SOLVED

MFA with FIDO2 without mobile phone (no SMS or MS Authenticator)

Hello,
I would like to use a FIDO2 key for authentication. I configured the authentication settings to use it.

If the user already has an existing MFA (e.g. MS Authenticator), the FIDO2 key works very well.

How can I use the FIDO2 key for users without an existing MFA (e.g. new users)? The users do not have a business cell phone, so they cannot use SMS or the MS Authenticator.

I configured TAP and can also use it. But after logging in with TAP, I am repeatedly asked to configure the MS Authenticator and cell phone number for SMS authentication. I can't do either because the user doesn't have a work cell phone.

Thank you for your help. 

Regards

Stefan

4 Replies
Temporary Access Pass was designed for this scenario - onboarding to FIDO2 as the only additional authentication method. As for why users are getting prompted to register other additional authentication methods, you'd need to check your policies for MFA and SSPR.

@Stefan Kießig

Hi, Stefan.

In addition to the settings Libby mentioned, you'll want to check the registration campaign settings, as they default to Microsoft-managed and occasionally get in the way of your planned behaviour since Microsoft has a tendency to re-run Authenticator-based campaigns from time to time.

Cheers,

Lain
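
The policy checks suggested in the two replies above can be scripted. This is an added example, not part of any post in this thread: a read-only audit of the tenant's authentication methods policy through Microsoft Graph. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the signed-in admin can consent to the Policy.Read.All scope.

```powershell
# Added example (not from the thread): read-only audit of the settings the replies point to.
# Assumes the Microsoft.Graph.Authentication module and consent to Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All'

$policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'

# State of each method relevant to a FIDO2-only onboarding.
$wanted  = 'Fido2', 'TemporaryAccessPass', 'MicrosoftAuthenticator', 'Sms'
$methods = $policy.authenticationMethodConfigurations | Where-Object { $_.id -in $wanted }
$methods | Select-Object id, state | Format-Table -AutoSize

$findings = @()
foreach ($required in 'Fido2', 'TemporaryAccessPass') {
    $m = $methods | Where-Object { $_.id -eq $required }
    if (-not $m -or $m.state -ne 'enabled') {
        $findings += "$required is not enabled, so TAP-based FIDO2 onboarding cannot work."
    }
}

# Registration campaign: 'default' means Microsoft-managed, which can nudge
# users toward Microsoft Authenticator even when FIDO2 is the intended method.
$campaign = $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
if ($campaign.state -ne 'disabled') {
    $targets = ($campaign.includeTargets | ForEach-Object {
        "$($_.targetedAuthenticationMethod) -> $($_.targetType) $($_.id)" }) -join '; '
    $findings += "Registration campaign state is '$($campaign.state)' (targets: $targets)."
}

# Until migration is complete, the legacy MFA and SSPR method settings are still honoured.
if ($policy.policyMigrationState -ne 'migrationComplete') {
    $findings += "policyMigrationState is '$($policy.policyMigrationState)': review legacy MFA and SSPR settings."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No conflicting settings found in the authentication methods policy.' }
```

The script only reads the policy. Settings that live outside it, such as the SSPR registration options in the portal, still have to be checked there.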

Thank you for your answers. I apologize for replying so late; I was experimenting in my test environment.

During the tests I noticed that I have to enter a unique cell phone or office number in the authentication settings (for the respective user). Then the user is not asked to install and configure the MS Authenticator.

I will take a closer look at the SSPR again. Maybe I can adjust something here.

Best regards and many thanks
Stefan
best response confirmed by Stefan Kießig (Iron Contributor)
Solution

I have found the solution. It was an old setting. As soon as I deactivated the selected settings, I was no longer asked for additional information.

[Attached screenshot: Ohne Titel 31.png]
