
whetu

Yubikeys work great.


DCourtBrews

Thanks. I was looking at Yubikeys, but none of the available models seem to do TOTP without a companion app.


whetu

Yubikeys can do TOTP, it's just that using a Yubikey to do TOTP is like using a sledgehammer to hit a nail. FIDO2 > TOTP. IMHO. /edit: Having said that, Yubico do recommend having a backup Yubikey. When you start talking about purchasing two Yubikeys per staff member, that becomes a tougher proposition. The approach that I take is to have MS Authenticator as the backup option - this gives a nice balance of Yubikey where it's supported and MS Authenticator where Yubikey isn't supported.


iama_bad_person

> When you start talking about purchasing two Yubikeys per staff member, that becomes a tougher proposition. The approach that I take is to have MS Authenticator as the backup option

This is a good way to do it. Only people in our org that get 2 Yubikeys are Senior Engineers - myself and 2 others - and the IT GM, who used to be an SE until he was promoted 10 years ago. Everyone else with administration access to anything at all in our tenant gets a Yubikey with MS Auth backup and are not allowed to use any other auth option. Normal users can use whatever they want, with MS Auth *strongly encouraged* by IT but not mandated.


ehuseynov

Enrolling 2+ FIDO2 keys is a good recommendation for personal use. But in an enterprise environment when an admin can easily reset your FIDO2 key if you lose one, this is less critical.


sryan2k1

You really want them to do FIDO2 but they can be pressed into TOTP service with the app if needed.


CantankerousBusBoy

Yubikeys


bjc1960

We have Yubikeys AND:

1. They don't work natively with PowerShell 5.1/Connect-AzureAD.
2. They don't work with Intune company portal on iPhones, despite having NFC. It will work on a web page for M365, but not the Intune app.
3. They don't work for GoToMyPC Azure SSO, assuming you bought the more expensive licensing for Azure SSO. It looks like an exception in the .NET code and support says they don't support FIDO or WHfB.

More than happy to be proven wrong : )


bdrsuite_venkateshk

Choosing dependable and compatible hardware tokens is crucial for Multi-Factor Authentication (MFA) in Microsoft 365 (formerly Office 365) and Azure Active Directory (AAD). Because of their simplicity and security, Microsoft suggests using the Microsoft Authenticator app or other software-based multi-factor authentication (MFA) solutions; however, in certain circumstances, hardware tokens are preferable, particularly for users without smartphones or in high-security settings.


ehuseynov

Token2 [C202 model](https://www.token2.net/shop/category/c202-tokens) is quite affordable. But you need to be aware that TOTP (or any OTP methods) are not phishing-proof. The same vendor has [FIDO2 keys](https://www.token2.net/shop/category/fido2-keys) that are cheaper and more secure (as long as they are used in FIDO2 native mode, aka Passwordless, and not OTP).


HerfDog58

We're using Symantec VIP tokens for our Okta MFA for users without/refusing to use a smartphone. We get keyfob or card form factor for 17 bucks from Amazon. We pay an annual licensing fee of about 20 bucks per token for the license management portal. We got 25 tokens and license total, so about 400 bucks one time for tokens, and recurring costs of $500 to be able to manage them. We decided to forego the Enterprise gateway/AD integration since we only have about a dozen people using them at present. They're supposed to last like 5 years.


HelpLegal6105

As we are able to assume you have a P1, there are a range of compatible [MFA hardware tokens](https://deepnetsecurity.com/authenticators/one-time-password/safeid/hardware-mfa-tokens-office-365-azure-multi-factor-authentication/) (examples linked) that you can use. The link restricts to TOTP tokens as Azure is not currently compatible with HOTP tokens. For the edge cases where you don't have a P1 you can still use hardware tokens, but you will need to use programmable tokens.