Microsoft 365 or Azure AD offers the option of using a hardware token based on the OATH TOTP standard for MFA instead of the authenticator app. A hardware token is just an alternative to the classic pop-up on the mobile phone. Likewise, there is passwordless login with a FIDO security key or the Authenticator app; I have already written two posts on that.
Why an OATH token?
Many attacks succeed because of weak passwords or passwords that have been reused. That's why it's clear to me that every account must be protected with MFA or passwordless authentication. Nevertheless, I am always faced with the challenge of having to convince different people and organizations of this. Common counter-arguments are: "Not all my employees are willing to install a business app on their private smartphone." or: "Some employees don't have a smartphone."
It is precisely in such situations that the well-known, classic hardware tokens can be popular again.
Setup: OATH TOTP hardware token with Azure MFA
Requirements
- Azure Active Directory Plan 1 or 2
- OATH TOTP tokens
- TOTP (Time-based One-time Password) is important here; HOTP (HMAC-based One-time Password) tokens are not supported
- Examples of tokens: Feitian c200 or Token2 c202
Ordering an OATH token
In the case of a non-programmable token, a file with the serial number and the secret key (seed) must also be requested from the vendor when ordering. In a second step, these values are entered into a CSV together with the users (UPN) and imported into Azure AD.
The CSV then looks like this:
upn,serial number,secret key,time interval,manufacturer,model
michael.scott@scloud.work,1234567891011,ABCBISYZQWERTZUIO,30,Feitian,HardwareKey
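Before uploading, it is worth checking that the CSV has exactly the expected columns and that each seed is valid base32, and confirming a token against its seed by computing the TOTP code locally. The following script is an added example and not part of the original post; the sample row is constructed with the RFC 6238 reference seed, not a real token seed.

```python
import base64, csv, hashlib, hmac, io, struct, time

# Column names exactly as in the Azure AD OATH token upload file.
FIELDS = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

# Constructed sample: the secret is the RFC 6238 reference seed
# ("12345678901234567890" in base32), not a real token seed.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
michael.scott@scloud.work,1234567891011,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Feitian,HardwareKey
"""

def b32(secret: str) -> bytes:
    """Decode a base32 seed, tolerating the '=' padding that vendors usually omit."""
    secret = secret.strip().upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Azure AD OATH tokens use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(b32(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_rows(csv_text: str) -> dict:
    """Map each serial number to its list of problems (empty list = row is OK)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != FIELDS:
        return {"<header>": ["columns must be exactly: " + ",".join(FIELDS)]}
    result = {}
    for row in reader:
        problems = []
        if "@" not in row["upn"]:
            problems.append("upn is not a user principal name")
        try:
            b32(row["secret key"])
        except Exception:
            problems.append("secret key is not valid base32")
        # Azure AD accepts TOTP only, with a 30 or 60 second interval (the post uses 30).
        if row["time interval"] not in ("30", "60"):
            problems.append("time interval must be 30 or 60 (TOTP; HOTP is unsupported)")
        result[row["serial number"]] = problems
    return result

if __name__ == "__main__":
    print(check_rows(SAMPLE_CSV))
    # Compare this with the token's display to confirm the seed file matches the device.
    print("current code:", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", int(time.time())))
```

If the locally computed code does not match the display, the seed file (or the token's clock) is wrong and the upload will produce tokens that never activate.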
Import and Assignment
In fact, we have already made the assignment in the CSV. Now we have to import it.
To do this, we navigate in Azure AD to the OATH settings (Security > MFA > OATH tokens) and upload the file. (This is only possible as Global Administrator.)
After a few seconds and a refresh, the user with the token is visible. The activation link is in the last column; activation must be done once per user.
We just enter the code currently shown on the token's display and click "OK".
The status is then displayed with a tick as active.
Login with the hardware token
The login within Microsoft 365 or an Azure AD application works in the same way as with the authenticator app. The user enters their username and password and is then prompted to enter the code from the token's display.
There are always a couple of users who don't want to use their 'personal' phone for securing their work accounts, but at the same time, want their emails accessible on it. They will be dragging around a hardware token with them!