Inquiry on Alternative MFA Methods for Users Without Mobile Phone Access.

Kevin Dule 65 Reputation points
2024-07-17T10:16:31.0366667+00:00

Hello,

I am writing to inquire about alternative multi-factor authentication (MFA) methods for users who are unable to access their mobile phones in our work environment. Given the restrictions on mobile phone usage, it is critical to explore other secure MFA options to maintain our security protocols.

One potential solution we are considering is the use of USB Tokens for two-factor authentication. However, I would like to know if there are other viable MFA methods that can be implemented for our users under these constraints.

Could you please provide information on any available options and their implementation requirements? If needed, I am available for a call to discuss this in more detail and ensure we select the most appropriate solution for our environment.

Thank you for your attention to this matter. Your expertise and guidance in helping us secure our systems while accommodating our operational constraints are greatly appreciated.

BR,

Kevin Dule

Tags: Microsoft Authenticator, Microsoft Entra ID

2 answers

  1. Raja Pothuraju 7,365 Reputation points Microsoft Vendor
    2024-07-18T05:28:44.1333333+00:00

    Hello @Kevin Dule,

    Thank you for posting your query on Microsoft Q&A.

    I understand that in your work environment, users are not permitted to use mobile devices. Consequently, they are unable to utilize methods such as Microsoft Authenticator, phone calls, or SMS for multifactor authentication. You are considering implementing USB Tokens (OATH hardware tokens) for two-factor authentication and would like to explore other authentication methods that can be used within these constraints.

    Given these limitations, users can complete MFA using methods such as Passkey (FIDO2), certificate-based authentication, OATH hardware tokens (preview), and Windows Hello for Business.

    For more information on secure authentication methods, please refer to the following document:

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods

    Passkey (FIDO2), certificate-based authentication, and Windows Hello for Business are passwordless authentication methods that can be used for both the first and second factors. For further details on passwordless authentication, you can refer to:

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless

    These resources will provide comprehensive insights into implementing secure and passwordless authentication solutions in your environment.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thanks,
    Raja Pothuraju.


  2. David Lundell 81 Reputation points
    2024-07-22T18:44:56.6866667+00:00

    Kevin,

    Raja has provided some excellent links on authentication method concepts and passwordless authentication. If the issue is merely that end-users don't have cell signal or can't put their phones on the network, then they could still use the OTP from Microsoft Authenticator on their mobile devices.

    Let's assume that still isn't an option. Then your next best bet for low-cost MFA is Windows Hello for Business. However, this only works if your users have computers assigned to them. If instead the users just use whatever computer is available, they would need to keep registering for Windows Hello each time they go to a new computer. The same challenge applies to Certificate-Based Authentication (CBA) unless the certificate is stored on a smart card.

    If Windows Hello isn't an option because users aren't assigned to use the same computer over and over again, then passkeys stored on tokens like SwissBit, Hideez, or YubiKey will work. This does mean making some purchases, providing training to the end users, and having a plan for users who forget their token.

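Added example (editor's note, not part of either answer above and not Microsoft's own sample): the PowerShell below configures the Passkey (FIDO2) method that both answers recommend, restricts registration to the token models the organization actually buys (the "plan for users that forget their token" is easier when only known hardware is allowed), and reports which pilot users have registered a key. It uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest against the v1.0 authenticationMethodsPolicy and user authentication endpoints. The pilot group object ID and the AAGUID list are placeholders you must replace with your own values; the AAGUIDs for a given key model are published by the vendor.

```powershell
# Editor's added example, not code from the Q&A thread.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, the caller holds
# the Authentication Policy Administrator role, and the two placeholders below
# ($pilotGroupId, $allowedAaguids) are replaced with real values.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "UserAuthenticationMethod.Read.All", "GroupMember.Read.All"

$pilotGroupId   = "<object id of the pilot group>"      # placeholder (assumption)
$allowedAaguids = @(
    "00000000-0000-0000-0000-000000000000"               # placeholder; use your vendor's AAGUIDs
)

$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"

# Enable passkeys for the pilot group only, require verifiable attestation,
# and allow registration solely for the listed key models (AAGUID allowlist).
$fido2Policy = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true            # reject keys whose attestation cannot be verified
    keyRestrictions = @{
        isEnforced      = $true
        enforcementType = "allow"                       # "block" would turn the list into a denylist
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $pilotGroupId
            isRegistrationRequired = $false
        }
    )
}

Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $fido2Policy

# Read the policy back so the change is verified rather than assumed.
$stored = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"FIDO2 state: $($stored.state); attestation enforced: $($stored.isAttestationEnforced); " +
"key restriction: $($stored.keyRestrictions.enforcementType) $($stored.keyRestrictions.aaGuids -join ',')"

# Report registration status per pilot member, following @odata.nextLink paging,
# so the rollout (and the lost-token process) can be tracked before the method
# is made mandatory.
$membersUri = "https://graph.microsoft.com/v1.0/groups/$pilotGroupId/members?`$select=id,userPrincipalName"
$report = @()
while ($membersUri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $membersUri
    foreach ($m in $page.value) {
        $keys = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($m.id)/authentication/fido2Methods"
        $report += [pscustomobject]@{
            User      = $m.userPrincipalName
            Fido2Keys = @($keys.value).Count
            Models    = (@($keys.value) | ForEach-Object { $_.model }) -join ", "
        }
    }
    $membersUri = $page.'@odata.nextLink'
}
$report | Sort-Object Fido2Keys | Format-Table -AutoSize
```

Users with zero registered keys in the report are the ones who still need a token issued; users with exactly one are the ones a lost-token plan must cover, since the lost key cannot be replaced without another registered method or an admin-issued Temporary Access Pass.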
