Microsoft Previews Hardware OATH Tokens with Azure Multifactor Authentication

Microsoft on Tuesday announced a preview of the ability to use hardware OATH tokens with the Azure multifactor authentication service.

Hardware OATH tokens use physical objects, such as dongles and cards, as part of the identity verification process. These objects can now work, at the preview level, with the Azure multifactor authentication service, which enforces a secondary means of verifying a user's identity before providing network access. The secondary means could be a text message response or a response to an automated phone call.

To use the preview, IT pros would need to set up the hardware OATH tokens for users through the Azure Portal's MFA Server "blade" menu item before giving those cards or dongles to those users. Microsoft may move this portal interface to "a better aligned, more aptly named location" later, according to a comment in the announcement by Michael McLaughlin, a Microsoft Tech Community contributor.

Support for Fast IDentity Online 2.0 (FIDO2) isn't there yet. It'll come to the preview stage "early in 2019," according to McLaughlin. FIDO2 is a Web authentication standard that aims to move away from a reliance on passwords for user authentications. It uses "portable private keys" during the authentication scheme, which supposedly thwarts any interlopers with password access.

According to McLaughlin, Microsoft doesn't have plans to support the Universal Second Factor (U2F) protocol of the FIDO standard, which enforces a secondary means of user authentication.

In addition to the hardware support, Microsoft also announced that Azure multifactor authentication now supports "up to five devices in any combination of hardware or software based OATH tokens" when used with the Microsoft Authenticator client application. The five-device support is now the default for all users and it can't be disabled, according to McLaughlin.

However, the multiple device support is only available to organizations using Azure AD multifactor authentication with "an Azure AD Premium P1 or P2 license," according to the announcement. The Azure Portal's MFA Server blade may tell licensees that they're lacking an Azure AD Premium license, McLaughlin noted, but that message is currently a "bug" in the interface, he said.

To use the authentication service, organizations need to have OATH tokens from a vendor, such as DeepNet Security, Token2 or Yubico, Microsoft's announcement explained, although the OATH standard itself is vendor-independent. Organizations would typically use Time-based One-Time Password (TOTP) tokens, which enable user authentications for a short period of time, usually set in 30-second intervals.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

