Mar 09 2021 12:51 PM
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.
We supply these users with a Business Voice license so they can make business calls and accept business calls.
All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.
Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.
So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.
We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.
Dec 06 2022 12:39 PM
@Danny69 Except that both come back to being tied to a mobile device versus other software authentication, which defeats the point of the conversation.
Dec 06 2022 01:08 PM
Jan 04 2023 07:27 AM - edited Jan 04 2023 07:28 AM
@sathiyatam26 @luvsql
Has anyone found a solution for this problem? I am an employee and want to access MFA, but I seek to do so without using a personal cell phone.
Jan 04 2023 07:35 AM
I don't understand why M$ can't provide a desktop app that provides the same service as the mobile one. Should be a slam dunk really.
Jan 04 2023 10:34 AM
Yes, there is a way.
You can have Windows devices enrolled to Intune (MEM) and use OTP (One-time Password) and FIDO2 Keys. Just recently started down this path with a customer.
Jan 04 2023 10:36 AM
Jan 04 2023 10:44 AM
Jan 22 2023 02:20 PM
For at least some setups, it is possible to use a computer based OTP TOTP/otpauth based authentication system. Microsoft's MFA signup will give a QR code to transfer the "shared secret" to the Authentication App of your choice, and it will also have a "I can't scan the bar code" link that will lead to the "shared secret" that you need.
For example, here are instructions on how to set up "OTP Manager" for Microsoft 365 from Laval university: https://www4.fsa.ulaval.ca/en/current-students/apti-help-desk/how-tos-tips/multifactor-authenticatio...
Additionally, many password manager programs (such as KeepassXC have TOTP generation built in, so if you give that software the "secret key" it can generate the needed codes. Here are instructions for KeepassXC:
https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry
I am using these methods to do MFA on two of my different Microsoft 365 accounts - one for a small company account, one for a university account. I don't think a cell phone was needed to set either up, but that was a while ago. I DO have a cell number as an alternative method, but I primarily use my password manager to generate the TOPT codes.
Jan 26 2023 05:01 PM
FIDO2 security keys may help
Azure Active Directory passwordless sign-in - Microsoft Entra | Microsoft Learn
Mar 31 2023 07:58 AM - edited Mar 31 2023 07:59 AM
We're an agricultural manufacturer in North Dakota and I am the entire IT department here. I started getting these same warnings 5 days ago, so Security Defaults are going to be turned on in 10 days. I'm freaking out because we have people working here who don't even HAVE cell phone, and sales reps in the US and Canada. I'm fine if Security Defaults automatically configures to NOT prompt for MFA for anyone on-site (on the local network), but what about my sales reps? By the way, one of my sales reps has a old-school "feature" phone (aka not a smartphone) and is one of the guys who hates new technology.
Something tells me I'm between a rock and a hard place: Either I deal with the ridiculous fallout of forced MFA, or I pay extra to enable Conditional Access and simply turn off MFA across the board. UGH.
May 22 2023 12:02 PM
I used a Token2 physical token (from a company in Switzerland) that essentially mimics a secondary Auth App (like google authenticator). When prompted for 2FA, you select alternate authenticator, you scan the QR code into their app, hold the token close to your cell phone and it basically transfers hash to the physical token. We did not have to upgrade our Azure accts to P1 or P2 because to Azure, you are using Google Authenticator and the like. Worked great for a user on the floor who didn't have a desk phone for office phone auth, and we don't allow cell phones on the production floor. Was quick and easy. You can Google Token2. There is at least one party who has them on Amazon.
Only issue is when the user is prompted, it tells them to put in their Auth App code. You just explain to them that it is asking for the number on the token, not something on their phone.
May 28 2023 01:39 AM
@tfrain @luvsql @saucyknave @Kidd_Ip @it-lett why has noone suggested Authy? Works like a charm for me.
May 28 2023 05:11 AM
I have not considered Authy. A quick search turns up:
https://usa.kaspersky.com/blog/2fa-practical-guide/16398/
"The main disadvantage of Authy is that it requires you to set up an account linked to a mobile phone number — otherwise it won't work at all."
Since this particular thread is "MFA without a Cellphone" that is probably a non-starter.
Jun 16 2023 08:31 AM
@luvsql Plus not all employees have cell phones - some choose not to [by necessity or preference]. Also there is the issue of people leaving and trying to get access to accounts - that has been a headache - even with resetting accounts - especially on non-MS apps used by the company that are shared log-in but only able to have the one MFA.
Jun 20 2023 09:55 AM
Jun 20 2023 12:33 PM
@acjohns1986 Seriously, buy one of the token2 token cards on amazon and give that a try. It worked great for us. It's like $40 and if it doesn't work you aren't out that much, but i'm pretty sure it will work. That was our workaround for this type of situation.
Aug 01 2023 01:16 PM
Aug 15 2023 03:40 PM
Aug 15 2023 07:07 PM - edited Aug 15 2023 07:16 PM
There are a number of applications available for Linux, Windows, and macOS that will generate otpauth://totp/ keys like Microsoft Authenticator and Google Authenticator are able to.
I have used KeepassXC on all platforms for this feature - just putting the text in the form of the following URL into the "notes" section will make it work (actually only the "secret" part is needed, the same codes are generated no matter what other info is included). I think KeepassXC also has a dedicated database item for TOTP data, but having it in the "notes" section also works with StrongBox on macOS and iOS, which I also have used. I don't know if keepass2android picks up this info for the Android implementation.
(I used ☉ rather than @ because the filters get rid of properly formatted email addresses)
otpauth://totp/Example:alice☉example.com?secret=JBSWqlmfDPEHPK3PXP&issuer=Example
Key Uri Format
https://github.com/google/google-authenticator/wiki/Key-Uri-Format
https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en_CA&gl=US
Sep 17 2023 09:33 AM
One option to consider if the IT department doesn't mind opensource is WinAuth.