Azure MFA (but dont always have a phone)?


We are working on deploying Azure MFA (cloud only).


An interesting scenario has come up with users that don't have mobile phones. While the scenario is rare, what is a user to do if (1) they don't have a mobile phone and (2) they are not in a trusted IP location?


Same thing could apply if the user forgot their phone at home and was at a customer site, etc. 


Does basic Azure MFA have any extra work around at this point in time?

9 Replies

You can configure an alternative phone, but apart from that, no. The On-Prem version has a bypass option and an alternative method via security questions; this is not yet available for Azure MFA (but I believe it's coming).

Hope so, thanks.

I don't suppose services like Azure MFA post a roadmap like other O365 services; I've yet to find one at least.

Haven't seen any roadmap either, just the occasional hint of a new feature...

Two things - it doesn't have to be a mobile phone - it could be any predefined phone such as a landline.


I have customers where the 1st MFA phone is a user's mobile, but the backup is the "Secretary" administrative assistant person.

The protocol is: UserX calls the AA and gives a heads-up that he (the AA) will be getting a phone call from MSFT auth. The AA puts UserX on hold and checks with UserX's boss or UserX's calendar to confirm that UserX is offsite, and also tries to call UserX to confirm no answer.


Then the AA tells UserX to go ahead and trigger Auth.


Cumbersome - but provides some level of identification anti-spoofing verification.


The business could also look into providing a non-smart phone with a text-only plan (aka pager).


There is also this for the "I forgot my phone at home" case: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats...


The bypass is server-only; read the description:

Allow a user to authenticate without performing two-step verification for a limited time. The bypass goes into effect immediately, and expires after the specified number of seconds. This feature only applies to MFA Server deployment.


Why is the bypass for on-prem only? It seems like the cloud MFA admin capabilities are very limited.

That's a question you should be asking Microsoft :)

Hi Brent,

For users not having (or not willing to use their own) mobile phones, the solution is to use hardware tokens. MFA Server on-prem allows the use of standard OATH TOTP tokens; however, with Cloud MFA the only solution is programmable tokens.


Regards,

Guy

Windows Azure officially supports DeepNet SafeID hardware tokens, which are OATH compliant. You might want to check it out:

http://www.deepnetsecurity.com/authenticators/one-time-password/safeid/
http://wiki.deepnetsecurity.com/display/KB/How+to+Import+SafeID+Token+into+Azure+MFA+Server
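To make concrete what the OATH-compliant hardware tokens mentioned in the last two replies actually compute, here is an added example (not code from the thread, Microsoft, Token2 or DeepNet) of RFC 4226 HOTP and RFC 6238 TOTP generation plus a verifier that tolerates one time step of clock drift, which is what a programmable token's seed is provisioned for. The base32 seed shown is a constructed placeholder, not a real secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example seed in the base32 form a programmable OATH token
# (or a hardware-token import file) carries it. Not a real secret: the
# seed is the whole security of the token, so store real ones like a password.
EXAMPLE_SEED_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The token hardware and the verifier both run this from the same seed."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int,
                step: int = 30, skew: int = 1) -> bool:
    """Verifier side: accept the code for the current step and up to `skew`
    adjacent steps, so a hardware token whose clock has drifted a little
    still works. Uses a constant-time compare to avoid leaking the match."""
    for delta in range(-skew, skew + 1):
        expected = totp(secret_b32, at + delta * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000  # fixed constructed timestamp so the run is reproducible
    code = totp(EXAMPLE_SEED_B32, now)
    print("token shows", code, "accepted:", verify_totp(EXAMPLE_SEED_B32, code, now))
```

The RFC 6238 Appendix B test vectors (seed "12345678901234567890", SHA-1) reproduce with this code when the seed is base32-encoded, which is a quick way to check any OATH verifier before trusting it with real token seeds.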