Forum Discussion
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.
We supply these users with a Business Voice license so they can make business calls and accept business calls.
All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.
Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.
So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.
We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.
- StefanRedlin, Copper Contributor
We have the same problem here in Germany. Employees couldn't be forced to use their personal devices for MFA.
FIDO2 sticks could be a possible solution to this problem. They are a lot cheaper than a smartphone.
- TravisRoberts, Iron Contributor
This is an interesting topic. Previously, I didn't think twice about using a cell phone for MFA, but it makes sense that asking employees to use personal devices for work is not always acceptable. I created a couple of videos, one on MFA with an OATH token. This is an alternative to the Microsoft Authenticator app.
https://youtu.be/vG_NqiffqcI
I did another on FIDO2 keys for passwordless authentication.
https://youtu.be/XJwGvqUYEkg
I hope this is helpful,
-Travis
- luvsql, Steel Contributor
Awesome video, thank you. If a user needs to access their email or a SharePoint site on a tablet that does not have a USB connection, will they just connect the YubiKey to their work laptop and be shown the code so that they can type it in on the other device?
- TravisRoberts, Iron Contributor
The YubiKey is NFC capable, so if the device supports NFC, the Yubico Authenticator app on the device can get the code without USB.
- Danny69, Brass Contributor
Until MS pull their finger out, there is no alternative to setting up either a mobile call, an SMS message or an authenticator app. I'm not sure what MS are waiting for.
- Tom-irp, Brass Contributor
In mysignins.microsoft.com, one can select "Office phone." When it calls, you can press the # key to sign in. This may depend on your AD settings.
- Danny69, Brass Contributor
A FIDO key is more secure than any other method, and yet it is not a valid method. It doesn't make sense.
- Christopher Knoerzer, Copper Contributor
I have researched this pretty extensively for a customer, and here are the challenges we have to overcome:
1. Customer does not want AD FS, so we chose to go with Pass-Through Authentication as an alternative.
2. They have a stand-alone CA, bad practice, but it is what we are working with
3. Moving to a pure cloud infrastructure, Azure IaaS, Azure AD with Synchronized Identities
4. Wants to have MFA at the device level and for M365 Services
Here are a couple options I presented to the customer:
First, I presented Cloud Trust Setup for Windows Hello for Business (WHfB). https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust
This would allow the customer to deploy FIDO2 Keys like Yubikey to the employees, but would still require the initial setup of MFA in Azure AD (MS Authenticator App, Text, etc...)
The second option is to set up the environment to handle YubiKey deployment, https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication, but this would require AD FS for authentication to M365 services. This is not too big of an issue for the customer because they require a connection to their network prior to login, so authentication hits the DCs. Mind you, most of the organization is remote, but it would still cause the requirement to set up AD FS, which the customer does not want.
Third option is the Key Trust model for Windows Hello for Business, https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust, similar to option two, but still need AD FS.
So, to conclude, the customer either needs to accept the deployment of AD FS in their environment, which can enforce MFA with certificate-based authentication, or deploy the Cloud Trust model, which is still in preview, or the Key Trust model, which still needs people to register a device for text or the MS Authenticator app.
Unfortunately, I have not been able to find any other options, but I hope this helps your situation.
- Christopher Knoerzer, Copper Contributor
Here is a solution to this issue.
https://www.youtube.com/watch?v=OjfdFPIu2KI
- luvsql, Steel Contributor
Do we HAVE to go passwordless for this to work? We have to pre-set up all of our users and their PCs and apps, and we have to have a password for this to work.
- Jamie_Tees_APT, Copper Contributor
I'm looking to use this: https://github.com/winauth/winauth for this exact issue. Might be your saving grace 🙂
- saucyknave, Copper Contributor
We're an agricultural manufacturer in North Dakota, and I am the entire IT department here. I started getting these same warnings 5 days ago, so Security Defaults are going to be turned on in 10 days. I'm freaking out because we have people working here who don't even HAVE a cell phone, and sales reps in the US and Canada. I'm fine if Security Defaults automatically configures to NOT prompt for MFA for anyone on-site (on the local network), but what about my sales reps? By the way, one of my sales reps has an old-school "feature" phone (aka not a smartphone) and is one of the guys who hates new technology.
Something tells me I'm between a rock and a hard place: Either I deal with the ridiculous fallout of forced MFA, or I pay extra to enable Conditional Access and simply turn off MFA across the board. UGH.
- tfrain, Copper Contributor
I used a Token2 physical token (from a company in Switzerland) that essentially mimics a secondary auth app (like Google Authenticator). When prompted for 2FA, you select alternate authenticator, scan the QR code into their app, hold the token close to your cell phone, and it basically transfers the hash to the physical token. We did not have to upgrade our Azure accounts to P1 or P2 because, to Azure, you are using Google Authenticator and the like. Worked great for a user on the floor who didn't have a desk phone for office phone auth, and we don't allow cell phones on the production floor. Was quick and easy. You can Google Token2. There is at least one party who has them on Amazon.
Only issue is when the user is prompted, it tells them to put in their Auth App code. You just explain to them that it is asking for the number on the token, not something on their phone.
- louis2again, Copper Contributor
tfrain luvsql saucyknave Kidd_Ip it-lett why has no one suggested Authy? Works like a charm for me.
- pherget, Copper Contributor
A viable option would be to use the TOTP Authenticator from REINER SCT.
It's a simple device with a low-res camera and a TOTP generator. You scan the QR-Code once and then it can create a one-time-password every 30 seconds.
It kinda emulates a smartphone. Unlike WinAuth, which probably runs on the same PC as the Office 365 apps, it is a real second factor. It can store 60 accounts. It has no USB interface for the PC, and power is supplied via three micro (AAA) 1.5 V alkaline batteries.
- Vicks1x365, Copper Contributor
I guess there is an option to receive the code in "TEXT" or at another "email address".
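The hardware TOTP tokens tfrain and pherget describe above work because the token and the identity provider share one secret taken from the enrolment QR code, and both derive the 30-second code from that secret and the current time (RFC 6238), so the token needs neither a network nor a phone. The following Python is an added example, not code from any poster or vendor: it parses the otpauth URI a QR code carries, generates the code the way the token does, and adds the server-side check that tolerates one step of clock drift. The secret is the RFC 6238 test vector and the URI is constructed; the "Contoso" issuer and account are placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri: str) -> dict:
    """Read the parameters a hardware token takes from the enrolment QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # URIs usually omit base32 padding
    return {
        "secret": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the Unix epoch."""
    return hotp(secret, at // period, digits)


def verify_totp(secret: bytes, code: str, at: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps so a
    battery token whose clock has drifted still validates; compare in constant time."""
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), code)
               for d in range(-window, window + 1) if step + d >= 0)


if __name__ == "__main__":
    # Constructed enrolment URI carrying the RFC 6238 test secret; issuer and account are placeholders.
    uri = ("otpauth://totp/Contoso:alice%40contoso.example"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Contoso")
    params = parse_otpauth(uri)
    print(totp(params["secret"], 59, params["period"], params["digits"]))  # 287082
```

Whatever holds `secret` can produce the code, which is pherget's point about WinAuth: a generator on the same PC as the signed-in session shares that device with the password, while a separate token keeps the secret off it.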
- luvsql, Steel Contributor
How do you receive a text without a cellphone? We cannot force our employees to use a personal cellphone number to receive codes. There is no way to authenticate MFA to email.
- Vicks1x365, Copper Contributor
- Leapfrog_1-3, Brass Contributor
That option also forces the employee to provide either their personal cell phone or their personal email address.
- TravisRoberts, Iron Contributor
Have you considered Hybrid Azure AD Join for the users' computers and then creating a conditional access policy that disables MFA for logins from a hybrid joined device? The logic is, the hybrid joined device is a second factor in the login process.
- Chet2142, Copper Contributor
I don't see that as a valid option. Yes, people can use hybrid AD join so the device you are on is a trusted device on a trusted IP, so it wouldn't require MFA while on premises. However, you still want MFA to be registered so that would-be attackers outside are not able to register your MFA instead. You still need the end user to be able to register the MFA so others cannot. TravisRoberts