Azure MFA (but dont always have a phone)?

Brent Ellis
Valued Contributor

We are working on deploying Azure MFA (cloud only).

An interesting scenario has come up with users that don't have mobile phones. While the scenario is rare, what is a user to do if (1) they don't have a mobile phone and (2) they are not in a trusted IP location?

The same thing could apply if the user forgot their phone at home and was at a customer site, etc.

Does basic Azure MFA have any extra workaround at this point in time?

9 Replies

You can configure an alternative phone, but apart from that, no. The on-prem version has a bypass option and an alternative method via security questions; this is not yet available for Azure MFA (but I believe it's coming).

Hope so, thanks.

I don't suppose services like Azure MFA post a roadmap like other O365 services; I've yet to find one at least.

Haven't seen any roadmap either, just the occasional hint for a new feature...

Two things. It doesn't have to be a mobile phone; it could be any predefined phone such as a landline.

I have customers where the 1st MFA phone is a user's mobile, but the backup is the "Secretary" (administrative assistant) person.

The protocol is: UserX calls the AA and gives a heads-up that he (the AA) will be getting a phone call from MSFT auth. The AA puts UserX on hold, checks with UserX's boss or UserX's calendar to confirm that UserX is offsite, and also tries to call UserX to confirm there is no answer.

Then the AA tells UserX to go ahead and trigger the auth.

Cumbersome, but it provides some level of identification / anti-spoofing verification.

The business could also look into providing a non-smart phone with a text-only plan (aka pager).

There is also this for the "I forgot my phone at home" case: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats...

The bypass is server-only; read the description:

Allow a user to authenticate without performing two-step verification for a limited time. The bypass goes into effect immediately, and expires after the specified number of seconds. This feature only applies to MFA Server deployment.

Why is the bypass for on-prem only? It seems like the cloud MFA admin capabilities are very limited.

That's a question you should be asking Microsoft :)

Hi Brent,

For users not having (or not willing to use their own) mobile phones, the solution is to use hardware tokens. MFA Server on-prem allows the use of standard OATH TOTP tokens; however, with Cloud MFA the only solution is programmable tokens.

Regards,

Guy

Disclaimer: I am affiliated with Token2

Windows Azure officially supports DeepNet SafeID hardware tokens which are OATH compliant. You might want to check it out:

http://www.deepnetsecurity.com/authenticators/one-time-password/safeid/
http://wiki.deepnetsecurity.com/display/KB/How+to+Import+SafeID+Token+into+Azure+MFA+Server