I’m excited to announce the public preview of hardware OATH tokens in Azure Multi-Factor Authentication (Azure MFA) in the cloud! We’ve had several phone-based methods available since launching Azure MFA, and we’ve seen incredible adoption. But many of our customers have users who don’t have a phone available when they need to authenticate. Today, MFA is available for those users too!
At the same time, we added support for multiple MFA devices. Your users can now have up to five devices in any combination of hardware or software based OATH tokens and the Microsoft Authenticator app. This gives them the ability to have backup devices ready when they need them and to use different types of credentials in different environments.
Multiple device support is available for all users with Azure Active Directory (Azure AD) MFA in the cloud. Hardware OATH tokens are available for users with an Azure AD Premium P1 or P2 license.
Check out our credential docs and read on to try out hardware OATH tokens in your tenant.
Support for OATH tokens for Azure MFA in the cloud
First, you will need some OATH tokens from the vendor of your choice. You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less. Some vendors include:
Because OATH is a standard, you’re not locked to a single vendor or form factor. Once you purchase the keys from your vendor, they need to send you a file with a secret key, serial number, time interval, manufacturer, and model for each token.
To assign the tokens to users, edit that file to add your user’s user principal names (usually their email address) and then upload it to Azure Portal > Azure Active Directory > MFA Server > OATH tokens. Make sure to use the format described in the docs—the secret is in base 32! Also keep the header row in the file. Then, activate each token and hand them out to your users.
Support for multiple devices in Azure MFA
In addition to hardware tokens, we also rolled out support for multiple authenticator devices. Your users can now have up to five devices across the Authenticator app, software OATH tokens, and hardware OATH tokens. This is great to give your users different devices for different environments and to let them have backup devices in case they lose one or forget one at home.
Multiple device support is available today for all users—there’s nothing you need to do to get started!
These are just the start of a lot of changes we’re making to MFA and authentication in Azure as we drive toward a password-less future, so stay tuned here to learn more about the amazing developments as they come.
You can also let us know what you think in the comments below. As always, we’d love to hear any feedback or suggestions you have.