This guide is for tenants without Azure AD Premium licenses.
Refer to this page if you have Azure AD Premium.
Token2 programmable tokens are a "drop-in" replacement for mobile applications such as Google Authenticator or Token2 Mobile OTP. If you are using Office 365 with Azure MFA protection enabled, you can use our programmable tokens as an alternative to the mobile application method by following the instructions below. Please note that this requires no administrative privileges, and any user can benefit from this method. The only prerequisite is an NFC-enabled device running one of our apps.
Navigate to the MFA setup page and make sure you have the Authenticator app setting enabled.
Click on the "Configure" button. A QR code will be shown on the pop-up page. Click on the "Configure app without notifications" link in order to switch from the default proprietary QR code format (phonefactor) to the standards-based TOTP profile.
Keep this window open and proceed to Step 3 on your mobile device.
Launch the Token2 Burner App on your device. Click on the "Scan QR" button and scan the QR code shown on the configuration page as described in the previous step, or enter the seed manually, or copy and paste it from the screen. Then push the button on the token and hold it close to the NFC antenna of your device. Click on the "burn seed" button. The app should show the "burn seed process succeeded" message if the process is successfully completed.
After the burn process is completed, click Next and proceed with OTP verification. To verify the OTP, click on the "Verify Now" button, and on the next step, enter the OTP code displayed on your token device.
Complete the process by clicking on "Verify".
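As an added illustration (not code from Token2 or Microsoft), the Python sketch below checks that a scanned QR payload is a standards-based `otpauth://` TOTP profile rather than the proprietary format, and computes the RFC 6238 code the token should display once the seed has been burned. Both sample payloads are constructed, the `phonefactor://` scheme string is an assumption based on the format name used above, and the seed is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed samples; the seed is the RFC 6238 test key "12345678901234567890".
SAMPLE_TOTP_QR = ("otpauth://totp/Example:user@example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
SAMPLE_PROPRIETARY_QR = "phonefactor://activate_account?code=000000000"  # assumed shape

def parse_qr_payload(payload):
    """Return the TOTP profile carried by an otpauth:// URI, else raise ValueError."""
    uri = urlparse(payload)
    if uri.scheme != "otpauth":
        # A proprietary payload carries no seed that a TOTP token could store.
        raise ValueError(f"not a TOTP profile (scheme {uri.scheme!r})")
    if uri.netloc != "totp":
        raise ValueError(f"unsupported OTP type {uri.netloc!r}")
    params = {k: v[0] for k, v in parse_qs(uri.query).items()}
    if "secret" not in params:
        raise ValueError("profile has no secret parameter")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    # Seeds are often shown grouped and in lower case; normalise and re-pad.
    seed = params["secret"].replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    try:
        key = base64.b32decode(seed)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("seed is not valid base32") from exc
    return {"label": unquote(uri.path.lstrip("/")), "key": key,
            "algorithm": algorithm,
            "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30))}

def totp(profile, unix_time):
    """RFC 6238 code for the given profile at unix_time (seconds)."""
    counter = struct.pack(">Q", int(unix_time) // profile["period"])
    digestmod = getattr(hashlib, profile["algorithm"].lower())
    digest = hmac.new(profile["key"], counter, digestmod).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** profile["digits"]).zfill(profile["digits"])

if __name__ == "__main__":
    profile = parse_qr_payload(SAMPLE_TOTP_QR)
    print(profile["label"], "expected code now:", totp(profile, time.time()))
    try:
        parse_qr_payload(SAMPLE_PROPRIETARY_QR)
    except ValueError as err:
        print("rejected:", err)
```

A code that differs from the one on the token usually points to a wrong seed or to clock drift on the token; treat any seed you paste into such a script as a credential and clear it afterwards.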
Q. Do I need tenant admin rights in order to use hardware tokens with cloud-hosted Azure MFA?
A. Not for cloud Azure MFA. Token2 programmable tokens fully emulate mobile apps, so they can be enabled (and disabled) by end users themselves.
Q. Can the miniOTP-1 token be reused for another user (i.e. if the previous owner left the company)?
A. Yes. The miniOTP-1 tokens can be reprogrammed an unlimited number of times, so the steps described above can be repeated for any user using any miniOTP-1 device (even a previously owned one).
Q. Why does the burner app crash when I scan the QR code?
A. The QR code shown by default on this page is in Microsoft's proprietary format (phonefactor protocol) and is not compatible with the QR reader component of our app. Please make sure you switch to "Configure app without notifications" mode before scanning the QR code.
Q. Can I use both a hardware and a software token simultaneously?
A. Yes, as long as the "Configure app without notifications" option is maintained. When you see the QR code after clicking "Configure app without notifications", you can scan it using a mobile app (such as Google Authenticator or Token2 Mobile OTP) before continuing with burning the seed on the programmable token.
Q. Can other types of hardware tokens (for example c200) be used with Azure MFA?
A. The on-premises MFA server (Azure MFA Server) supports any TOTP tokens; however, cloud Azure MFA is currently in public preview. Refer to this blog post for more details. It is worth mentioning that the same tokens can easily be reused even after this feature becomes available.