About two weeks ago, I wrote a blogpost about using OATH tokens with Azure MFA. This is a great feature, as it enables workers without a corporate phone to use MFA. However, this does require an Azure AD premium license. What if you only have Office 365 E3 (for example), where the use of MFA for Office 365 is free, but you still want to provide your users with a hardware token device?
Token2 NFC Programmable tokens
Token2 has a solution: a hardware token that you can program via NFC, so you can burn the seed you retrieve from your MFA-provider. As a reaction on my previous blogpost, Token2 was kind enough to send me one of these programmable tokens to give it a try.
Disclaimer: I got the hardware from Token2. My review however, is purely based on my own expierences and not ‘sponsored’ in any way.
Hardware choices
There are several programmable tokens you can get, in both a creditcard and a keyfob format. To burn the seed to the token, you’ll need an NFC app on your Android phone (due to restriction on the operating system iOS is not supported), or a Windows app combined with a NFC reader plugged in to your USB-port (or of course an NFC-chip built in to your computer).
For my tests, I used the Token2 Mini-OTP3 card, a small card (64x34 mm) wich you can easily hang from your keychain or store in your wallet.
Burning the token
The process of burning the token is actually quite easy. Once you’ve downloaded the software, you can simply unpack and run it. No need to install. To get the seed to burn to the chip, visit the MFA settings page, using the account you want to provide with MFA. From here, click the ‘set up authenticator app’ link to get the QR-code for your token.
Note that the first QR-code you get is for setting up a mobile app. You’ll need to click the ‘configure app without notifications’ link to get the correct code.
When using a mobile NFC app on Android to set up your token, you can scan the QR-code. When using the Windows app, you’ll need to copy the ‘secret key’ from this screen and paste it in the ‘seed’ field in the app.
Because the seed from the MFA Settings page is only 16 characters, additional A characters will be added to the seed.
Once the seed is available in the app, turn on your token and place it on the NFC-reader. You’ll see a quick flash of the green led on the NFC-reader and the serial number of the token will be displayed in the app to verify the card can be read. Click the ‘burn seed’ button and wait for the burn to complete, which is nearly instant. You’ll see the ‘succesfull operation’ state in the app.
That’s it, you’re done! Go back to the MFA Settings page in your browser to complete the setup from there. You’ll need to enter the code displayed on the token to make sure it is indeed correct.
Using the token as an Azure OATH token
In the app, you have the option to create a random seed and burn this to the token. Combined, you can tick the ‘save as a CSV-file’ checkbox, which will save the details of the burned token to a CSV-file in a format ready for Azure AD. You can simply import the CSV file as described in my Previous blog post and use it the same way as you would with a ‘regular’ OATH token.
Reusing the token
If you want to reuse the token, for example if a user leaves the company and you want to move your token to a different user, you can simply ‘reburn’ the token with a new seed. This wipes the original seed and replaces it with a new one.
Wrap-up
The programmable tokens are a great way to supply end-users without a corporate phone with the possibility to do MFA on Office 365, without the need of an Azure AD Premium license. As you can also use these tokens to do OATH on Azure MFA when burning a random seed, it’s best of both worlds. If you are looking for hardware tokens to use with Azure / Office 365, I would suggest to buy the programmable ones. It provides with you the best flexibility.
