MFA with FIDO2 without mobile phone (no SMS or MS Authenticator)
Hello,
I would like to use a FIDO2 key for authentication. I configured the authentication settings to use it.
If the user already has an existing MFA (e.g. MS Authenticator), the FIDO2 key works very well.
How can I use the FIDO2 key for users without an existing MFA (e.g. new users)? The users do not have a business cell phone, so they cannot use SMS or the MS Authenticator.
I configured TPA and can also use it. But after logging in with TPA, I am repeatedly asked to configure the MS Authenticator and cell phone number for SMS authentication. I can't do either because the user doesn't have a work cell phone.
Thank you for your help.
Regards
Stefan
- Libby_Brown (Copper Contributor)
Temporary Access Pass was designed for this scenario - onboarding to FIDO2 as the only additional authentication method. As for why users are getting prompted to register other additional authentication methods, you'd need to check your policies for MFA and SSPR.
- LainRobertson (Silver Contributor)
Hi, Stefan.
In addition to the settings Libby mentioned, you'll want to check the registration campaign settings, as they default to Microsoft-managed and occasionally get in the way of your planned behaviour since Microsoft has a tendency to re-run Authenticator-based campaigns from time to time.
- How to run a registration campaign to set up Microsoft Authenticator - Microsoft Entra ID | Microsoft Learn
- Microsoft Entra new feature and change announcements - Microsoft Community Hub (i.e. an example of Microsoft initiating a potentially unwanted campaign)
Cheers,
Lain
- StefanKi (Iron Contributor)
Thank you for your answers. I apologize for replying so late; I was experimenting in my test environment.
During the tests I noticed that I have to enter a unique cell phone or office number in the authentication settings (for the respective user). Then the user is not asked to install and configure the MS Authenticator.
I will take a closer look at the SSPR again. Maybe I can adjust something here.
Best regards and many thanks
Stefan
- StefanKi (Iron Contributor)
I have found the solution. It was an old setting. As soon as I deactivated the selected settings, I was no longer asked for additional information.
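
The checks suggested in the replies above can be scripted. This is an added example, not part of the original thread: it reads the tenant's authentication methods policy (including the registration campaign state) and then issues a one-time Temporary Access Pass for FIDO2 onboarding. It assumes the Microsoft Graph PowerShell SDK is installed; the user name is a placeholder, and SSPR and legacy per-user MFA settings are not covered by this policy object.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.ReadWrite.All'

$base   = 'https://graph.microsoft.com/v1.0'
$policy = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/authenticationMethodsPolicy"

# 1. Which of the relevant methods are enabled in the authentication methods policy?
$wanted = 'Fido2', 'TemporaryAccessPass', 'MicrosoftAuthenticator', 'Sms'
$policy.authenticationMethodConfigurations |
    Where-Object { $_.id -in $wanted } |
    ForEach-Object { [pscustomobject]@{ Method = $_.id; State = $_.state } } |
    Format-Table -AutoSize

# 2. Registration campaign: 'default' means Microsoft-managed, which can
#    nudge users towards Microsoft Authenticator even in a FIDO2-only rollout.
$campaign = $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
"Registration campaign state: $($campaign.state)"
if ($campaign.state -ne 'disabled') {
    Write-Warning 'Registration campaign is not disabled; users may be prompted to set up Authenticator.'
    foreach ($t in $campaign.includeTargets) {
        "  included: $($t.targetType) $($t.id) -> $($t.targetedAuthenticationMethod)"
    }
}

# 3. Issue a one-time Temporary Access Pass so a user without any MFA method
#    can sign in and register the FIDO2 key.
$upn  = 'new.user@contoso.example'   # placeholder, replace with a real UPN
$body = @{ lifetimeInMinutes = 60; isUsableOnce = $true } | ConvertTo-Json
$tap  = Invoke-MgGraphRequest -Method POST `
            -Uri "$base/users/$upn/authentication/temporaryAccessPassMethods" `
            -Body $body -ContentType 'application/json'

# The pass value is returned only in this response; hand it over out of band.
"TAP for ${upn}: $($tap.temporaryAccessPass) (valid $($tap.lifetimeInMinutes) minutes)"
```

The requested lifetime must fall within the limits configured in the tenant's Temporary Access Pass policy, otherwise the request is rejected.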