Microsoft 365 and Azure AD offer the option of using a hardware token based on the OATH TOTP standard for MFA instead of the Authenticator app. Such a hardware token is simply an alternative to the classic push notification on the phone. Likewise, passwordless login with a FIDO security key or the Authenticator app is available. I have already written two posts on this.

Why an OATH token?

Many attacks succeed because of weak passwords or passwords that have been reused across accounts. That's why it's clear to me that every account must be protected with MFA or passwordless authentication. Nevertheless, I am always faced with the challenge of having to convince different people and organizations of this. Common counter-arguments are: "Not all my employees are willing to install a business app on their private smartphone." or: "Some employees don't have a smartphone."
It is precisely in such situations that the well-known, classic hardware tokens become attractive again.

Setup: OATH TOTP hardware token with Azure MFA

Requirements

  • Azure Active Directory Plan 1 or 2
  • OATH TOTP tokens
    • TOTP (Time-based One-time Password) is important here; HOTP (Hash-based One-time Password) tokens are not supported
    • Examples of tokens: Feitian c200 or Token2 c202

Ordering an OATH token

In the case of a non-programmable token, a file containing each token's serial number and secret key must also be requested when ordering. In a second step, this data is merged into a CSV together with the users (UPN) and imported into Azure AD.
The CSV then looks like this:

upn,serial number,secret key,time interval,manufacturer,model
michael.scott@scloud.work,1234567891011,ABCBISYZQWERTZUIO,30,Feitian,HardwareKey

Import and Assignment

In fact, the assignment of tokens to users has already been made in the CSV. Now we have to import it.

To do this, we navigate in Azure AD to the OATH settings (Security > MFA > OATH tokens) and upload the file (only possible as Global Administrator).

OATH TOTP token upload Azure MFA

After a few seconds and a refresh, the user with the assigned token is visible. The activation link is in the last column; activation must be done once per user.

Azure MFA OATH token

We just enter the code currently shown on the token's display and click "OK".
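Two steps above are easy to get wrong by hand: merging the vendor's seed file with the user list into the CSV that Azure AD expects (the file format shown in the "Ordering an OATH token" section), and confirming during activation that the code on the display really belongs to the seed you uploaded. The following script is an added example written for this post, not code from the original post or from Microsoft. It builds and validates the upload CSV from a constructed vendor seed file and a constructed serial-to-UPN assignment, and it computes the RFC 6238 TOTP value (HMAC-SHA1, 6 digits, the variant Azure AD accepts) so you can compare it with the token display before clicking "Activate". The vendor seed file layout (`serial,secret`) and the model name are assumptions; the secrets are the RFC 6238 test seed, not real tokens.

```python
"""Build and sanity-check the CSV that Azure AD expects for the OATH TOTP
hardware-token upload (Security > MFA > OATH tokens).

Added example, not from the original post. Vendor seed data and user
assignments below are constructed sample values, not real tokens.
"""
import base64
import csv
import hashlib
import hmac
import io
import struct

# Column order Azure AD expects in the upload file (as shown in the post).
HEADER = ["upn", "serial number", "secret key", "time interval",
          "manufacturer", "model"]

# Constructed sample: the seed file a token vendor ships with a batch of
# non-programmable tokens (serial number + base32 secret). The layout is an
# assumption; real vendors use their own column names.
VENDOR_SEED_FILE = """\
serial,secret
1234567891011,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
1234567891012,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJR
"""

# Constructed sample: which user (UPN) receives which token.
ASSIGNMENTS = {
    "1234567891011": "michael.scott@scloud.work",
    "1234567891012": "dwight.schrute@scloud.work",
}


def decode_seed(secret_b32):
    """Decode a base32 seed; raises ValueError if it is not valid base32."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)  # vendors often omit '=' padding
    return base64.b32decode(padded, casefold=True)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the variant Azure AD supports.

    Use it to confirm a seed before upload: the code on the token display
    must equal this value for the same Unix time and time interval.
    """
    key = decode_seed(secret_b32)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_row(row):
    """Reject rows that Azure AD would refuse or that would never activate."""
    if "@" not in row["upn"]:
        raise ValueError(f"not a UPN: {row['upn']!r}")
    if not row["serial number"]:
        raise ValueError("missing serial number")
    try:
        decode_seed(row["secret key"])
    except ValueError as exc:
        raise ValueError(
            f"secret for serial {row['serial number']} is not base32") from exc
    # Only time-based tokens are supported (no HOTP counters); Azure AD
    # documents 30- or 60-second intervals for OATH TOTP hardware tokens.
    if row["time interval"] not in ("30", "60"):
        raise ValueError(f"unsupported interval {row['time interval']!r}")
    return True


def build_csv(vendor_seed_text, assignments, manufacturer, model, interval="30"):
    """Merge the vendor seed file with the user assignment into the upload CSV."""
    rows = []
    seen_serials, seen_secrets = set(), set()
    for seed in csv.DictReader(io.StringIO(vendor_seed_text)):
        serial, secret = seed["serial"].strip(), seed["secret"].strip()
        # A duplicated seed would let two tokens produce identical codes.
        if serial in seen_serials or secret in seen_secrets:
            raise ValueError(f"duplicate serial or secret at {serial}")
        seen_serials.add(serial)
        seen_secrets.add(secret)
        upn = assignments.get(serial)
        if upn is None:
            continue  # token stays in stock and is not uploaded yet
        row = dict(zip(HEADER, [upn, serial, secret, interval, manufacturer, model]))
        validate_row(row)
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(build_csv(VENDOR_SEED_FILE, ASSIGNMENTS, "Feitian", "c200"))
    # Code the first token's display should show at Unix time 59 (RFC 6238 vector)
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
```

Run it, upload the printed CSV, and during activation compare the token display with `totp(secret, time.time())` for that serial: a mismatch usually means the wrong seed row was assigned to the user or the token runs on a 60-second interval while the CSV says 30.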

OATH activation, Azure MFA

The status is then displayed with a tick as active:

OATH TOTP token activated in Azure MFA

Login with the hardware token

The login to Microsoft 365 or an Azure AD application works in the same way as with the Authenticator app. The user enters their username and password and is then prompted to enter the code from the token's display.