1

We're in the process of deploying TOTP tokens to all staff across the organisation via Azure AD. We strongly encourage all staff to use Microsoft Authenticator as the default, and those with company issued mobile devices already have it pushed out via MDM. We also encourage all others to install Microsoft Authenticator (or similar) on their personal mobile devices. We're almost done with the rollout, but there are already people coming to us saying they've lost their token, or regularly forget it at home. Currently we're temporarily disabling MFA, or issuing a new token.

As the IT department, we exist to serve the needs of the organisation and we don't have the power to stop people from working because they don't have their token. Most of our users care for vulnerable people in care home settings, so we can't just send them home. They NEED access to our systems if they're at work, full stop.

We've suffered a couple of phishing attacks recently that likely would have been prevented by MFA, which accelerated our rollout. The IT team all agree that we should never compromise our security standards for any one user's ignorance, incompetence, or forgetfulness... but we have to balance this with our obligations to the vulnerable people for whom our staff provide care.

Any tips or advice on how we could do this better? How do your organisations tackle these issues?

EDIT: I forgot to mention that IT are based at head office, and 80% of our staff are based in remote sites, many 1 hour or more by car away. We can't simply give users a new token on demand unless they work at head office.

ubercam
  • 111
  • 3
  • This question currently includes multiple questions in one. It should focus on one problem only. – Romeo Ninov Sep 21 '22 at 12:23
  • If they can be issued a new token, I don't see why they would be sent home. Unless IT doesn't work all shifts and cannot issue a token right away, or the process for issuing a token is dysfunctional. Either way, it is not uncommon for temporary exceptions in organizations where security is not the highest priority, although in my experience it seems more common for physical security keys. – Greg Askew Sep 21 '22 at 13:27
  • Thanks Greg, I forgot to mention, these staff are all working in remote locations relative to HQ where IT are based. We can't just issue a new token at the drop of a hat. – ubercam Sep 21 '22 at 14:19

2 Answers

1

This is why I use TOTP software that allows backups. Personally, I use Aegis (https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis) because of that option. It has an option to export a backup and move the backup to another phone if the device is lost or destroyed.

Otherwise, you are limited to the end service allowing single-use one-time codes.

hydrian
  • 47
  • 5
0

Generally, the approach to deal with cases where users are losing or forgetting their physical tokens is to implement more than one authentication method side-by-side.
For example:

  • implement "hard" tokens together with "soft" tokens. If users don't have a "hard" token with them, they use a "soft" token instead
  • have users enroll to other authentication methods (e.g. SMS)

It's hard to be more specific, because exact technical implementations vary and can be very complex depending on the current environment and requirements. But the idea is for users to have some alternative way to authenticate.

J-M
  • 1,930
  • 1
  • 11
  • 17