MFA without a Cellphone

This is becoming a bigger and bigger issue. We cannot, as a company, require our employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.

We supply these users with a Business Voice license so they can make and accept business calls.

All of our employees have corporately paid laptops running Windows 10, and all have SharePoint, Email, OneDrive, Teams etc.

Microsoft does not offer the Authenticator app on Windows 10, so we can't use that method.

So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication, then Microsoft says that's not secure, but then provides no guidance on exactly how we're supposed to do this.

We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.

100 Replies

@Danny69 Except that both come back to being tied to a mobile device versus other software authentication, which defeats the point of the conversation.

Looking for a 3rd-party authenticator app; it should not be open source.
Except MS Authenticator, because users are not allowed to use a mobile phone.

@sathiyatam26  @luvsql 
Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.

I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk really.

@PJAngert005

Yes, there is a way.

You can have Windows devices enrolled to Intune (MEM) and use OTP (One-time Password) and FIDO2 Keys. Just recently started down this path with a customer.

 https://www.youtube.com/watch?v=OjfdFPIu2KI

I used passwordless sign-in to get my work computer set up on my first day on the job. In this video I cover the user experience of how to register a FIDO2 Security Key on a personal computer (Mac) and set up a Windows 11 computer using that key without a password. I also show you how to set this up in Azure.
Here is a solution to this issue.
https://www.youtube.com/watch?v=OjfdFPIu2KI
Do we HAVE to go passwordless for this to work? We have to pre-setup all of our users and their PCs and apps and have to have a password for this to work.

For at least some setups, it is possible to use a computer-based OTP (TOTP/otpauth-based) authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the authentication app of your choice, and it will also have an "I can't scan the bar code" link that will lead to the "shared secret" that you need.

For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval university: https://www4.fsa.ulaval.ca/en/current-students/apti-help-desk/how-tos-tips/multifactor-authenticatio...

Additionally, many password manager programs (such as KeepassXC) have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeepassXC:

https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry

I am using these methods to do MFA on two of my different Microsoft 365 accounts - one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOTP codes.

We're an agricultural manufacturer in North Dakota and I am the entire IT department here. I started getting these same warnings 5 days ago, so Security Defaults are going to be turned on in 10 days. I'm freaking out because we have people working here who don't even HAVE a cell phone, and sales reps in the US and Canada. I'm fine if Security Defaults automatically configures to NOT prompt for MFA for anyone on-site (on the local network), but what about my sales reps? By the way, one of my sales reps has an old-school "feature" phone (aka not a smartphone) and is one of the guys who hates new technology.
Something tells me I'm between a rock and a hard place: either I deal with the ridiculous fallout of forced MFA, or I pay extra to enable Conditional Access and simply turn off MFA across the board. UGH.

I used a Token2 physical token (from a company in Switzerland) that essentially mimics a secondary Auth App (like Google Authenticator). When prompted for 2FA, you select alternate authenticator, you scan the QR code into their app, hold the token close to your cell phone and it basically transfers the hash to the physical token. We did not have to upgrade our Azure accounts to P1 or P2 because, to Azure, you are using Google Authenticator and the like. Worked great for a user on the floor who didn't have a desk phone for office phone auth, and we don't allow cell phones on the production floor. Was quick and easy. You can Google Token2. There is at least one party who has them on Amazon.

Only issue is when the user is prompted, it tells them to put in their Auth App code. You just explain to them that it is asking for the number on the token, not something on their phone.

@tfrain @luvsql @saucyknave @Kidd_Ip @it-lett why has noone suggested Authy? Works like a charm for me.

@louis2again

I have not considered Authy. A quick search turns up:

https://usa.kaspersky.com/blog/2fa-practical-guide/16398/

"The main disadvantage of Authy is that it requires you to set up an account linked to a mobile phone number — otherwise it won't work at all."

Since this particular thread is "MFA without a Cellphone" that is probably a non-starter.

@luvsql Plus not all employees have cell phones - some choose not to [by necessity or preference]. Also there is the issue of people leaving and trying to get access to accounts - that has been a headache - even with resetting accounts - especially on non-MS apps used by the company that are shared log-in but only able to have the one MFA. 

Well, with the recent update I even have employees that have a smartphone but it's not quite up to date enough to download the app, so they are also just out of luck? The fact that we purchased software, and this was rolled out after, is a joke.

@acjohns1986 Seriously, buy one of the Token2 token cards on Amazon and give that a try. It worked great for us. It's like $40 and if it doesn't work you aren't out that much, but I'm pretty sure it will work. That was our workaround for this type of situation.

Yes, I have found a solution. I only use a PC and not a tracking device like a dumb (s.m.a.r.t.) phone. Just recently our Company initiated the Microsoft Authenticator. As if the Text or Phone call wasn't enough (sarcasm). My Company would not allow IT to circumvent certain Users, like myself, to use Outlook and the rest as it was previously.
Since I use the PC I searched for a viable way to keep my rights and not tie business things to a personal mobile phone.

IF anyone is interested in this Microsoft Authenticator to PC, then let me know.
Yes, I would be interested, ty? This is a joke, FYI! More proof that these tech giants are trying to force ppl into a digital surveillance state, by forcing ppl to have a dumb (s.m.a.r.t.) phone, aka data harvesting/tracking device. I will never conform to this. @Pernille-Eskebo - demanding that you allow email authentication. SMS is already too intrusive! Suggestions anyone how to get around this??

@kenturnerturnercom

There are a number of applications available for Linux, Windows, and macOS that will generate codes from otpauth://totp/ keys like Microsoft Authenticator and Google Authenticator are able to.

I have used KeepassXC on all platforms for this feature - just putting the text in the form of the following URL into the "notes" section will make it work (actually only the "secret" part is needed; the same codes are generated no matter what other info is included). I think KeepassXC also has a dedicated database item for TOTP data, but having it in the "notes" section also works with StrongBox on macOS and iOS, which I also have used. I don't know if keepass2android picks up this info for the Android implementation.

(I used ☉ rather than @ because the filters get rid of properly formatted email addresses)

otpauth://totp/Example:alice☉example.com?secret=JBSWqlmfDPEHPK3PXP&issuer=Example

Key Uri Format

https://github.com/google/google-authenticator/wiki/Key-Uri-Format

https://keepassxc.org/

https://strongboxsafe.com/

https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en_CA&gl=US


@it-lett

One option to consider if the IT department doesn't mind open source is WinAuth.

https://winauth.github.io/winauth/index.html