Azure MFA using hardware tokens

MFA (Multi factor authentication)


What is it?

Something you know – password

Something you have – phone or token

Something you are – biometrics (fingerprint, face scan)


MFA is all the rage these days, and so it should be. It allows users to add multiple layers of security to protect their identity, their assets and their company's data and assets.

So What?

MFA usually requires the user to have a mobile phone. This enables calls, texts and applications such as the Microsoft Authenticator app to act as verification options during the MFA process.

But what if the user doesn’t have a mobile phone? Or has one but doesn’t want to use their personal device for work?

Enter the alternative option…Hardware Tokens!

Now What?

Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice.

We have looked at one vendor in particular, called Token2.

They offer tokens that work with Azure AD MFA, which can be purchased as single tokens or as volume orders. The order process was simple and delivery (even during Covid-19) was relatively quick.

They provided an encrypted/zipped file that contained all the necessary information in .csv format (Azure AD .csv requirements) to upload to Azure AD MFA. Once uploaded, it was equally easy to activate the token for the assigned user.

NOTE: Before you upload the file you will need to edit it in Notepad and enter the UPN of the user that will use the token. Do not edit it in Excel, or the file will no longer work once uploaded.
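As an added example (not from the original post or from Token2), the Python sketch below fills in the UPN column without opening the file in a spreadsheet, checks each row against the OATH-TOTP SHA-1 and 30/60-second requirements mentioned above, and computes the code a token should display. The column header is the one Microsoft documents for the upload and is an assumption here, as are the sample row, the vendor and model names, and the function names.

```python
import base64, csv, hashlib, hmac, io, struct

# Header Microsoft documents for the upload (assumed here; the page does not quote it).
HEADER = ["upn", "serial number", "secret key", "time interval", "manufacturer", "model"]

# Constructed sample row: empty UPN, RFC 6238 test seed, hypothetical vendor/model names.
VENDOR_CSV = (
    "upn,serial number,secret key,time interval,manufacturer,model\n"
    ",0012345678,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30,ExampleVendor,ExampleModel\n"
)

def key_bytes(secret_b32):
    """Decode a Base32 seed, padding it first; raises ValueError if it is not Base32."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def assign_upns(vendor_csv, assignments):
    """Fill the upn column from {serial: upn}; all other fields pass through as text."""
    rows = [r for r in csv.reader(io.StringIO(vendor_csv)) if r]
    if [h.strip().lower() for h in rows[0]] != HEADER:
        raise ValueError("unexpected header: %r" % rows[0])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows[1:]:
        _, serial, secret, interval, maker, model = row  # ValueError on wrong column count
        if interval not in ("30", "60"):
            raise ValueError("token %s: interval must be 30 or 60" % serial)
        key_bytes(secret)  # reject a damaged seed before upload
        if serial not in assignments:
            raise ValueError("token %s has no user assigned" % serial)
        writer.writerow([assignments[serial], serial, secret, interval, maker, model])
    return out.getvalue()

def totp(secret_b32, interval, unix_time, digits=6):
    """OATH-TOTP with HMAC-SHA-1: the code a token with this seed shows at unix_time."""
    counter = struct.pack(">Q", int(unix_time) // int(interval))
    digest = hmac.new(key_bytes(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    print(assign_upns(VENDOR_CSV, {"0012345678": "user@example.com"}), end="")
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 30, 59))
```

The same seed gives a different code when the interval is 30 rather than 60, so the time interval in the file has to match the token. The file holds every token's seed, so delete working copies once the upload is done.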

The token experience – My MFA Arsenal

I started by uploading the .csv file to Azure AD. I wanted to be thorough in my review of these tokens so I tested a few different models.
Once a token was activated, it became available as an alternate method of authentication in the security settings of my user account.
To use the new token for authentication I needed to change the Default sign-in method.

In conclusion…

Tokens provide an alternative to otherwise requiring mobile phones for MFA verification.

Token2 in particular made it easy to order and receive the tokens, upload their information and configure the devices for use.

Their support process (something that is very, very important to me) was also quick (within an hour or less of submitting an email) and I was happily surprised when one of their support personnel even reached out to me via an MS Teams chat when I had questions.