Hello All,
So, our company has been looking to push for wide-spread Two-Factor Authentication for a while, but we’ve been hesitant with some of the ways we operate (some being old school techniques), and we wanted to properly implement it with a plan. However, that is now not the case and we’re basically having to do this on a much quicker time table.
So, our main concern is how, as IT, can we continue setting up computers while not having access to user accounts. We cannot do a ‘ship you the laptop, turn it on, and you get going’. We tend to set up new PCs while the user is using their current PC. But, not having access to that account seems problematic. We use an image for the new devices, but it is only the C:\ drive, not the user account until we add it.
Also, we are looking at a proper 2FA method. We have a hybrid of desktops and laptops, so we can’t rely solely on cameras or fingerprint readers. We are looking at fobs or cards (also some thumbprint dongles). Does anyone have any suggestion of what is out there that they are using and works great? Microsoft just says authenticator app, but we can NOT (under any circumstance) ask our employees to use their personal device for work purposes. As well, not all employees have phones at their desk for a call from an authenticator (like Apple does).
Before falling into a well on Reddit, someone mentioned Auto Pilot with Windows, so I’m going to look into that. But, just looking for some general help and suggestions on the topic.
Thanks in advance!
10 Spice ups
ajason
(aJason)
May 19, 2025, 6:55pm
2
We are in the same boat, and I also need to push 2FA for the users. For the 2FA, I have been researching Yubikeys, because we also will not be requiring our employees to install company software on their personal devices. I have also been using Action1, and plan to use that to push installs to the devices. I have a GPO set up to install the Action1 agent, so that install happens automatically when the computer is connected to the domain.
I am sure that there are others that have more experience with this, but since your situation sounded a lot like what I’m seeing I wanted to chime in. I hope this helps!
5 Spice ups
Rod-IT
(Rod-IT)
May 19, 2025, 6:58pm
3
This may be your choice not to ask this of your users, but 99% of users are happy to do so if it means less disruption and being able to work remotely.
As far as your issue of setting up a laptop to send out, you can mitigate much of this with tools like autopilot (to do the build on their home network), company portal to allow them to download the apps they want, while you force others as mandatory), OneDrive and SPO for personal files and company data. Edge for syncing user favourites to Azure.
You wouldn’t need much in the way of access as IT this way.
Your hardest part, assuming you don’t offer MFA to users on their personal devices, is cost of the tokens and getting them to the users.
TL;DR, Autopilot, company portal, OD and SPO can automate 95% of the setup for the user, the other thing to consider is if these Azure joined devices need to access on-prem systems, then you also need a VPN.
4 Spice ups
It would be the sensible answer, and the user wouldn’t mind. The problem is we can’t suggest it, offer it, speak of it…It’s a whole thing from the higher ups…
Most of our mobile users have company provided cell phones, it’s the in-office people (specifically those without phones) that are the issue.
I’ve looked at Autopilot and with my 5 minutes of knowledge on it, it appears to be the same as our Apple Business Manager and MDM combo we use with our company iPhones and iPads.
I’m sure there’s more to it…
2 Spice ups
matt7863
(m@ttshaw)
May 19, 2025, 8:10pm
5
Background info required - are the PCs domain joined or just local accounts? or AAD/Entra joined?
What do you need MFA for as there are different options that suit different services/accounts.
Do you really need MFA for logging on the PC? If so and you cannot use their personal phones you will need to buy and supply 2factor tokens (think RSA style code fobs).
You will also need a third party integration with the OS for this.
It is rare - usually MFA is for services such as vpn, email, m365, apps etc.
Logging on a PC should only give limited access to data on the device (access to cloud services can be revoked etc).
You can use free password storage apps for free MFA if you just need it for hosted services like M365, Google etc. and apps. Keepass is one that supports various MFA standards such as OTP.
You should not need to login as the user - this should be avoided as it invalidates any role based access and audit trail in place. In a very small environment it can be too complex to automate setup, in these cases it should be recorded that IT are logging in as user - user should be logged out, password changed and then the work undertaken (mfa can be disabled). This way there is a clear audit trail it was IT and not the user.
4 Spice ups
krissypin
(Krissypin)
May 20, 2025, 12:10pm
6
Our PCs are domain joined.
Our cybersecurity insurance is requiring MFA implementation. It seems their concerns are with access to the PCs in general. The big hiccup is when our non-mobile users are working from home. They use their personal computer to VPN into their work desktops. And, again, users with computers but no desk phones.
