admin side to get the option for Office phone. It seems to have the option to enter an extension which is what we would need. That would take care of the majority of our users. Looking through MS documentation, I don't see anything regarding this Office phone option.

@Matthew Shulman Absolutely not - I want absolutely nothing for my workplace on my personal device. I had the option to use my personal device for work, and I declined. My personal life and work are completely separate and should remain such. 

I have found a workaround. If you register one of the primary methods (sms/call/app) then add a FIDO key, you can remove the primary method, leaving the FIDO key as the only method. Not ideal but it works...

In our workplace we are unable to phones on the shopfloor for security reasons. We have implemented 

OATH tokens

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-oath-...

 

We bought  

Feitian OTP C200 Readers

https://www.amazon.co.uk/Feitian-OTP-C200-Reader-H41/dp/B01MSRAVXQ/ref=sr_1_1?crid=1KFIAO7D0828C&key...

 

Here is a video of the process we followed for importing the token details (which were supplied by the vendor in a csv file. we just needed to add the UPN details for the appropriate user \ reader ) 

https://www.youtube.com/watch?v=dPMUFd5HqQQ

 

You then simply turn on MFA for the user like you would normally as an administrator 

 

When the user logs in, it will ask for the number off the token.

 

Solution works well and is surprisingly simple once you know how.  

 

 

 

 

@cpbowcpbow The Authenticator app doesn't require or need any form of network connection if you select the OTP (Code method). Once registered to the user account - it constantly generates codes every 30 seconds or so based on an algorithm or seed which was linked with Azure at time of registration. So when a webpage displays "Enter the Code from your Authenticator" type message - it already knows what the correct code should be - and if you type in the correct code shown in the app - then you get access. The App itself doesn't need to transmit that code to Azure.

For OATH authentication do we have software token method? @Vicks1x365 

Software token = MS authenticator or equivalent mobile app