I'm looking for some advice on using multi-factor authentication (MFA) in a unique situation. We operate in Microsoft 365 with MFA enabled, which generally works well. However, we have a scenario where we need access to a computer at a corrections facility that doesn't allow cell phones or laptops on the premises. As a result, we're limited to either USB-based solutions or potentially older methods like RSA tokens. It's important to note that this is for just three users, and I've had little luck getting responses from MFA service providers. We also have Okta available but the communication has been frustrating. Any thoughts or suggestions?
8 Answers
Have you looked into using YubiKey? It offers a combination of something you know (your password) and something you have (the YubiKey itself). Given the scenario, it's a solid option. You could also consider Windows Hello for Business, which ties the computer into the authentication process.
Another option is to exclude that specific device from conditional access, or simply invest in YubiKeys for your team.
If you're open to old-school methods, consider standard TOTP devices that store the key for code generation, similar to RSA tokens. Token2 has some nifty options for that.
Consider creating a special user account that only has access to what's absolutely necessary. This account could potentially be exempt from MFA altogether. Do they just need access to their email, or is there more to it?
They need access to a Citrix gateway as well, which complicates things a bit. Email would have been easier, but it's not just that.
Have you thought about creating a policy to exempt this user from MFA based on the machine's IP address? I’ve heard of this being done before.
Definitely a +1 for YubiKey. Another alternative is the SafeNet OTP Display Card, which can be useful when you can’t use an authenticator app due to restrictions.
Using Hello for Business or getting a YubiKey could work well for your situation. It allows for a more secure login without needing mobile devices.
You can also use a landline phone to receive OTPs via voice call for 365 MFA, which could be a workaround for your situation.
Thanks for the YubiKey suggestion! I reached out to their sales team to see what options they can offer.