We are constantly trying to get more security on login than just a username and password, so Multi-Factor Authentication (MFA) is a good solution, and MFA combined with Azure AD Conditional Access is an even better one. MFA is relatively easy to implement in an organisation where the end user has a company-owned mobile phone or is willing to use their own mobile phone, but there are industries where this is not possible, so we need another solution.
In October 2018 Microsoft announced the availability of OATH hardware token support in Azure MFA.
In my opinion it is a great alternative to the Microsoft Authenticator app when the end user does not have a mobile device for whatever reason. There is an overhead of administrative tasks, like keeping track of which user has which hardware token, but that just requires a process and then you are ready to go.
I have tested:
In this case I do not like the Yubico key due to its requirement of an app. In this blog post I will show and tell the process with the Token2 key, but because OATH is a standard, you are not locked to a single vendor.
When you have purchased the OATH hardware keys from your vendor, there is some work you need to do:
- Send a mail to Token2 at office@token2.com with the serial numbers of your hardware tokens
- You get a .csv back with the secret key, serial number, time interval, manufacturer, and model for each token.
- Then you have to replace user@domain.tld with your end users' UPNs
- Upload the .csv file to Azure MFA
- Activate the hardware tokens in Azure MFA
- Deliver the right hardware token to the right end user
Then you are ready to go.
Requirements:
Azure AD P1 or P2
Hardware OATH token
How to get the hardware token .csv file into Azure MFA:
Start your favorite portal for Azure AD: https://aad.portal.azure.com
- Click Azure Active Directory
- Click MFA
- Click OATH tokens
- Click Upload
Point to the .csv file you got from Token2 or any other vendor you use
After a successful upload of the .csv file you can see a status, also if something has failed
Then you just need to activate the hardware token by clicking Activate
You will be prompted for a verification code that you get from the hardware token
After activating your tokens you can see the activation status in the portal
That is all you need to do. Now you can deliver the right hardware token to the right end user!
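Before uploading the vendor .csv and before typing the verification code at the Activate step, it is worth checking the file offline. The following is an added example (not from the original post or from Token2/Microsoft): it checks that every placeholder UPN was replaced, that each secret key uses only the base32 alphabet (A-Z, 2-7) that Azure MFA expects, and that the time interval is 30 or 60 seconds, and it computes the RFC 6238 TOTP from a seed so you can confirm the code the token displays matches the seed in the file. The column header and the sample rows are assumptions/constructed; the seed in the first row is the RFC 6238 test key.

```python
import base64
import csv
import hashlib
import hmac
import io
import re
import struct
import time

# Column order as documented for the Azure MFA OATH token upload (assumption).
EXPECTED_HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]
PLACEHOLDER_UPN = "user@domain.tld"       # value the vendor file ships with
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")  # RFC 4648 base32 alphabet: no 0, 1, 8 or 9

def validate_rows(csv_text):
    """Return (serial, problem) tuples; an empty list means the file is ready to upload."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if [h.strip().lower() for h in reader.fieldnames] != EXPECTED_HEADER:
        return [("header", "unexpected columns: %s" % reader.fieldnames)]
    for row in reader:
        serial = row["serial number"].strip()
        if row["upn"].strip().lower() == PLACEHOLDER_UPN:
            problems.append((serial, "UPN placeholder not replaced"))
        if not BASE32_RE.match(row["secret key"].strip().upper()):
            problems.append((serial, "secret key is not base32 (only A-Z and 2-7 allowed)"))
        if row["time interval"].strip() not in ("30", "60"):
            problems.append((serial, "time interval must be 30 or 60 seconds"))
    return problems

def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed; compare with the code shown on the token."""
    if unix_time is None:
        unix_time = int(time.time())
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed sample file: row 1 is valid, row 2 has an unreplaced UPN, a '1' in the seed and a bad interval.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@contoso.example,1000000001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,Token2,MODEL-PLACEHOLDER
user@domain.tld,1000000002,ABC1DEF,45,Token2,MODEL-PLACEHOLDER
"""

if __name__ == "__main__":
    for serial, problem in validate_rows(SAMPLE_CSV):
        print(serial, problem)
    print("current code for token 1000000001:", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```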
What does the end user experience look like:
When they get the sign-in page for Azure AD, the end user just enters their username as normal
After they have entered the password, they will get the MFA challenge, in this case a 5-digit code from the hardware token.
Sometimes the end user gets a message that Azure AD needs more information
Then they just need to verify their hardware token.
Happy deployment!
Read more:
Hardware OATH tokens in Azure MFA in the cloud are now available
Nice article! Can a token be reused for another user?
The procedure is very similar when using Deepnet Security's SafeID hardware tokens. Another alternative is to use a reprogrammable token like their Diamond token (after reprogramming, the token effectively emulates an authenticator app and so can be used wherever the apps are used).
Deepnet's SafeID hardware token can also be used to provide Azure Multi-Factor Authentication on cloud and on-premises servers, and they also have programmable tokens that can be used (see link below):
http://www.deepnetsecurity.com/authenticators/one-time-password/safeid/
Hi. This useful blog post details a successful import, but what about an unsuccessful one? The secret key cannot apparently contain "1". I have a token with a seed that contains "1" so the import fails.
Is the seed value the same as the secret key? Do I need to encode the seed in anyway?