MFA without a Cellphone


This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.

 

We supply these users with a Business Voice license so they can make business calls and accept business calls.

 

All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.

 

Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.

So what do we do?  Leave all these accounts vulnerable?  I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.  

 

We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.  

6 Replies
I guess there is an option to receive a code in "TEXT" or in another "email address".

How do you receive a text without a cellphone? We cannot force our Employees to use a personal cellphone number to receive codes. There is no way to authenticate MFA to email.

How does setting up a secondary email account for password resets relate to MFA? Our issue is as soon as you enable MFA on an account, you only have 2 options: Authenticator App or Mobile Phone number. You cannot enter an email address during the setup.

How about a voice call?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
=========================================
Available verification methods
When a user signs in to an application or service and receives an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these Azure AD Multi-Factor Authentication verification methods, or the user can access their own My Profile to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

Microsoft Authenticator app
OATH Hardware token
SMS
Voice call

We're not seeing the option for a voice call. Also, if we did have this option and we use the user's Teams phone number as the voice call (since there is no cellphone and there is no office line as that is also Teams Auto Attendant), what happens when Teams needs to reauthenticate? Will the incoming call still work when the app won't launch because it needs to be reauthenticated?

Neither we, nor most people anymore, have an office line with a receptionist that can answer.