I'm exploring options for USB FIDO2 tokens that work well with Microsoft 365, particularly for users who aren't comfortable using authenticator apps. The cheaper FIDO2 tokens seem to allow weak PINs like 1111 or 1234, which isn't secure enough for us. I'm looking for recommendations on tokens that enforce stricter PIN complexity without requiring central management. Ideally, we'd like to be able to purchase them in bulk and distribute them as needed. Any suggestions?
4 Answers
It's an interesting question—honestly, whether it's a tech or HR issue might depend on the team culture. But if you're handing out FIDO2 keys, might be good to pair it with a quick training session about security to get everyone on board!
Have you considered using user certificates for MFA in M365? It could be a good alternative to physical tokens and might meet your security needs without the hassle of managing lots of devices.
Definitely take a look at Token2 tokens! They might have the features you're looking for and are worth checking out.
Check out the YubiKeys! They have a PIN complexity policy that you might find useful. Just make sure to look into the specific firmware version, as sometimes the models available on sites like Amazon don’t always have the enforced PIN complexity you’re looking for. It’s a bit of a mixed bag, so double-check the source!
Yeah, we noticed the ones we got were running 5.7.1 and didn’t enforce the complexity. Do these need to be purchased directly from Yubico to get the better features?
True! A little training might help people understand why the keys are important.