FAQ: OATH/TOTP hardware tokens with Azure Active Directory

FAQ - FIDO2 Security Keys FAQ - Office365/ Azure AD (Microsoft Entra ID) MFA

Which model of hardware tokens can I use with Azure AD (Microsoft Entra ID) MFA?

We sell two types of hardware tokens: programmable and classic (non-programmable). To be able to benefit from classic tokens (they are relatively cheaper), you must have Azure AD (Microsoft Entra ID) Premium license P1 or P2. The enrollment is done by the global tenant administrator. If you are not sure about which Azure AD (Microsoft Entra ID) license your tenant has, have a look at this guide.

Will you send me the CSV file compatible with Azure MFA?

Yes, but only after you confirm the delivery. By requesting the seeds, you acknowledge the delivery and will not be able to request a refund or resending the tokens in case the delivery fails or products arrive damaged etc. The process of requesting the seeds is described here.

Can I reassign the token to a different user?

Yes. Once you remove the association of a token to a user, you can upload a new CSV with a new association (new username/UPN) and activate.

Can I assign the same token to multiple users?

Yes, it is currently possible. Azure MFA is not checking the uniqueness even within the same tenant. However, as this goes against the RFC recommendation, this may be restricted in the future.

I don’t have Azure AD (Microsoft Entra ID) Premium; can I still use hardware tokens for MFA?

Yes, but only programmable tokens. They act as drop-in replacement for mobile authenticator apps (such as Microsoft Authenticator). The enrollment is done on behalf of end users.

I have Azure AD (Microsoft Entra ID) Premium; can I use programmable tokens by importing the CSV file, or do I have to manually program each token?

Both classic and programmable TOTP tokens come with factory-set seeds. So, in case of programmable tokens, you don’t have to program them, you can request the CSV file of the factory-set seeds and import it directly. The procedure is exactly the same as with classic hardware tokens.

What is the benefit of using programmable tokens if we have Azure AD (Microsoft Entra ID) Premium?

While the programmable tokens are mainly used to avoid purchasing Azure AD (Microsoft Entra ID) Premium licenses, there are use cases even for customers having AD Premium, such as:

- With programmable tokens you set the seeds yourself, so you are sure this data is only available for you (our systems are quite secure,  but some organizations have strict policies on that)

- With programmable tokens you can use the same token for 2 systems, i.e. Google and Azure AD (Microsoft Entra ID) at the same time. So, for example, the token will be provisioned using NFC Burner app for Google account, and the same seed will be imported to Azure MFA - this will make the same token work for both systems (see an example here).

- It is a better investment protection: we expect our tokens to last up to 8 years (depending on the model and usage frequency), so if later you decide to use the hardware with another system, you can easily reprogram them. 

I don’t have Azure AD (Microsoft Entra ID) Premium; can the token be enrolled by the end users without the help from IT Staff?

With our NFC-programmable tokens  the main requirement is having an NFC-device to run the NFC burner app, however, we realize that main scenario of using hardware tokens is when users have no smartphones at all (otherwise they would have used a mobile authenticator for MFA).

In this context, a solution we can recommend is using one of our USB-programmable tokens that do not require any additional hardware to be provisioned (only a USB port is required).

Can I use FIDO2 keys for Azure MFA?

The primary purpose of FIDO2 keys is for Azure Passwordless, not Azure MFA - and these are two different concepts. Although some of our FIDO2 keys support TOTP protocol as such, the security keys are not standalone TOTP tokens:  TOTP functionality of our FIDO2 keys is limited and requires an additional device to run the companion app. The key in this case is only used as secure storage for the TOTP seeds. If you need a fully standalone TOTP token, it is recommended to use our programmable tokens instead.

Once I activate the hardware token for a user, does this affect the way the user logs in to his/her workstation?

No, logging in to a workstation does not change when MFA is enabled. There is currently no native method of enabling MFA for Windows login. To change the way users log in to Windows 10 machines, you can use FIDO2 keys, which can be used for Passwordless method if your machine is using Azure AD (Microsoft Entra ID) or Hybrid AD (and this method is different from MFA) or benefit from third-party solutions, such as UserLock or multiOTP.