Azure MFA with no phones
Yesterday I wrote a tweet to a few MS folks, some of whom graciously follow me. I am extremely humbled to have a Twitter network of extremely knowledgeable leaders who are providing and shaping some incredible direction at Microsoft. The tweet below was looking for some thoughts.

TL;DR…
So a few housekeeping items before I start. All information shared in this post is from my M365 development account. It goes through a scenario where you have a front line worker who needs to register for MFA but does not have an office or cell phone. I am pointing out a few tweets, and hopefully this post will generate some ideas for people to think through when deploying MFA in your org.
Allowing people to do landline based calls on a home phone:

A good rule prior to implementing MFA is having control of, and more importantly implicit trust in, where users are registering MFA from and the devices they are using to do the registration. Front line workers may not be working from home, so a landline verification probably will not work out so well. More importantly, if anyone is allowing end users to go through the registration process on personal devices, you would be better served by enabling the combined security registration feature and writing a conditional access policy that only allows combined security information registration from devices on the MFA trusted IP ranges, or from devices that meet certain device requirements such as hybrid Azure AD joined devices. The articles on how to do this are below.
PreReq1:
PreReq2:
These steps reduce the risk of social engineering attacks where someone calls into the help desk and asks for an MFA reset so they can register a device off prem. With conditional access policies in place that only allow registration from on-prem/trusted devices, the reset alone no longer lets them do that.
What about longer passwords?

I could do longer passwords. Default Microsoft guidance actually recommends 14 character passwords with no expiration. (Controversial, but I think this strategy is necessary.) I would love to see everyone get to the land of creating passphrases as passwords. These are good suggestions, but unfortunately not enabling MFA is not an option for me.
So enter the conundrum with Yubikeys:

Ann has a good suggestion here and it's something I had definitely thought of, but there are a few hurdles around this. I use YubiKey 5s with PIV functionality. Smart card and hybrid FIDO2 use with Azure is pretty awesome.
In order to use YubiKeys in an Azure AD environment you need to enable a few things.
PreReq1: Turn on Combined Registration. I suggest turning it on for all of your end users. It simplifies security registration and is a huge easy win.
PreReq 2: Enable passwordless security key sign-in
The devil in the details of the security key sign-in preview:
This link below will take you directly to user registration and management of Fido2 keys.
So here is the YubiKey issue. I've highlighted the important part. Unfortunately I can't add a YubiKey without registering an MFA method first (phone or app).

Just to illustrate that things are configured correctly in the authentication method policy:

You get only this upon first registration:

Unfortunately you can't add a FIDO2 key without first registering an authenticator app or phone, as shown above.
Microsoft, if you read this: please change this and allow FIDO2 to be used as an initial MFA registration method.
Some workaround methods and warnings:
I will come out and say this: this is not an ideal workaround. I would never promote keeping MFA access and the MFA token you register on the same PC. MFA tokens should really be decentralized and stored on a separate device.
Windows Marketplace: SAP Authenticator

This is an authenticator app that I am OK with. It's moderately well known and is supported for enterprise use. When you start this you will want to choose “I want to use a different authenticator app”.

Choose Next

Choose “can't scan this image”.

Next, copy the secret key.

Put the secret key into the SAP Authenticator app. Hit the checkmark when done.

Enter the 6-digit authentication code from the authenticator app.

At this point you should be done and registered.

So now on to hardcore mode
This is a geek's way to do 2FA with Azure in this scenario. It requires you to install Windows Subsystem for Linux. I went to the marketplace and installed the Ubuntu image. It's at the 20.04 LTS release now. For full reference I used the following URL for advice:
With Ubuntu some things in this article did not work, so here is the example workflow I used to test.
To Install:
sudo apt install oathtool
Sample Command:
oathtool -b --totp "privatekey"
Output: (This is time based so your output will be different)
640565
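To show what that oathtool call is actually computing (and to let you cross-check a code without the tool), here is an added Python implementation of RFC 6238 TOTP; it is not part of the original post. It assumes the oathtool defaults the post relies on (base32 secret, HMAC-SHA1, 30-second step, 6 digits) and uses the RFC 6238 reference key, base32-encoded, as a constructed sample secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: base32 of the ASCII string "12345678901234567890",
# i.e. the RFC 6238 reference key, so results can be checked against the RFC tables.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 secret as oathtool -b does: ignore spaces, case and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # base32 input must be a multiple of 8 chars
    return base64.b32decode(s)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (the oathtool --totp defaults used in the post)."""
    key = decode_secret(secret_b32)
    t = int(time.time()) if at_time is None else int(at_time)
    counter = struct.pack(">Q", t // step)             # 8-byte big-endian time-step counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation from RFC 4226
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)   # keep leading zeros


def verify(secret_b32, code, at_time=None, window=1, step=30):
    """Accept a code for the current step or +/- `window` steps to tolerate clock drift.

    Returns the matching step offset (e.g. -1 for the previous step) or None.
    Uses a constant-time comparison so the check does not leak matching digits.
    """
    t = int(time.time()) if at_time is None else int(at_time)
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, at_time=t + delta * step, step=step)
        if hmac.compare_digest(candidate, str(code)):
            return delta
    return None


if __name__ == "__main__":
    print("Current code for the sample secret:", totp(SAMPLE_SECRET))
```

Feeding the same base32 secret to `oathtool -b --totp` at the same moment gives the same 6 digits, which is a quick way to confirm your copied secret key is intact before you encrypt it.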
Generate GPG key: (process outlined below)

Create shell script: replace the email address and the full key ID (both from gpg --list-secret-keys) with your own. Don't forget to “chmod +x” your shell script.
encrypt.key.sh (Sample Below)
#!/bin/bash
# Purpose: Encrypt the totp secret stored in $dir/$service/.key file
# Path to gpg binary
_gpg="/usr/bin/gpg"
## run: gpg --list-secret-keys --keyid-format LONG to get uid and kid ##
# GnuPG user id (the email address on your key)
uid="email address"
# GnuPG key id (the long key id / fingerprint of your key)
kid="Full Public Key"
# Directory that stores encrypted key for each service
dir="$HOME/2fa"
# Now build CLI args
s="$1"
k="${dir}/${s}/.key"
kg="${k}.gpg"
# failsafe stuff
[ "$1" == "" ] && { echo "Usage: $0 service"; exit 1; }
[ ! -f "$k" ] && { echo "$0 - Error: $k file not found."; exit 2; }
[ -f "$kg" ] && { echo "$0 - Error: Encrypted file \"$kg\" exists."; exit 3; }
# Encrypt your service .key file, then offer to delete the plain-text copy
$_gpg -u "${kid}" -r "${uid}" --encrypt "$k" && rm -i "$k"
Next make decrypt.key.sh
#!/bin/bash
# Purpose: Display 2FA code on screen
# Path to gpg binary
_gpg="/usr/bin/gpg"
_oathtool="/usr/bin/oathtool"
## run: gpg --list-secret-keys --keyid-format LONG to get uid and kid ##
# GnuPG user id (the email address on your key)
uid="email address"
# GnuPG key id (the long key id / fingerprint of your key)
kid="Full Public Key"
# Directory
dir="$HOME/2fa"
# Build CLI arg
s="$1"
k="${dir}/${s}/.key"
kg="${k}.gpg"
# failsafe stuff
[ "$1" == "" ] && { echo "Usage: $0 service"; exit 1; }
[ ! -f "$kg" ] && { echo "Error: Encrypted file \"$kg\" not found."; exit 2; }
# Get totp secret for given service (decrypted in memory only, never written to disk)
totp=$($_gpg --quiet -u "${kid}" -r "${uid}" --decrypt "$kg")
# Generate 2FA totp code and display on screen
echo "Your code for $s is ..."
code=$($_oathtool -b --totp "$totp")
## Copy to clipboard too ##
## if xclip command found on Linux system ##
type -a xclip &>/dev/null
[ $? -eq 0 ] && { echo "$code" | xclip -sel clip; echo "*** Code copied to clipboard too ***"; }
echo "$code"
# Make sure we don't have .key file in plain text format ever #
[ -f "$k" ] && echo "Warning - Plain text key file \"$k\" found."
So during the MFA process, when you get to the point where you are issued a secret key:

Copy the key and issue the following command in Ubuntu:
oathtool --base32 --totp "secret key here"

Paste the 6-digit code that is generated into the area below and click Next.

At this point you should be finished.
Finally we need to protect this secret key with the PGP key we created earlier. Below is how to create the two directories the scripts expect (the second nested inside the first):
~/2fa
~/2fa/msauthenticator
Along with the directories we will create a .key file inside the msauthenticator directory and insert our secret key into it by doing:
echo -n "your secret key here" > .key
The entire process is in the screenshot below.

Now that we have the key created, we need to protect it using our PGP key.
Navigate to the root of your home directory.
Issue the following command:
./encrypt.key.sh msauthenticator

Select yes to remove the regular file. It's unencrypted and not protected.
To get an authentication code run: ./decrypt.key.sh msauthenticator

You should now have a code for 2FA to use along with your password.