
We are deploying O365 in my company (Teams, Sharepoint, Exchange online, Office suite). In order to connect outside our network (remote workers especially during this pandemic), we've implemented MFA with MS Authenticator and OTP with SMS.

Some users use their professional phones, others their personal ones for MFA, but some do not have professional phones AND don't want to use their personal ones for privacy. Giving them a hard token is an issue for us as it is difficult to manage for logistics and support.

We are thinking about soft tokens in the PC itself. Do you think it is secure enough? What is the risk? If there is a keylogger in the PC, even if the attacker is getting the password and the PIN for the soft token, how can he use it on another PC, as the soft token was enrolled only in the first machine?

schroeder
Will0093
  • There're also open source TOTP android apps [available](https://www.androidauthority.com/best-two-factor-authenticator-apps-904743/) if privacy is the only concern. – defalt Apr 05 '21 at 18:57
  • I congratulate you on your willingness to explore solutions that support your users that choose to use *Android* without *Google Play*. I'll also add that one such open-source password database with builds for all major o/s, [*KeepassXC*](https://keepassxc.org/), [supports TOTP](https://keepassxc.org/docs/#faq-security-totp), as does the open-source [*KeepassDX*](https://www.keepassdx.com/) for *Android*. – brynk Apr 05 '21 at 20:53
  • I work with universities and colleges and run into this problem constantly. I ended up creating a video to help ease concerns and it has worked very well. Where around 10% objected to using personal phones for work MFA, the number dropped to under 1%: https://www.youtube.com/watch?v=lEHhivPJQ5w – schroeder Apr 07 '21 at 07:38
  • Whenever asking "is it secure enough?" you need to say what you want to secure against. You say that you are concerned about keyloggers, but what about full remote control? If someone has access to the PC, then the soft token does not protect the account. But do you care about that? Is that a concern? – schroeder Apr 07 '21 at 07:43
  • @brynk I don't think that's the issue here. It certainly hasn't been in my experience. The concern from employees is simply "work is asking me to use my personal property!". The privacy issue is being private from work, not the app maker. Even using SMS is rejected on these grounds. So, asking them to use another TOTP app would not solve their perceived problem. In fact, when I have suggested using alternative TOTP apps, the responses back have been "but how do we know that this other app is not also collecting data?" – schroeder Apr 07 '21 at 07:46

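Added here as an illustration, not code from the question or its commenters: a minimal RFC 6238 TOTP generator and verifier that shows the two points raised above in running code. The code is a pure function of the seed and the clock, so whoever holds the seed (the enrolled PC, or anything able to read its storage) produces the same codes on any machine, while a keylogged code on its own stops working once its time step passes. The seed is the RFC test-vector key, an assumption for the demo.

```python
# Added example (not from the question or comments): a minimal RFC 6238 TOTP
# implementation used to show why a PC-resident soft token is only as strong as
# the secrecy of its seed. SEED is the RFC 4226/6238 test-vector key, not a real one.
import hashlib
import hmac
import struct

SEED = b"12345678901234567890"  # RFC test-vector seed (constructed input, never reuse)
STEP = 30                       # time-step length in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time alone."""
    return hotp(secret, int(at) // step, digits)


def verify(secret: bytes, code: str, at: float, window: int = 1, step: int = STEP) -> bool:
    """Server-side check accepting the current step and +/- `window` neighbouring steps."""
    now = int(at) // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(now - window, now + window + 1))


if __name__ == "__main__":
    t = 59  # Unix time used in the RFC 6238 test vectors
    # 1. The code depends only on (seed, time): any machine holding the seed
    #    produces the same code, so the seed, not the enrolled PC, is the token.
    print("enrolled PC :", totp(SEED, t))
    print("other host  :", totp(SEED, t))
    # 2. A keylogger that captures only the typed code gets a short-lived value:
    #    it is accepted inside the validity window and rejected afterwards.
    captured = totp(SEED, t)
    print("reuse +15s  :", verify(SEED, captured, t + 15))   # True
    print("reuse +90s  :", verify(SEED, captured, t + 90))   # False
```

The practical consequence for the question: a keylogger alone is bounded by the 30-second window plus the server's tolerance, but malware that can read the seed from the same PC removes the second factor entirely, which is why the token should live somewhere the logging endpoint cannot read.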
0 Answers