Microsoft Previews Hardware OATH Tokens with Azure Multifactor Authentication

Microsoft on Tuesday announced a preview of the ability to use hardware OATH tokens with the Azure multifactor authentication service.

Hardware OATH tokens use physical objects, such as dongles and cards, as part of the identity verification process. These objects can now work with the Azure multifactor authentication service at the preview level, which enforces a secondary means of verifying a user's identity. The secondary means could be a text message response or a response to an automated phone call before network access is granted.

To use the preview, IT pros would need to set up the hardware OATH tokens for users using the Azure Portal's MFA Server "blade" menu item before giving those cards or dongles to those users. Microsoft possibly will move this portal interface to "a better aligned, more aptly named location" later, according to a comment in the announcement by Michael McLaughlin, a Microsoft Tech Community contributor.

Support for Fast IDentity Online 2.0 (FIDO2) isn't there yet. It'll come to the preview stage "early in 2019," according to McLaughlin. FIDO2 is a Web authentication standard that aims to move away from a reliance on passwords for user authentications. It uses "portable private keys" during the authentication scheme, which supposedly thwarts any interlopers with password access.

According to McLaughlin, Microsoft doesn't have plans to support the Universal Second Factor (U2F) protocol of the FIDO standard, which enforces a secondary means of user authentication.

In addition to the hardware support, Microsoft also announced that Azure multifactor authentication now supports "up to five devices in any combination of hardware or software based OATH tokens" when used with the Microsoft Authenticator client application. The five-device support is now the default for all users and it can't be disabled, according to McLaughlin.

However, the multiple device support is only available to organizations using Azure AD multifactor authentication with "an Azure AD Premium P1 or P2 license," according to the announcement. The Azure Portal's MFA Server blade may tell licensees that they're lacking an Azure AD Premium license, McLaughlin noted, but that message is currently a "bug" in the interface.

To use the authentication service, organizations need to have OATH tokens from a vendor, such as DeepNet Security, Token2 or Yubico, Microsoft's announcement explained, although the OATH standard itself is vendor-independent. Typically, organizations would use Time-based One-Time Password (TOTP) tokens, which generate a code that is valid only for a short period of time, usually a 30-second interval.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
