Microsoft Previews Hardware OATH Tokens with Azure Multifactor Authentication

Microsoft on Tuesday announced a preview of the ability to use hardware OATH tokens with the Azure multifactor authentication service.

Hardware OATH tokens are physical objects, such as dongles and cards, used as part of the identity verification process. They now work, at the preview level, with the Azure multifactor authentication service, which enforces a secondary means of verifying a user's identity, such as a text message response or a response to an automated phone call, before granting network access.

To use the preview, IT pros would need to set up the hardware OATH tokens for users using the Azure Portal's MFA Server "blade" menu item before giving those cards or dongles to those users. Microsoft possibly will move this portal interface to "a better aligned, more aptly named location" later, according to a comment in the announcement by Michael McLaughlin, a Microsoft Tech Community contributor.

Support for Fast IDentity Online 2.0 (FIDO2) isn't there yet. It'll come to the preview stage "early in 2019," according to McLaughlin. FIDO2 is a Web authentication standard that aims to move away from a reliance on passwords for user authentications. It uses "portable private keys" during the authentication scheme, which supposedly thwarts any interlopers with password access.

According to McLaughlin, Microsoft doesn't have plans to support the Universal Second Factor (U2F) protocol of the FIDO standard, which enforces a secondary means of user authentication.

In addition to the hardware support, Microsoft also announced that Azure multifactor authentication now supports "up to five devices in any combination of hardware or software based OATH tokens" when used with the Microsoft Authenticator client application. The five-device support is now the default for all users and it can't be disabled, according to McLaughlin.

However, the multiple device support is only available to organizations using Azure AD multifactor authentication with "an Azure AD Premium P1 or P2 license," according to the announcement. The Azure Portal's MFA Server blade may tell licensees that they're lacking an Azure AD Premium license, McLaughlin noted, but it's currently a "bug" in the interface, he said.

To use the authentication service, organizations need to have OATH tokens from a vendor, such as DeepNet Security, Token2 or Yubico, Microsoft's announcement explained, although the OATH standard itself is vendor-independent. Typically, organizations would use Time-based One-Time Password (TOTP) tokens, which generate codes that are valid only for a short period, usually a 30-second interval.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Microsoft Warns SameSite Cookie Changes Could Break Some Apps

    IT pros could face Web application issues as early as next month with the implementation of a coming SameSite Web change, which will affect how cookies are used across sites.

  • Populating a SharePoint Document Library by E-Mail, Part 1

    While Microsoft doesn't allow you to build a SharePoint Online document library using e-mail, there is a roundabout way of getting the job done using the tools that are included with Office 365. Brien shows you how.

  • Microsoft Previews New App Reporting and Consent Tools in Azure AD

    Microsoft last week described a few Azure Active Directory improvements for organizations wanting to connect their applications to Microsoft's identity and access service.

  • Free Software Foundation Asks Microsoft To Release Windows 7 Code

    The Free Software Foundation this week announced that it has established a petition demanding that Microsoft release its proprietary Windows 7 code as free software.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.