I'm on the hunt for FIDO2 USB tokens to use with Microsoft 365, particularly for users who either cannot or prefer not to use an authenticator app. I've noticed that the cheaper FIDO2 tokens allow for very simple PINs, like '1111' or '1234'. What are some options that ensure a higher standard of PIN complexity but don't require central management? Ideally, I'd love to buy these tokens in bulk and distribute them as needed.
4 Answers
Another choice to consider is using user certificates as a multi-factor authentication method within Microsoft 365. It might add a layer of complexity but can be effective.
Definitely check out Token2. They have a variety of FIDO2 tokens, and some of them might fit your criteria for stronger PIN enforcement without the need for centralized management.
Honestly, the issue of users not wanting to use authenticators could be more about training or preference than technical problems. Sometimes making the FIDO2 key the go-to option helps them adjust. Handing out the keys as a straightforward solution might just work if you present it well!
You might want to check out YubiKeys. They have a PIN complexity policy, but just a heads up: it looks like the firmware version of the YubiKeys you buy might affect whether or not PIN complexity is enforced. We got ours from Amazon, and they don’t seem to have that enforcement. It might be best to purchase directly from Yubico or a trusted distributor to ensure they meet your requirements.
That’s frustrating! I thought the YubiKey site was pretty clear on their policy, but this seems to be a common issue. You might want to reach out directly to Yubico or check their official store.
Yeah, I agree! Sometimes it's about how these tools are introduced to the team. If they see it as an easy way to access their accounts, they'll be more likely to adopt it.