Microsoft Previews Hardware OATH Tokens with Azure Multifactor Authentication
Microsoft on Tuesday announced a preview of the ability to use hardware OATH tokens with the Azure multifactor authentication service.
Hardware OATH tokens use physical objects, such as dongles and cards, as part of the identity verification process. These objects can now work with the Azure multifactor authentication service at the preview level. The service enforces a secondary means of verifying a user's identity before granting network access; that secondary means could be a text message response or a response to an automated phone call.
To use the preview, IT pros need to register the hardware OATH tokens to users through the Azure Portal's MFA Server "blade" menu item before handing those cards or dongles to the users. Microsoft may later move this portal interface to "a better aligned, more aptly named location," according to a comment in the announcement by Michael McLaughlin, a Microsoft Tech Community contributor.
Support for Fast IDentity Online 2.0 (FIDO2) isn't there yet. It'll come to the preview stage "early in 2019," according to McLaughlin. FIDO2 is a Web authentication standard that aims to move away from a reliance on passwords for user authentication. It uses "portable private keys" during the authentication scheme, which is intended to defeat attackers who have obtained a user's password.
According to McLaughlin, Microsoft doesn't have plans to support the Universal Second Factor (U2F) protocol of the FIDO standard, which enforces a secondary means of user authentication.
In addition to the hardware support, Microsoft also announced that Azure multifactor authentication now supports "up to five devices in any combination of hardware or software based OATH tokens" when used with the Microsoft Authenticator client application. The five-device support is now the default for all users and it can't be disabled, according to McLaughlin.
However, the multiple device support is only available to organizations using Azure AD multifactor authentication with "an Azure AD Premium P1 or P2 license," according to the announcement. The Azure Portal's MFA Server blade may tell licensees that they lack an Azure AD Premium license, but McLaughlin said that is currently a "bug" in the interface.
To use the authentication service, organizations need OATH tokens from a vendor, such as DeepNet Security, Token2 or Yubico, Microsoft's announcement explained, although the OATH standard itself is vendor-independent. Typically, organizations would use Time-based One-Time Password (TOTP) tokens, which generate a code that is valid only for a short window, typically 30 seconds.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.