You may already be aware of the Azure Multi-Factor Authentication (MFA) solution, which has been available for quite some time.
Well, good news: Azure MFA is now going to support hardware tokens (OATH-TOTP, SHA-1).
As you may already know, Azure MFA requires the end-user to have a phone available (either a mobile or a desk phone) to be able to answer the MFA challenge – either with a call (desk/mobile), a text message or the mobile app (approval request or code).
There are situations when end-users do not have access to a phone and therefore cannot answer the MFA request.
Azure MFA is now going to support hardware tokens for such situations.
Hardware Token
To enable hardware token support, go to the Azure portal, open the Azure AD configuration blade and then the MFA Server blade.
From there, go to the OATH tokens blade to upload the token/user associations.
You need to upload a CSV file – it is important to keep the model set to HardwareKey:
upn,serial number,secret key,timeinterval,manufacturer,model
<user UPN>,<token serial number>,<token secret key>,60,<token manufacturer>,HardwareKey
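Because a single wrong cell (a misspelled model value, a secret that is not Base32, a time interval the token does not actually use) only shows up as an upload error or, worse, as a token that never produces a matching code, it is worth checking the file locally first. The script below is an added example and is not part of the original post or of Azure MFA itself: it validates a constructed sample CSV against the column layout shown above and computes the RFC 6238 TOTP code (HMAC-SHA-1, 6 digits) that a row's secret and time interval would produce at a given time, so an administrator can confirm that the value in the file matches what the physical token displays before activating the association. The UPNs, serial numbers and secrets are placeholders; the assumption that 30 seconds is accepted alongside the 60 seconds used in the post's template is marked in the code.

```python
"""Sanity-check an Azure MFA hardware-token CSV before upload and compute the
RFC 6238 TOTP code (HMAC-SHA-1, 6 digits) a row's secret would produce.
Added example; not part of the original post or of the Azure MFA service."""
import base64
import csv
import hashlib
import hmac
import io
import struct
import time

# Column header exactly as shown in the post's template.
EXPECTED_HEADER = ["upn", "serial number", "secret key", "timeinterval",
                   "manufacturer", "model"]

# Constructed sample upload file with placeholder users, serials and secrets.
# Row 1 mirrors the post's template (60-second step).
# Row 2 uses the RFC 6238 test secret ("12345678901234567890" in Base32) with a
#       30-second step so its codes can be checked against the RFC test vectors.
# Row 3 carries the misspelled model value the post warns about.
SAMPLE_CSV = """upn,serial number,secret key,timeinterval,manufacturer,model
alice@contoso.example,1234567,JBSWY3DPEHPK3PXP,60,ExampleVendor,HardwareKey
bob@contoso.example,7654321,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,HardwareKey
carol@contoso.example,1111111,JBSWY3DPEHPK3PXP,60,ExampleVendor,HarwareKey
"""

# The post's template uses 60; 30 is the other standard OATH step size and is
# assumed here to be accepted as well.
ALLOWED_INTERVALS = ("30", "60")


def _b32decode(secret):
    """Decode a Base32 secret, tolerating missing '=' padding and lowercase."""
    padded = secret + "=" * (-len(secret) % 8)
    return base64.b32decode(padded, casefold=True)


def validate_rows(csv_text):
    """Return a list of (line number, problem) tuples; empty means ready to upload."""
    reader = csv.reader(io.StringIO(csv_text))
    problems = []
    header = next(reader, [])
    if header != EXPECTED_HEADER:
        problems.append((1, "unexpected header: %r" % header))
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append((lineno, "expected %d columns, got %d"
                             % (len(EXPECTED_HEADER), len(row))))
            continue
        upn, serial, secret, interval, manufacturer, model = row
        if "@" not in upn:
            problems.append((lineno, "upn is not of the form user@domain"))
        if not serial.strip():
            problems.append((lineno, "serial number is empty"))
        try:
            _b32decode(secret)
        except ValueError:
            problems.append((lineno, "secret key is not valid Base32"))
        if interval not in ALLOWED_INTERVALS:
            problems.append((lineno, "timeinterval must be one of %s"
                             % ", ".join(ALLOWED_INTERVALS)))
        if not manufacturer.strip():
            problems.append((lineno, "manufacturer is empty"))
        if model != "HardwareKey":
            problems.append((lineno, "model must be exactly HardwareKey"))
    return problems


def totp(secret_b32, unix_time, time_interval=60, digits=6):
    """RFC 6238 TOTP with HMAC-SHA-1: counter = floor(time / step), then HOTP
    dynamic truncation (RFC 4226) reduced to the requested number of digits."""
    key = _b32decode(secret_b32)
    counter = int(unix_time) // int(time_interval)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def expected_codes(csv_text, unix_time):
    """Map each UPN in a valid row to the code its token should show at unix_time."""
    bad_lines = {lineno for lineno, _ in validate_rows(csv_text)}
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)
    codes = {}
    for lineno, row in enumerate(reader, start=2):
        if lineno in bad_lines or len(row) != len(EXPECTED_HEADER):
            continue
        upn, _serial, secret, interval, _manufacturer, _model = row
        codes[upn] = totp(secret, unix_time, interval)
    return codes


if __name__ == "__main__":
    for lineno, problem in validate_rows(SAMPLE_CSV):
        print("line %d: %s" % (lineno, problem))
    now = int(time.time())
    for upn, code in expected_codes(SAMPLE_CSV, now).items():
        print("%s should currently display %s" % (upn, code))
```

Run it against the real file in place of SAMPLE_CSV; an empty problem list means the header, column count, Base32 secrets, time intervals and model value are all in the shape the upload expects, and the printed code for each user should match the physical token held by that user at the same moment (allowing for the usual one-step clock drift).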
Once uploaded (which can take a few minutes if you have a lot of users), you will have to use the Refresh button to refresh the list.
If you get anything other than “Hardware token files uploaded with no errors”, check the error and fix it.
You should then see the list of users/tokens you have uploaded.
You can then activate a user/token association by hitting the Activate option on the right side.
If needed, you can select one or more user/token associations and hit the Delete button to remove them from the configuration.
Multiple MFA Device
In addition to this hardware token support, end-users can now have multiple devices for MFA.
There is nothing to do here; your end-users just need to register the additional devices for MFA.
This will simplify the end-user experience and the support process when they lose the primary device configured for MFA.