MFA without a Cellphone

Super Contributor

This is becoming a bigger issue more and more.  We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.


We supply these users with a Business Voice license so they can make business calls and accept business calls.


All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.


Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.

So what do we do?  Leave all these accounts vulnerable?  I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.  


We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.  

72 Replies

@Danny69 Except that both come back to being tied to a mobile device versus other software authentication, which defeats the point of the conversation.

looking for 3rd party authenticator app, it should not open source
Except MS authenticator because users are not allowing to user mobile phone

@sathiyatam26  @luvsql 
Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.

I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk really.


Yes, there is a way.

You can have Windows devices enrolled to Intune (MEM) and use OTP (One-time Password) and FIDO2 Keys. Just recently started down this path with a customer.

Here is a solution to this issue.
Do we HAVE to go passwordless for this to work? We have to pre-setup all of our users and their PCs and apps and have to have a password for this to work.

For at least some setups, it is possible to use a computer based OTP TOTP/otpauth based authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the Authentication App of your choice, and it will also have a "I can't scan the bar code" link that will lead to the "shared secret" that you need.


For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval university:


Additionally, many password manager programs (such as KeepassXC have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeepassXC:


I am using these methods to do MFA on two of my different Microsoft 365 accounts - one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOPT codes.





We're an agricultural manufacturer in North Dakota and I am the entire IT department here. I started getting these same warnings 5 days ago, so Security Defaults are going to be turned on in 10 days. I'm freaking out because we have people working here who don't even HAVE cell phone, and sales reps in the US and Canada. I'm fine if Security Defaults automatically configures to NOT prompt for MFA for anyone on-site (on the local network), but what about my sales reps? By the way, one of my sales reps has a old-school "feature" phone (aka not a smartphone) and is one of the guys who hates new technology.
Something tells me I'm between a rock and a hard place: Either I deal with the ridiculous fallout of forced MFA, or I pay extra to enable Conditional Access and simply turn off MFA across the board. UGH.

I used a Token2 physical token (from a company in Switzerland) that essentially mimics a secondary Auth App (like google authenticator).  When prompted for 2FA, you select alternate authenticator, you scan the QR code into their app, hold the token close to your cell phone and it basically transfers hash to the physical token.  We did not have to upgrade our Azure accts to P1 or P2 because to Azure, you are using Google Authenticator and the like.  Worked great for a user on the floor who didn't have a desk phone for office phone auth, and we don't allow cell phones on the production floor.  Was quick and easy.  You can Google Token2.  There is at least one party who has them on Amazon.   


Only issue is when the user is prompted, it tells them to put in their Auth App code.  You just explain to them that it is asking for the number on the token, not something on their phone.

@tfrain @luvsql @saucyknave @Kidd_Ip @it-lett why has noone suggested Authy? Works like a charm for me.



I have not considered Authy. A quick search turns up:

"The main disadvantage of Authy is that it requires you to set up an account linked to a mobile phone number — otherwise it won't work at all."


Since this particular thread is "MFA without a Cellphone" that is probably a non-starter.