58 votes, 9 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
There is planned work to address this scenario. We don’t feel that backup codes provide a good security option as they’re often misplaced. Also, it’s hard to have users print them out and have them when they’re needed. Instead, we are looking at a time-limited passcode that could be generated either by the user (just in time when it’s needed) or by an admin (for example a helpdesk agent). The organization admin would have control over when a user could generate these codes. The code can be used for a limited time, then it will no longer be valid.
Note – for areas with limited cellphone connectivity (or roaming charges), the code generated in the authenticator app will allow MFA login. The time-limited passcode is meant to stand in if the user temporarily forgot/lost their phone.
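The admin response above describes a passcode design with several properties: it is short-lived, it may be generated by the user or by a helpdesk admin, an organization policy controls whether users may generate one themselves, and it stops working once its window has passed. The following is an added example written for this page, not Microsoft's code and not how Azure MFA implements the feature; it models those properties with the Python standard library, storing only a hash of the code and treating the code as single-use. The names `OrgPolicy`, `PasscodeStore`, `FakeClock` and `demo` are assumptions made for the illustration, and the injectable clock exists only so expiry can be exercised without waiting.

```python
"""Time-limited passcode issuance and validation (illustrative, not Azure MFA code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class OrgPolicy:
    # Assumed policy knobs modelled on the response: who may issue, how long a code lives.
    users_may_self_issue: bool = True
    lifetime_seconds: int = 15 * 60
    single_use: bool = True


@dataclass
class _Record:
    code_hash: bytes       # only a hash is stored, never the code itself
    expires_at: float
    used: bool = False


class PasscodeStore:
    def __init__(self, policy: OrgPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock          # injectable for testing expiry
        self._records: dict[str, _Record] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user: str, requested_by: str, is_admin: bool = False) -> str:
        """Issue a fresh code for `user`. Helpdesk admins may always issue;
        a user may issue only for themselves and only if policy allows it."""
        if not is_admin and (requested_by != user or not self.policy.users_may_self_issue):
            raise PermissionError("policy does not allow self-issued passcodes")
        code = f"{secrets.randbelow(10**8):08d}"   # 8-digit code from a CSPRNG
        expires_at = self.clock() + self.policy.lifetime_seconds
        self._records[user] = _Record(self._hash(code), expires_at)  # replaces any older code
        return code

    def verify(self, user: str, code: str) -> bool:
        """Accept the code only if it is unexpired, unused (when single-use) and matches."""
        rec = self._records.get(user)
        if rec is None:
            return False
        if self.clock() > rec.expires_at:
            del self._records[user]           # expired codes are purged on first touch
            return False
        if rec.used and self.policy.single_use:
            return False
        if not hmac.compare_digest(rec.code_hash, self._hash(code)):
            return False                      # constant-time comparison of the hashes
        rec.used = True
        return True


class FakeClock:
    """Constructed clock so the example can move time forward deterministically."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through the lifecycle: accept, reject replay, reject wrong code, reject expiry, enforce policy."""
    clock = FakeClock()
    store = PasscodeStore(OrgPolicy(lifetime_seconds=600), clock)
    results = {}

    code = store.issue("alice", requested_by="alice")          # user self-issues
    results["fresh_code_accepted"] = store.verify("alice", code)
    results["replay_rejected"] = not store.verify("alice", code)

    code2 = store.issue("alice", requested_by="helpdesk", is_admin=True)  # helpdesk issues
    wrong = code2[:-1] + str((int(code2[-1]) + 1) % 10)        # guaranteed mismatch
    results["wrong_code_rejected"] = not store.verify("alice", wrong)
    clock.advance(601)                                         # past the 600 s lifetime
    results["expired_rejected"] = not store.verify("alice", code2)

    strict = PasscodeStore(OrgPolicy(users_may_self_issue=False), clock)
    try:
        strict.issue("bob", requested_by="bob")
        results["self_issue_blocked"] = False
    except PermissionError:
        results["self_issue_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the defender: the store keeps a hash rather than the code, so a database read does not yield usable passcodes, and a code is consumed on first successful use, so a code observed on a printout or in a ticket cannot be replayed later in its window.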
Backup codes are not secure. If you do not force users to keep them encrypted in a safe box, they will simply print them and store them in their wallet. Then, when their device and wallet are stolen, it's extremely easy to get access to the system. I personally would opt for a multi-factor authentication scenario, which for me means that they are able to use a code from the app, an SMS code, a push notification, a backup email, or app verification rather than a backup code. Using backup codes in the enterprise for end users simply decreases the level of security.
83 votes, 5 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
We aren’t planning to add the ability to enable MFA per-user to the Account Administrator, but we do have planned a limited admin role that will be able to perform that function, along with other MFA related settings. If you’ve implemented MFA through Conditional Access policy instead of the per-user enablement, you can use the Conditional Access Policy admin to control who has to do MFA.
133 votes, 13 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
Azure MFA is currently designing the experience for FIDO 2.0. This is the next iteration of the FIDO U2F standard that the link references.
Using Yubico with AAD would be great, especially since they have a new version of the keys (even in a blue/azure colour), the new key passed FIPS certification, and from Yubico's perspective they are going to support Azure. As it's possible to use Yubico for logging in to a Windows machine... maybe using it against AAD will be possible too.
We are hoping to support more datacenters in the future, especially in the Asia/Pacific region, but it is not currently planned for the short term.
838 votes, 175 comments · Azure Active Directory » Multi-factor Authentication · Admin response:
This feature is now on the roadmap. The MFA team is planning to adjust admin roles or create a new role that will allow delegation of MFA registration and credentials to an admin role.