{"id":838,"date":"2022-01-25T07:00:00","date_gmt":"2022-01-25T06:00:00","guid":{"rendered":"https:\/\/scloud.work\/?p=838"},"modified":"2023-08-28T11:44:48","modified_gmt":"2023-08-28T09:44:48","slug":"azure-mfa-hardware-token-oath-totp","status":"publish","type":"post","link":"https:\/\/scloud.work\/azure-mfa-hardware-token-oath-totp\/","title":{"rendered":"Azure MFA: Return of the Hardware Token (OATH TOTP)"},"content":{"rendered":"\n
Microsoft 365 or Azure AD offers the option of using a hardware token based on the OATH TOTP standard for MFA instead of the Authenticator app. A hardware token is simply an alternative to the classic popup on the mobile phone. Likewise, there is passwordless login with a FIDO Security Key or the Authenticator app; I have already written two posts on these.

Why an OATH token?

Many attacks succeed because of weak passwords or passwords that have been reused. That's why it's clear to me that every account must be protected with MFA or passwordless authentication. Nevertheless, I am always faced with the challenge of having to convince different people and organizations of this. Common counter-arguments are: "Not all my employees are willing to install a business app on their private smartphone." or: "Some employees don't have a smartphone." It is precisely in such situations that the well-known, classic hardware tokens can become popular again.

Setup: OATH TOTP hardware token with Azure MFA

Requirements

Ordering an OATH token

In the case of a non-programmable token, a file with the serial number and secret key of each token must also be requested when ordering. In a second step, this information is filled into a CSV together with the users (UPN) and imported into Azure AD. The CSV then looks like this:

upn,serial number,secret key,time interval,manufacturer,model
michael.scott@scloud.work,1234567891011,ABCBISYZQWERTZUIO,30,Feitian,HardwareKey

Import and Assignment

With the CSV we have in fact already made the assignment of tokens to users. Now we have to import it. To do this, we navigate in Azure AD to the OATH settings (Security > MFA > OATH tokens) and upload the file. (This is only possible as Global Administrator.)