About three months ago Microsoft announced the availability of OATH TOTP hardware tokens in Azure MFA. The feature is still in "public preview", but we see many of our customers using it in production already. As we have been testing it in our lab environment for the last couple of months and, in many cases, assisting our customers with the activation of the feature, we have some observations that we believe are worth sharing.
Time drift and skew support
Microsoft has not published exact specifications about whether time drift of a token is detected and compensated on the server side, but since they state that the implementation is based on RFC 6238 (which describes resynchronization by searching neighbouring time steps), this may indirectly mean that drift handling is supported. Details of the accepted time skew are not disclosed either, but that was easier to find out by experimenting with our TOTP toolset: it turns out that Azure MFA accepts OTP codes from within a 900 second time range. With such a large skew allowance, explicit time drift adjustments are not even necessary in practice. The flip side is worth keeping in mind: a verifier that accepts every code from a 900 second range treats 30 or more 6-digit codes (with a 30 second time step) as valid at any instant, so the per-guess success rate of an online guessing attack is correspondingly higher than with a single-step window, and throttling and lockout on the sign-in endpoint carry more of the load.
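To make the skew discussion concrete, here is an added example (our own illustration, not code from Microsoft or from the Azure MFA service) of an RFC 6238 verifier that accepts codes within a configurable window. The secret is the RFC 6238 test-vector key "12345678901234567890" in base32; the 30 second step, 6 digits and HMAC-SHA1 are assumptions matching the common hardware-token profile. The block treats the tolerance as a symmetric window of ±skew seconds; since the page does not say whether Azure's 900 seconds is the full width or the half-width of the window, both ±450 and ±900 are shown.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # assumed time step in seconds (TOTP hardware tokens commonly use 30 or 60)
DIGITS = 6     # assumed code length

# RFC 6238 test-vector key "12345678901234567890", base32-encoded (constructed input)
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def window_steps(skew_seconds: int, step: int = STEP) -> int:
    """Number of time steps a verifier with +/-skew_seconds tolerance checks per attempt."""
    return 2 * (skew_seconds // step) + 1


def verify(secret_b32: str, code: str, at: int, skew_seconds: int, step: int = STEP):
    """Accept `code` if it matches any time step within +/-skew_seconds of `at`.

    Returns the matching offset in steps (negative = token is behind the server),
    which is what a drift-tracking server would store, or None if nothing matched.
    """
    steps = skew_seconds // step
    for delta in range(-steps, steps + 1):
        candidate = totp(secret_b32, at + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return delta
    return None


def accepted_codes(secret_b32: str, at: int, skew_seconds: int, step: int = STEP) -> set:
    """Every distinct code the verifier would accept at instant `at` with this tolerance."""
    steps = skew_seconds // step
    return {totp(secret_b32, at + d * step, step) for d in range(-steps, steps + 1)}


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET_B32, now))
    # A token that is 7 minutes slow still gets in with a +/-450 s window, not with +/-30 s.
    slow_code = totp(SECRET_B32, now - 420)
    print("slow token, +/-450 s window:", verify(SECRET_B32, slow_code, now, 450))
    print("slow token, +/-30 s window: ", verify(SECRET_B32, slow_code, now, 30))
    for skew in (30, 450, 900):
        print(f"+/-{skew:>3} s: {window_steps(skew):>2} steps checked, "
              f"{len(accepted_codes(SECRET_B32, now, skew))} distinct codes valid right now")
```

The `verify` return value is the piece a drift-aware server uses: once a token has been seen consistently at, say, -3 steps, the server can centre future windows there instead of widening them. With a ±450 s window the verifier already checks 31 steps on every attempt (61 at ±900 s), so the number of codes that count as correct for a single guess, and therefore the value of lockout and rate limiting, scales with the tolerance.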
Hardware token “uniqueness”
Surprisingly, Azure MFA allows assigning the same hardware token to multiple users. It accepts not only duplicate base32 seeds, but also duplicate serial numbers and models, even within the same tenant. In practice this means one physical token (or a leaked seed) can satisfy the second factor for several accounts, and a duplicated serial number makes it ambiguous which token is being revoked or reassigned later, so it is worth checking an upload file for duplicate seeds and serial numbers yourself before importing it.
Licensing aspects
This is not a new observation: Microsoft's documentation states clearly that hardware token activation requires Azure AD P1 or P2 licenses. We had a few customers willing to benefit from introducing hardware tokens with their Office 365 subscriptions, but not ready to pay around 5-6 EUR per user per month just for such a trivial feature.
Our recommendation for this case is to use one of our programmable hardware tokens. No additional license is needed for that, as our programmable tokens are "seen" by the system as Authenticator apps, and app-based MFA is available on all Office 365 subscriptions starting from Business Essentials.