In the past few months, I was involved in several Azure Identity & Access Security projects. All of them had one thing in common: rolling out multifactor authentication. 90% of the time, I instructed the end-users to use their private mobile phones and install the Microsoft Authenticator app for the MFA requests. But in some cases, some of those users voiced concerns. Comments such as, “I won’t install the Microsoft Authenticator app on my private phone. I will, but only on one condition, if I get compensation from the company.”
These concerns led to questions from the customers about the technical and legal situation. As a result, I had to quickly find an alternative solution to these challenges. I discovered the hardware tokens from Token2. With this solution, the users are not forced to install the Microsoft Authenticator app and the accounts can still be secured with MFA.
In the meantime, I did some digging about the legal situation in Switzerland related to this topic. So in the following blog post, I will discuss not only the technical aspects of hardware tokens but also the legal context to help companies adjust their policies for such scenarios.
Legal situation
Generally speaking, employers have no right to force you to install an app on a private mobile phone. However, the following situation arises: to secure the access to company resources with MFA, you require a mobile phone to install the Microsoft Authenticator app. But you don’t have a company phone, only a private one. If nothing is regulated by an internal policy, you, as an employee, can calmly refuse to install the app. Theoretically speaking, it violates your privacy. But ask yourself if it’s really necessary to make a fuss about that app…
From an employer’s perspective, it’s important to regulate this in your policies if there are concerns among your employees. If you require your employees to use their personal mobile phones for work purposes, you must provide compensation. This could be in the form of a small monthly payment or providing a company phone (Art. 327a Swiss Code of Obligations). It’s crucial to ensure that these policies are clear, fair, and respect the privacy rights of your employees, but also of the company itself. It is wise to review the policy with a lawyer.
Why hardware tokens and why Token2?
You will definitely ask why I chose hardware tokens instead of FIDO keys.
Here is my answer:
Hardware tokens are cheaper and offer a simpler user experience than FIDO keys. They don’t require a USB port or NFC to function, and can generate one-time passwords without an internet connection. However, FIDO keys provide higher security and are less prone to phishing attacks, so the choice between the two should depend on the organization’s specific needs and capabilities. In my projects, cost and usability were always the selling points of the hardware tokens for the customers.
Why should I choose Token2 tokens?
Here is my answer:
“Token2 is a cybersecurity company specialized in the area of multifactor authentication. Founded by a team of researchers and graduates from the University of Geneva with years of experience in the field of strong security and multifactor authentication, Token2 has invented, designed and developed various hardware and software solutions for user-friendly and secure authentication. Token2 is headquartered in Geneva, Switzerland” (Token2, 02.2024)
Technical
Prerequisites for Token2
- Entra ID Premium P1 or P2 license for classic tokens.
- Entra ID Free/Basic license for programmable tokens or FIDO2 keys.
- “Microsoft Entra ID supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice. Hardware OATH tokens are available for users with a Microsoft Entra ID P1 or P2 license.” (Microsoft, 2024)
Main difference between classic tokens and programmable tokens
Classic tokens can only be used with an Entra ID P1 or P2 license and have to be set up by the IT department, whereas programmable tokens can be set up by the end-user and used with every Entra ID license. With programmable tokens, you can set the shared secret key hashes (seeds) yourself, which means this data is only available to your organization. Furthermore, you can configure more than one system on a programmable token, which makes it an alternative to the Microsoft Authenticator app, for example. Classic tokens are a bit cheaper than programmable tokens, and their seeds are delivered by Token2.
Description of the token
Power button: To power on the display
Battery symbol: For battery capacity
Time bars: Show how long the code is still valid
TOTP code: Code itself
Configure token for MFA via Entra ID
In this scenario, I’m using a programmable token with Entra ID P2 licenses. Follow these steps to configure the Token2 tokens for a scenario like this:
- Purchase tokens via https://www.token2.com/
- Create an account on Token2
- Request shared secret key hashes (seeds)
- After purchasing the tokens, you have to request the secret key in order to import it into Entra ID. To do so, you can follow the steps in the Token2 manual “Requesting factory-set seeds for Token2 hardware tokens”. If you have programmable tokens, you can create the seeds yourself instead; see “Generate my own seeds and Azure CSV file for programmable tokens”.
- After receiving the seeds, you have to create a CSV file for the import into Entra ID.
- At this point you have to associate the tokens with users, so you need to know who will use each token.
- The CSV has to be like:
- Import the CSV-file under Entra ID -> Security -> Multifactor authentication -> OATH tokens (Preview) -> Upload.
 
- After uploading the CSV, activate the tokens. To do so, click the Activate button and type in the code currently displayed on the token itself.
- In the end, you should see the configured token under the authentication methods of the user.
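As an added example (not part of the original post and not Token2's own tooling), the Python below covers the seed and CSV steps for a programmable token: it generates a Base32 seed, writes the upload file with the column header from Microsoft's OATH token documentation, and computes the RFC 6238 SHA-1 code the token should display when you activate it. The UPN, serial number and model are constructed sample values.

```python
import base64, csv, hashlib, hmac, io, secrets, struct

# Column header from Microsoft's documentation for the Entra ID OATH token upload.
HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

def new_seed(num_bytes=20):
    """Random seed from the OS CSPRNG, Base32-encoded for the 'secret key' column."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")

def totp(seed_b32, unix_time, interval=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA-1, the variant Entra ID accepts."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // interval)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def build_csv(tokens, interval=30):
    """tokens: iterable of (upn, serial, seed_b32, manufacturer, model) tuples."""
    if interval not in (30, 60):
        raise ValueError("Entra ID accepts 30 or 60 second tokens only")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for upn, serial, seed, manufacturer, model in tokens:
        base64.b32decode(seed, casefold=True)  # reject a seed that is not valid Base32
        writer.writerow([upn, serial, seed, interval, manufacturer, model])
    return out.getvalue()

if __name__ == "__main__":
    import time
    seed = new_seed()
    # Constructed sample values: UPN, serial number and model are placeholders.
    print(build_csv([("alice@example.com", "T2-0000001", seed, "Token2", "ExampleModel")]))
    print("Code the token should show now:", totp(seed, time.time()))
```

The CSV holds every seed in clear text, so keep it off shared drives and delete it once the upload and activation are confirmed.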
 
Sources: Authentication methods in Microsoft Entra ID – OATH tokens, Token2





