Hardware Tokens for Azure MFA

There are currently two ways to implement an Azure hardware token for Azure Multi-Factor Authentication:

  • With classic OATH tokens for Azure MFA with hard-coded secret keys, such as Protectimus Two. To make use of one of these you’ll need Azure AD Premium P1 or P2 license.
  • With a programmable hardware token for Azure MFA Protectimus Slim NFC or Protectimus Flex which is a replacement for an authentication app from Microsoft. This Azure cloud MFA hardware token does not require a premium subscription account.

In this article, we will describe how to set up both types of hardware tokens for Azure token-based authentication. All three devices can be bought here.

Classic OATH hardware tokens for Azure MFA – how to set up

Currently, Azure AD supports tokens with passwords not longer than 128 characters and password life-span of 30 and 60 seconds. Protectimus Two hardware OTP tokens fit these requirements.

Once you choose and receive the Azure MFA OATH token you prefer you need to register your token with Azure. Below is the step-by-step guide on this simple process:

Step 1. Prepare a CSV file that includes your UPN (user principal name), the serial number of the hardware token Azure MFA, the seed (secret key), time interval, make and model of the Azure AD MFA hardware token. Make sure to include a header row, the result should look something like this:

How to add OATH tokens to Azure MFA

Step 2. Once the CSV file is created and properly formatted it has to be imported. Go to Azure Portal and browse to Azure Active Directory, then to Security and to MFA. On the MFA page choose OATH tokens and click the “Upload” button. Upload your CSV file; the upload process might take a few minutes.

Azure two-factor authentication hardware tokens setup

Step 3. Click the “Refresh” button. If the CSV file was uploaded successfully you will see a list of your Azure AD hardware tokens, if the file had an error you will be notified on the same page:

File uploaded successfully:

Azure Multi Factor authentication Oath hardware tokens setup

File uploaded with errors:

Azure 2-factor authentication OATH hardware tokens

Step 4. Now you need to activate your Azure multi-factor authentication hardware token. If you have multiple tokens, you should activate them one by one. Click the “Activate” button at the lattermost column on the right and enter the password generated by the corresponding Azure MFA token. After that, click the “Verify” button.

Azure OATH tokens setup

Step 5. Once the MFA server accepts your one-time password you will get a message confirming the activation of the Microsoft Azure token you selected from the list and there should appear a check mark in the corresponding “Activated” column. Now your token is successfully activated and can be used to log in.

OATH tokens for Azure MFA setup - activated

Step 6. 2FA settings in the user account.

OATH tokens will be automatically set as the main 2FA method only if no other 2-factor authentication method is registered for a user yet.

OATH tokens as the only 2FA method

When logging in you’ll be asked to enter the code from your authentication app. Just enter the OTP from the hardware token, it will work.

OTP entry field

If any other 2FA method (for example, SMS-authentication) is already activated, it remains the main authentication method until you change 2FA settings in the user account. To activate OATH tokens as the main authentication method:

  • log in to the user account using your old 2FA method
  • go to Additional security verification settings
  • choose “Use verification code from app or token ” as the default verification option

How to set OATH token as the default 2FA method

Please note that you can use several two-factor authentication methods at once. For example, you can add a 2-factor authentication app as an alternative 2FA method.

How to set 2 two-factor authenticatication methods in Azure - 2FA app and OATH token

Just make sure to enroll in-app token without notifications.

How to configure 2FA app withoun notifications

In this case, both one-time passwords from hardware token and 2FA app will work when you enter any of them in this field:

OTP entry field

You can even use all three 2FA methods together (OATH token, 2FA app, and SMS authentication.

How to set 3 two-factor authenticatication methods in Azure - SMS authentication, 2FA app and OATH token

Programmable hardware tokens for Azure MFA

As has already been mentioned above – to use a classic Microsoft Azure MFA hardware token you need to have a premium subscription. But we know that not everyone is ready to pay 6 euros per month per one user. If you are not ready to pay too, programmable hardware tokens Protectimus Slim NFC or Protectimus Flex is the way to go for you. These tokens are recognized as authentication apps by the Azure MFA system, so you do not need a premium license to use them.

Adding Protectimus Slim NFC or Protectimus Flex as a recognized second factor of authentication to your Azure MFA is pretty straightforward. All you need to do is log into the MFA setup page, configure the authentication to recognize your Azure authentication token and program the device itself to be used for Azure MFA. The whole process takes mere minutes and is described in detail here.

Common questions

1. What about time-drift support in Azure MFA?

Microsoft does not provide any exact info on time drift with Azure MFA, but the implementation has been said to be based on RFC 6238 which suggests that the time drift is indeed supported. Azure MFA allows one-time passwords within a time range of 900 seconds, this means time drift support is not really necessary. But if you’d like to keep time drift issue under control, use Protectimus Slim NFC or Protectimus Flex tokens, which have a time synchronization feature now. The time is resynchronized when a secret key is flashed to the token.

2. Why hardware token is better for Azure MFA than 2FA apps, SMS, and phone calls?

A hardware token is by far the most bulletproof protection you can get for your data stored on a cloud. Such a device generates secure passwords without and needs no network connection whatsoever. With a hardware token you have an impenetrable wall between your data and anyone who tries to steal it. There’s simply no way for hackers to infect the device or intercept the generated codes. And if a hardware token is stolen or lost you most probably will notice it immediately, whereas with an infected app or intercepted SMS you might not know any damage is done before it’s too late.

3. Can I order hardware token with my company logo?

If you want Protectimus Slim NFC you can have the device branded even if your order is as small as one token. With Protectimus TWO custom branding is offered for orders over 1000 devices.

4. Does Protectimus Slim NFC support multiple secret keys (seeds)?

No, this token allows for one seed at a time. But Protectimus Slim NFC can be programmed to work for a different resource once you stop using the one you initially programmed it for.

Read more:

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Author: Anna

If you have any questions about two-factor authentication and Protectimus products, ask Anna, and you will get an expert answer. She knows everything about one-time passwords, OTP tokens, 2FA applications, OATH algorithms, how two-factor authentication works, and what it protects against. Anna will explain the difference between TOTP, HOTP, and OCRA, help you choose a token for Azure MFA, and tell you how to set up two-factor authentication for Windows or Active Directory. Over the years with Protectimus, Anna has become an expert in cybersecurity and knows all about the Protectimus 2FA solution, so she will advise on any issue. Please, ask your questions in the comments.

Share This Post On

1 Comment

  1. The Upload is greyed out for me. Do I have to be Global Admin or can a helpdesk role work?

    Post a Reply

Submit a Comment

Your email address will not be published.

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This