Azure MFA – Support for hardware OATH tokens and multiple MFA devices coming to Azure MFA

You may be already aware of the Azure Multi Factor Authentication (MFA) solution which has been available for quite some time.

Well, good news: Azure MFA is now going to support hardware tokens (OATH-TOTP SHA-1).

As you may already know, Azure MFA requires the end user to have a phone available (either a mobile or a desk phone) to be able to answer the MFA challenge – either with a call (desk/mobile), a text message or the mobile app (push request or code).

There are situations when end users do not have access to a phone and so cannot answer the MFA challenge.
Azure MFA is now going to support hardware tokens for such situations.

Hardware Tokens

To enable hardware token support, go to your Azure portal and open the Azure AD configuration blade to access the MFA Server blade

From there, go to the OATH tokens blade to upload the token/user associations

You need to upload a CSV file – it is important to keep the model set to HardwareKey

upn,serial number,secret key,timeinterval,manufacturer,model

<user UPN>,<token serial number>,<token secret key>,60,<token manufacturer>,HardwareKey
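Because the portal only reports errors after the upload has been processed, it pays to check the file locally first. The following is an added example (not code from the post or from Microsoft): it validates a token CSV against the column layout shown above and computes the OATH-TOTP SHA-1 code for a row so you can compare it with what the physical token displays before activating the association. It assumes the secret key column carries the token seed in base32; the UPNs, serial numbers, vendor name and the sample file itself are constructed. The TOTP routine is checked against the RFC 4226/6238 test seed.

```python
import base64
import binascii
import csv
import hashlib
import hmac
import io
import struct
import time

# Header exactly as the upload format in the post lists it.
REQUIRED_HEADER = ["upn", "serial number", "secret key", "timeinterval", "manufacturer", "model"]

# Constructed sample file: row 2 is correct, row 3 carries a bad seed and the
# "HarwareKey" typo that the portal would reject.
SAMPLE_CSV = """upn,serial number,secret key,timeinterval,manufacturer,model
alice@contoso.example,1234567890,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,60,ExampleVendor,HardwareKey
bob@contoso.example,1234567891,NOT!BASE32,60,ExampleVendor,HarwareKey
"""


def _decode_base32(secret: str) -> bytes:
    """Decode a base32 seed, tolerating lower case and missing '=' padding."""
    s = secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, time_step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA-1, the OATH-TOTP SHA-1 profile the post mentions.

    time_step is the 'timeinterval' column; the post uses 60 seconds.
    """
    counter = unix_time // time_step
    mac = hmac.new(_decode_base32(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validate_csv(csv_text: str) -> list:
    """Return (row_number, problem) tuples; an empty list means the file looks uploadable."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    if not rows or [c.strip().lower() for c in rows[0]] != REQUIRED_HEADER:
        return [(1, "header must be exactly: " + ",".join(REQUIRED_HEADER))]
    errors = []
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != 6:
            errors.append((n, "expected 6 columns, got %d" % len(row)))
            continue
        upn, serial, secret, interval, manufacturer, model = [c.strip() for c in row]
        if "@" not in upn:
            errors.append((n, "upn does not look like a UPN"))
        if not serial:
            errors.append((n, "serial number is empty"))
        try:
            _decode_base32(secret)
        except (binascii.Error, ValueError):
            errors.append((n, "secret key is not valid base32"))
        if not interval.isdigit() or int(interval) <= 0:
            errors.append((n, "timeinterval must be a positive number of seconds (60 in the post)"))
        if not manufacturer:
            errors.append((n, "manufacturer is empty"))
        if model != "HardwareKey":
            errors.append((n, "model must be HardwareKey, got %r" % model))
    return errors


def current_code_for_row(csv_text: str, upn: str, now: int = None) -> str:
    """Compute the code a given user's token should be showing right now."""
    now = int(time.time()) if now is None else now
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["upn"].strip().lower() == upn.lower():
            return totp(row["secret key"], now, int(row["timeinterval"]))
    raise KeyError(upn)


if __name__ == "__main__":
    for line_no, problem in validate_csv(SAMPLE_CSV):
        print("row %d: %s" % (line_no, problem))
    print("alice's token should currently show:", current_code_for_row(SAMPLE_CSV, "alice@contoso.example"))
```

Run it against the real file before uploading; if the code it prints does not match the hardware token, the seed, the time interval or the token's clock is wrong and the association will fail to verify once activated. Treat the CSV as key material: it holds every token's seed in the clear, so delete it (and any copies in mail or ticketing systems) once the upload is confirmed.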

Once uploaded (which can take a few minutes if you have a lot of users) you will have to use the Refresh button to get the list refreshed

If you get anything other than “Hardware token files uploaded with no errors”, check the error and fix it

Then you should see the list of users/tokens you have uploaded

You can then activate the user/token association by hitting the Activate option on the right side

If needed, you can select one or more user/token associations and then hit the Delete button to remove them from the configuration

Multiple MFA Devices

In addition to the hardware token support, end users can now have multiple devices registered for MFA.

There is nothing to configure here. Your end users just need to register the additional devices for MFA.

This will simplify the end-user experience and the support process when they lose the primary device configured for MFA.
