Azure MFA review
About three months ago Microsoft announced the availability of OATH TOTP hardware tokens in Azure MFA. The feature is still in "public preview", but we see many of our customers using it in production already. As we have been testing this for the last couple of months in our lab environment and, in many cases, are also assisting our customers with the activation of the feature, we have some observations that we believe are worth sharing.
There are no exact specifications published by Microsoft about whether time drift is detected and adjusted for on the server side, but since they mention that the implementation is based on RFC 6238, this may indirectly mean that time drift handling is supported. Time skew tolerance is also not documented, but it was easy to find out by experimenting with our TOTP toolset: it turns out that Azure MFA accepts OTP codes from within a 900 second time range. With such a large skew allowance, time drift adjustments are not even necessary.
Surprisingly, Azure MFA allows assigning the same hardware token to multiple users. It accepts not only duplicate base32 seeds, but also duplicate serial numbers and models, even within the same tenant.
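Because the service does not reject duplicates itself, the check has to happen before the token list is uploaded. The following is an added example (our own code, not part of Azure MFA or any Token2 tool) that scans a token CSV for shared seeds, shared serial numbers and seeds that are not valid base32. The column layout assumed here (`upn,serial number,secret key,time interval,manufacturer,model`) follows the Azure MFA hardware token upload format; the rows themselves are constructed sample data.

```python
import base64
import binascii
import csv
import io
from collections import defaultdict

# Constructed sample upload file: alice and bob share a seed,
# alice and carol share a serial number, dave's seed is not base32.
SAMPLE_CSV = """upn,serial number,secret key,time interval,manufacturer,model
alice@example.com,1234567890,JBSWY3DPEHPK3PXP,30,ExampleVendor,ExampleModel
bob@example.com,1234567891,jbswy3dpehpk3pxp,30,ExampleVendor,ExampleModel
carol@example.com,1234567890,MFRGGZDFMZTWQ2LK,30,ExampleVendor,ExampleModel
dave@example.com,1234567892,MFRGGZDFMZTWQ2L1,30,ExampleVendor,ExampleModel
"""


def normalize_seed(seed: str) -> str:
    """Upper-case and strip spaces so that case or formatting differences
    do not hide a duplicate seed."""
    return seed.strip().replace(" ", "").upper()


def seed_is_valid_base32(seed: str) -> bool:
    padded = seed + "=" * (-len(seed) % 8)
    try:
        base64.b32decode(padded)
        return True
    except (binascii.Error, ValueError):
        return False


def audit_token_csv(csv_text: str) -> dict:
    """Return duplicate seeds, duplicate serials and invalid seeds,
    each mapped to the UPNs involved."""
    by_seed = defaultdict(list)
    by_serial = defaultdict(list)
    invalid = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["upn"].strip()
        seed = normalize_seed(row["secret key"])
        by_seed[seed].append(upn)
        by_serial[row["serial number"].strip()].append(upn)
        if not seed_is_valid_base32(seed):
            invalid[upn] = seed
    return {
        "duplicate_seeds": {s: u for s, u in by_seed.items() if len(u) > 1},
        "duplicate_serials": {s: u for s, u in by_serial.items() if len(u) > 1},
        "invalid_seeds": invalid,
    }


def csv_is_safe_to_upload(csv_text: str) -> bool:
    report = audit_token_csv(csv_text)
    return not any(report.values())


if __name__ == "__main__":
    for kind, entries in audit_token_csv(SAMPLE_CSV).items():
        print(kind, entries)
    print("safe to upload:", csv_is_safe_to_upload(SAMPLE_CSV))
```

Seeds are compared after normalization on purpose: two rows that differ only in case or spacing still decode to the same HMAC key, so they would produce identical codes for two different users.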
This is not a new observation; it has been clearly stated that hardware token activation requires Azure AD P1 or P2 licenses. We had a few customers willing to benefit from introducing hardware tokens with their Office 365 subscriptions, but not ready to pay around 5-6 EUR per user per month just for such a trivial feature.
Our recommendation for this case is to use one of our programmable hardware tokens. No additional license is needed for that (as our programmable tokens are "seen" by the system as Authenticator apps), because MFA is available on all Office 365 subscriptions starting from Business Essentials.