Azure Authenticator (MFA) Desktop App
Due to limited capability to use the Microsoft Authenticator Mobile app on a mobile device, there is a requirement to get a desktop version of the app that has the same functionality.
We make use of MFA for all remote users who are connecting to our network from a non-managed device (i.e. not a company laptop/desktop). These remote users would then be expected to use the Microsoft Authenticator app on a mobile device with the following authentication options:
- Text Code to my authentication phone number
- Notify me through app
- Use verification code from app
As we deal with many organisations globally, we are informed that in various countries these 3rd parties are either unable (prohibited by labour law or cost) or may not be willing to make use of their personal mobile device for the MFA app or to receive a token (via text or phone call).
For those who are unable, it is largely due to local labour councils that prohibit the use of personal devices for work purposes, and if this is required, the organisation will need to supply devices. We have also come across the issue in some markets whose users cannot afford a "smartphone", where the application cannot be installed or text cannot be received (due to cost constraints).
The other scenario is where a user is simply unwilling to make use of their personal device and will insist that a company mobile device is supplied.
For both scenarios, this quickly becomes cost prohibitive, where we would need to consider buying and shipping smartphones to these users.
A desktop version of the Authenticator client would assist in resolving many of the issues listed above; at the very least a user is able to generate a code on a laptop/desktop that we have already provided, with no further investment required.
After having investigated further, there are some (rather limited) open-source applications released as a desktop replacement for the Authenticator app.
One such application is WinAuth, which appears to work well; however, as this is open source, most organisations (including our own) are not comfortable with the deployment of applications that do not have further support, hence the request for an "Official" Microsoft Authenticator Desktop App.
Ryan D. Walker commented
Well that would be good for someone who steals a laptop! Hey look, cached creds let me in, and whammy, I can approve my own VPN connection back to the office network.
I don't think this is a good idea, sorry. Get a FIDO2 key.
Kalen von Olnhausen commented
In this case you would simply need to allow Azure AD joined/Hybrid Joined or Intune managed as the second factor or trusted device. Authenticator software would not provide any additional benefit.
There are significant security risks to this idea. You are logging on to said device with single factor and that is all that protects that MFA. As a result, malware can access it and use it without the end user being aware. This was demonstrated during a Black Hat conference a few years ago. This use case has also been classified as a high risk by auditing companies such as Mandiant.
There is indeed a big need for this in Enterprises:
- Landline numbers are not common anymore. People have flex places.
- Not all employees have a mobile device (smartphone) or want to use it for work.
- Companies do not want to invest in hardware oAuth devices like Yubikeys, because they already purchased Azure MFA!
- Under certain conditions the Desktop Authenticator app should be allowed for MFA requests.