The Azure AD team announced support for OATH hardware tokens in Azure MFA at Ignite last year. Until this week I hadn't had a chance to try the feature myself, so I set it up on my own to keep broadening my Azure AD knowledge.

Currently there are three vendors listed as supported token providers: Token2, Yubico, and DeepNet Security. Based on positive past experiences with Yubikeys, I opted for Yubico for this test. That may have turned out to be a mistake, but more on that later.

The Yubikey 5 arrived a couple of days later and I set out to configure it. I read through the documentation and realized I was going to have to generate a base32-encoded OATH secret for use with this key. I did this manually, since I had a single key to configure. If you are doing this for a large user base, work with your token vendor to obtain a pre-generated token file containing all of your purchased tokens and the corresponding secrets and serial numbers; generating and tracking secrets yourself for hundreds or thousands of users would be tedious at best. If you are activating one or two keys for a test, I would recommend downloading and using OATH Toolkit for Linux. There are also websites that will generate a secret in your browser, but a secret produced by someone else's web page is, by definition, a secret that page could have seen; generating it locally keeps the shared secret on your own machine. Whether you accept that risk for a throwaway test is up to you.

Once you have generated the secret (OATH Toolkit download: https://www.nongnu.org/oath-toolkit/download.html) and gathered your token serial number, you will need to fill out a CSV file similar to the one below. Ensure you preserve the header row.

upn,serial number,secret key,timeinterval,manufacturer,model
user@yourdomain.com,1234567,1234567890abcdef1234567890abcdef,30,Yubico,HardwareKey

The secret key shown is only a placeholder; the real value must be the base32 string you generated (characters A-Z and 2-7), and the time interval must match what you program into the key (30 seconds here).

Additionally, you will need to program your Yubikey with the same secret. Download the YubiKey Manager CLI (ykman) and run the following command with your own values substituted (ensure your Yubikey is plugged into your computer and recognized by the application). When the secret is omitted from the command line, as below, ykman prompts for it, which keeps the secret out of your shell history; the defaults are TOTP, 6 digits, SHA-1 and a 30-second period, which match the CSV above.

PS C:\Program Files\Yubico\YubiKey Manager> .\ykman.exe oath add user@yourdomain.com

Now you can head over to the Azure AD portal and locate the MFA settings. It isn't hard to find, as it is clearly labeled MFA,

and then, in the next menu, locate OATH Tokens.

On this screen, upload the CSV and wait for it to process. It will indicate whether or not the upload was successful. Refresh the page after about 15 seconds and you should see your token(s) populated. Click 'Activate' next to any token you want to enable for the corresponding user, and enter the code the token currently generates when prompted. This activation check is what proves the secret and time interval you uploaded match what the key was programmed with; if the code is rejected, re-check the secret in the CSV against the one you entered into ykman.

I mentioned earlier that using the Yubikey might have been a mistake. The reason is that the Azure MFA implementation of OATH uses TOTP, which is time based. A Yubikey has no clock, so to generate a valid code it needs something to hand it the current time. In comes the Yubico Authenticator mobile app, which supplies the phone's time over NFC or USB and displays the resulting code. This creates a slightly odd scenario in which the user needs their phone, the Yubikey and their password. (Yubico Authenticator on a desktop, or ykman's oath code command, can supply the time instead of a phone, but something with a clock is always in the loop.) This might prove too cumbersome in end-user testing, so be sure to consider it when selecting a token vendor.
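As an added example (not code from the original post, and not Microsoft's or Yubico's code), the following Python script does locally what the post's OATH Toolkit and browser-generator options do: it generates a base32 secret, writes an upload CSV with the header shown earlier, and implements the RFC 6238 TOTP calculation that both the Yubikey (once the phone supplies the time) and Azure perform, so you can see exactly why a time source is needed and what the activation check compares. The UPN, serial number and skew window are assumed values for illustration.

```python
"""Added example: generate an OATH secret, write the Azure MFA upload CSV,
and compute/verify the TOTP that the token and Azure both derive from it.
Stands in for OATH Toolkit; the header and row layout follow the post's CSV."""
import base64
import csv
import hashlib
import hmac
import io
import secrets
import struct
import time

# Header as used in the post's upload file; preserve it exactly in the real file.
CSV_HEADER = ["upn", "serial number", "secret key", "timeinterval", "manufacturer", "model"]


def generate_base32_secret(nbytes: int = 20) -> str:
    """Return a random OATH secret, base32-encoded without '=' padding.

    20 bytes (160 bits) is the RFC 4226 recommended minimum for the HMAC-SHA1 key.
    Azure expects base32 (A-Z, 2-7); hex strings like the placeholder in the post's
    CSV are not valid base32. Generated locally so the secret never leaves this host.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def build_upload_csv(rows):
    """Render rows (dicts keyed by CSV_HEADER) as the CSV Azure MFA imports."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_HEADER, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def totp(secret_b32: str, timestamp: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time.

    The Yubikey computes this once the phone hands it the time; Azure computes the
    same value on its side and compares. Without a timestamp there is no code.
    """
    # Re-add the padding stripped for the CSV; base32 decoding needs multiples of 8 chars.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(timestamp) // period            # number of whole time steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: float, period: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of clock skew.

    The window is an assumed value; a real verifier also records used codes so a
    captured OTP cannot be replayed within the window.
    """
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, timestamp + step * period, period)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    secret = generate_base32_secret()
    print(build_upload_csv([{
        "upn": "user@yourdomain.com", "serial number": "1234567",   # assumed values
        "secret key": secret, "timeinterval": "30",
        "manufacturer": "Yubico", "model": "HardwareKey",
    }]))
    print("code to enter at activation:", totp(secret, time.time()))
```

The same secret string goes into the CSV and into the ykman prompt; the code printed at the end is what the Activate dialog expects, and the verify function shows why a phone whose clock is more than a step or two off will produce codes Azure rejects.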

If your user account is already enrolled in MFA, you can attempt to log in and choose the 'enter a code' authentication method. Then open the Yubico Authenticator app and tap your Yubikey on the NFC reception point of your phone, which generates an OTP in the app. Type the code into the authentication page to finalize your login.

Azure MFA users can now have up to five separate second-factor devices, and you may want to change your settings to use the hardware token as a backup, or as the primary method. You can accomplish this by logging into https://myapps.microsoft.com, clicking on your username, then clicking 'Additional Security Verification' and editing your settings as seen below.

Takeaways

All in all, the hardware token setup was pretty easy. There was a little more complexity than I would have liked, but sometimes that is just reality with the initial release of a feature. In any case, I am extremely glad to see this functionality arrive in Azure AD. Here are some takeaways that should give you food for thought if you pursue this solution in your organization: