Microsoft 365 and Azure AD offer the option of using a hardware token based on the OATH TOTP standard for MFA instead of the Authenticator app. The hardware token is simply an alternative to the classic push notification on the phone. Likewise, there is passwordless sign-in with a FIDO2 security key or the Authenticator app; I have already written two posts on that.
Table of Contents
- Why an OATH token?
- Setup: OATH TOTP hardware token with Azure MFA
- Login with the hardware token
Why an OATH token?
Many attacks succeed because of weak passwords or passwords reused across services. That is why it is clear to me that every account must be protected with MFA or passwordless authentication. Nevertheless, I am regularly faced with the challenge of having to convince different people and organizations of this. Common counter-arguments are: "Not all my employees are willing to install a business app on their private smartphone." or: "Some employees don't have a smartphone."
It is precisely in such situations that the well-known, classic hardware tokens become attractive again: they need no phone, no app and no personal device.
Setup: OATH TOTP hardware token with Azure MFA
- Azure AD Premium P1 or P2 license
- OATH TOTP hardware tokens (SHA-1, 30- or 60-second interval)
Ordering an OATH token
With non-programmable tokens, the secret key (seed) is burned in by the manufacturer, so a file with the serial number and secret key of each token must be requested when ordering. In a second step, these values are filled into a CSV together with the users (UPN) and imported into Azure AD.
The CSV then looks like this:
upn,serial number,secret key,time interval,manufacturer,model
email@example.com,1234567891011,ABCBISYZQWERTZUIO,30,Feitian,HardwareKey
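As an added example (this is not code from the original post, nor a Microsoft tool): a small Python script that checks such a CSV for the mistakes an upload would otherwise reject, and computes the RFC 6238 code from a row's secret so that you can compare it with the token's display before importing anything. It assumes the column layout shown above, Base32-encoded secret keys, and the common token defaults of HMAC-SHA1 with six-digit codes; the UPNs, serial numbers and rows are constructed test data, and the valid row uses the RFC 6238 test seed.

```python
"""
Added example (not from the original post): sanity-check a hardware-token
CSV before uploading it to Azure AD, and compute the TOTP code (RFC 6238,
HMAC-SHA1, 6 digits) from a row's secret so it can be compared with the
code on the token's display. Assumptions: the column layout of the post,
Base32 secrets, 30/60 s intervals. All sample rows are constructed.
"""
import base64
import binascii
import csv
import hashlib
import hmac
import io
import struct
import time

EXPECTED_HEADER = ["upn", "serial number", "secret key",
                   "time interval", "manufacturer", "model"]

# Constructed sample data. Row 2 is valid (its secret is the RFC 6238 test
# seed "12345678901234567890" in Base32), row 3 has a character outside the
# Base32 alphabet, row 4 uses an interval Azure AD does not accept.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1234567891011,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Feitian,c200
bob@example.com,1234567891012,ABCBISYZQWERTZUIO1,30,Feitian,c200
carol@example.com,1234567891013,GEZDGNBVGY3TQOJQ,45,Feitian,c200
"""


def decode_secret(secret_b32: str) -> bytes:
    """Decode a Base32 seed, tolerating lowercase and missing '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)  # raises binascii.Error on bad input


def totp(secret_b32: str, at: int, interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / interval)."""
    counter = at // interval
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate_rows(csv_text: str) -> list:
    """Return human-readable problems; an empty list means the file is ready."""
    problems = []
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    if header != EXPECTED_HEADER:
        problems.append(f"line 1: header must be {','.join(EXPECTED_HEADER)}")
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"line {lineno}: expected 6 columns, got {len(row)}")
            continue
        upn, serial, secret, interval, manufacturer, model = (c.strip() for c in row)
        if "@" not in upn:
            problems.append(f"line {lineno}: UPN {upn!r} is not user@domain")
        if not serial:
            problems.append(f"line {lineno}: serial number is empty")
        if interval not in ("30", "60"):
            problems.append(f"line {lineno}: time interval must be 30 or 60, got {interval!r}")
        if len(secret) > 128:  # documented Azure AD limit for the secret key
            problems.append(f"line {lineno}: secret key longer than 128 characters")
        try:
            decode_secret(secret)
        except (binascii.Error, ValueError) as exc:
            problems.append(f"line {lineno}: secret key is not valid Base32 ({exc})")
        if not manufacturer or not model:
            problems.append(f"line {lineno}: manufacturer and model must not be empty")
    return problems


def current_codes(csv_text: str, at=None) -> dict:
    """Map UPN -> code the token should show at Unix time `at` (default: now)."""
    if at is None:
        at = int(time.time())
    codes = {}
    for row in list(csv.reader(io.StringIO(csv_text)))[1:]:
        if len(row) != len(EXPECTED_HEADER):
            continue
        upn, _serial, secret, interval, _mfr, _model = (c.strip() for c in row)
        try:
            codes[upn] = totp(secret, at, int(interval))
        except (binascii.Error, ValueError):
            pass  # already reported by validate_rows(); skip here
    return codes


if __name__ == "__main__":
    for problem in validate_rows(SAMPLE_CSV):
        print("PROBLEM:", problem)
    for upn, code in current_codes(SAMPLE_CSV).items():
        print(f"{upn}: {code}")
```

Run it against the real file before the upload and hold a token next to the output: if the computed code for a UPN does not match the display, the seed or the interval in that row is wrong and the activation step later on will fail. Keep in mind that the CSV contains the seeds that are the second factor; delete it (and any copies) once the import and activations are done, and never check it into a repository.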
Import and Assignment
The assignment of tokens to users is already defined by the UPN column of the CSV; what remains is to import the file.
To do this, open Azure Active Directory > Security > MFA > OATH tokens in the Azure portal and upload the file. (This requires the Global Administrator role.)
After a few seconds and a refresh, the users with their tokens are listed. Each token must be activated once; the "Activate" link is in the last column.
For activation, we simply enter the code currently shown on the token's display and click "OK". This confirms that the imported seed and time interval match the physical token.
The status is then displayed with a tick as active:
Login with the hardware token
Sign-in to Microsoft 365 or an Azure AD application works the same way as with the Authenticator app: the user enters their username and password and is then prompted for the code shown on the token's display.