Forum Discussion
luvsql
Mar 09, 2021 (Steel Contributor)
MFA without a Cellphone
This is becoming a bigger issue more and more. We cannot, as a company, require our Employees to use a personal cellphone to get text codes or install work apps to authenticate our work accounts.
We supply these users with a Business Voice license so they can make business calls and accept business calls.
All of our employees have corporately paid laptops running Windows 10 and all have SharePoint, Email, OneDrive, Teams etc.
Microsoft does not offer the authenticator app on Windows 10 so we can't use that method.
So what do we do? Leave all these accounts vulnerable? I've read about using "landlines" for authentication then Microsoft says that's not secure but then provides no guidance on exactly how we're supposed to do this.
We cannot be expected to pay for a cellphone for all these users just to use one app. That's ridiculous.
- Jamie_Tees_APT (Copper Contributor): I'm looking to use this: https://github.com/winauth/winauth for this exact issue. Might be your saving grace 🙂
- Christopher Knoerzer (Copper Contributor): I have researched this pretty extensively for a customer and here are the challenges we have to overcome:
1. Customer does not want AD FS, so we chose to go with Pass-Through Authentication as an alternative.
2. They have a stand-alone CA, bad practice, but it is what we are working with
3. Moving to a pure cloud infrastructure, Azure IaaS, Azure AD with Synchronized Identities
4. Wants to have MFA at the device level and for M365 Services
Here are a couple options I presented to the customer:
First, I presented Cloud Trust Setup for Windows Hello for Business (WHfB). https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust
This would allow the customer to deploy FIDO2 Keys like Yubikey to the employees, but would still require the initial setup of MFA in Azure AD (MS Authenticator App, Text, etc...)
The second option is to set up the environment to handle YubiKey deployment, https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication, but it would require AD FS for authentication for M365 services. This is not too big of an issue for the customer because they require a connection to their network prior to login, so authentication hits the DCs. Mind you, most of the organization is remote, but it would still cause the requirement to set up AD FS, which the customer does not want.
Third option is the Key Trust model for Windows Hello for Business, https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust, similar to option two, but still need AD FS.
So, to conclude, the customer either needs to accept the deployment of AD FS in their environment which can enforce MFA with cert based authentication, OR Deploy the Cloud Trust Model which is still in preview, OR KeyTrust Model and still need people to register a device for text or MS Auth app.
Unfortunately I have not been able to find any other options, but hope this helps your situation.
- Christopher Knoerzer (Copper Contributor): Here is a solution to this issue.
https://www.youtube.com/watch?v=OjfdFPIu2KI
- luvsql (Steel Contributor): Do we HAVE to go passwordless for this to work? We have to pre-setup all of our users and their PCs and apps and have to have a password for this to work.
- Danny69 (Brass Contributor): FIDO Key is more secure than any other method and yet it is not a valid method. It doesn't make sense.
- Danny69 (Brass Contributor): Until MS pull their finger out there is no alternative to setting either a mobile call, SMS message or an authenticator app. I'm not sure what MS are waiting for?
- Tom-irp (Brass Contributor): In mysignins.microsoft.com, one can select "Office phone." When it calls, you can press the # key to sign in. This may depend on your AD settings.
- Westbrook215 (Copper Contributor): Have you found a solution yet? I thought we could use SafeID OATH TOTP hardware tokens, but in the MFA settings in Azure, when you select the method of notification, 'hardware token' is combined with authenticator app, so you're still stuck with expecting users to have a smartphone, whether it's their personal or work one. Like you, we have users that do not have company smartphones and can't rely on their personal phones to authenticate.
- luvsql (Steel Contributor): I bought a Yubikey 5 USB-C but have not had a chance yet to test it out. Hoping it works. It's expensive ($65 in Canada) but still cheaper than a cellphone plan.
- abesso (Brass Contributor):
Noting that your post is from many months ago, I was wondering what, if any, solution you eventually settled on. Did you proceed with the Yubikey solution, select another, or are you still researching alternatives? I would greatly appreciate an update as we too are now looking for a similar solution. Thank you.
- TravisRoberts (Iron Contributor): This is an interesting topic. Previously, I didn't think twice about using a cell phone for MFA, but it makes sense that asking employees to use personal devices for work is not always acceptable. I created a couple of videos, one on MFA with an OATH token. This is an alternative to the Microsoft Authenticator app.
https://youtu.be/vG_NqiffqcI
I did another on FIDO2 keys for passwordless authentication.
https://youtu.be/XJwGvqUYEkg
I hope this is helpful,
-Travis
- luvsql (Steel Contributor): Awesome video, thank you. If a user needs to access their email or a SharePoint site on a tablet that does not have a USB connection, will they just connect the Yubikey to their work laptop and be shown the code so that they can type it in on the other device?
- TravisRoberts (Iron Contributor): The Yubikey is NFC capable, so if the device supports NFC, the Yubico Authenticator app on the device can get the code without USB.
- TravisRoberts (Iron Contributor): Have you considered Hybrid Azure AD Joining the users' computers and then creating a conditional access policy that disables MFA for logins from a hybrid joined device? The logic is, the hybrid joined device is a second factor in the login process.
- Chet2142 (Copper Contributor):
I don't see that as a valid option. Yes, people can use hybrid AD so the device you are on is a trusted device on a trusted IP, so it wouldn't require MFA while on premises. However, you still want MFA to be registered so that would-be attackers outside are not able to register your MFA instead. You still need the end user to be able to register the MFA so others cannot. TravisRoberts
- II_Charon_II (Copper Contributor):
Chet2142 I would like to think your point is clearly understood, at least from this side of the looking glass.
I don't get it. I've done voice verification by a robot calling me on my landline: "Hit 9 to continue this call"... "please enter the following phrase on your computer". It's not that far of a conceptual reach, you know; even Dell can kinda grasp that, kinda.
I keep hearing that that is an option, even from the mighty MS AI Bot; that is a baffling point, till you paste a screenshot showing that there is no option for a call.
But I'm sure it's just me. Why on earth would it make sense to continue to ask the same questions? But somehow, in my gray matter, I'm thinking I'm going to get some 'NEW DATA', and 3 hrs later I realised what happened last time: yah, made to d/l this, get that, fill this out, blah blah blah. Waste 3 hrs of your time, with the exact same outcome as the time before and the time before that.
- StefanRedlin (Copper Contributor):
We have the same problem here in Germany. Employees can't be forced to use their personal devices for MFA.
FIDO2 sticks could be a possible solution to this problem. They are a lot cheaper than a smartphone.
- Vicks1x365 (Copper Contributor): I guess there is an option to receive the code in "TEXT" or in another "email address".
- Leapfrog_1-3 (Brass Contributor): That option also forces the employee to provide either their personal cell phone or their personal email address.
- luvsql (Steel Contributor): How do you receive a text without a cellphone? We cannot force our Employees to use a personal cellphone number to receive codes. There is no way to authenticate MFA to email.
- Vicks1x365 (Copper Contributor):