We’re looking through Microsoft with Autopilot and that, but it looks like you need Intune for Autopilot and you need Entra ID licensing for Intune… but Microsoft Licensing is so…annoying to put it nicely.
I see what you mean with logging in as IT and not the user. Temporarily disabling would work for our side of it, assuming it wasn’t a hassle re-enabling it and the user would have to start from scratch picking a method.
We just need to find a good token/fob.
1 Spice up
I agree with this, to put it in more perspective, what are your higher ups more concerned about, an open conversation with Employees explaining that this is needed for security, or just out of the gate spend money on every user? Yubi-Keys are about $73 minimum so is it going to be 10 users and $700 or 100 and $7K, are they happy to take this out their bonuses as it’s their decision to see how employees feel about installing an app that in most cases they either have installed already or could really benefit from for personal reasons?
You will find that whilst what @Rod-IT said is true that 99% of employees will be happy to do it and that 1% will probably refuse. This is just based on the current employees, new hires that come after the change will see this as the practice every new starter has to do and you won’t find any complaints there.
2 Spice ups
If we do not implement MFA, our insurance premium will be much higher. The higher ups are more willing to bear that cost, than entertain the idea of asking employees to use personal devices for work purposes. I have been told it isn’t an option on the table and to mention it would be “a huge mistake”.
Hence our predicament. If we had that option, life would be SO MUCH SIMPLER!! Use Microsoft authenticator app, good to go. But… the mere suggestion of such a thing is taboo.
I was looking at Yubi-Keys and they are expensive, but it appears the money is there to spend…i assume. If the cost of implementing MFA is too high, they’ll more than likely pay the higher premium.
Regardless of all that, we are still trying to implement MFA, it’s just now we’re under a time crunch and trying to find the best method with fobs/tokens, Windows Hello, or fingerprint USB readers. And trying to figure out Microsoft Licensing… I feel like that’s a job in its own! It’s like a rabbit hole, and I can’t get a license for this ONE thing I want to do, so I have to spend a bunch of money on a license that does 25 things with 24 that I don’t have the time to figure out and use.
This is a conundrum…
1 Spice up
Just to add onto the costs, it’s not just the cost of the premium if you go down that route, it’s the cost of when something happens and the severity of that, whether it is a spam email fired out or complete fallout of the business as MFA hasn’t been implemented. There is also all this time you are putting in right now figuring this out.
I know it may be a wasted point, but just want to give you an extra bullet if the conversation comes up with them. Microsoft Authenticator is not your business’ app, it’s a Microsoft app, and adding a Work account into that app doesn’t put any corporate data onto the user’s device. You may find that some already have it installed as users should be using services such as this to protect their personal accounts.
3 Spice ups
I find Yubikeys are great for admins or superadmin accounts but historically kinda crappy for end-users.
You’ll end up supporting folks who lose their hardware tokens all the time.
Or leave them at the house.
Or left them in their spouse’s car, etc., etc., etc.
Just something to keep in mind - your ongoing support costs for giving everyone a physical hardware token vs. using any auth app will be higher, IMO.
7 Spice ups
“If we do not implement MFA, our insurance premium will be much higher.” This is precisely why, in the smaller organization I worked, we decided against purchasing cyber insurance. Beyond the MFA requirement there were so many ‘requirements’ that either did not apply or were so far from our offerings (being a public library) that it just wasn’t worth the cost. We also figured that the hurdles were way too high, so the chance of getting an insurer to pay out for an incident was going to be nearly nil. I think the problem with cyber insurance, and this is my perspective based on my limited experience investigating it, is that the insurance companies take an all or none approach to it. There didn’t seem to be much tailoring to our specific industry that would make it more affordable, or easier to meet the requirements.
That said, we did implement 2FA for all managers and supervisors and strongly suggested to staff that they should use it too (both at work and home). Instead of enforcing 2FA, we spent more time training staff on why they should adopt it on their own, good password hygiene, phishing attacks, and how to think before you click.
We had a lot of staff pushback against having to use personal devices for work related functions. Couple that with the few staff who did not have smart phones, or who are prone to losing issued items (like door access badges), and you are just setting yourself up for a level of failure in compliance.
Passkeys solve the password authentication issue, which in turn also eliminates the MFA requirement. I don’t know if that is an option for you or not though in your environment.
3 Spice ups
We’ve rolled out passkeys fully internally in our org and it’s honestly a great user experience from my perspective.
2 Spice ups
LegBone
(LegBone)
May 20, 2025, 4:07pm
13
We use a combination of CISCO Duo (syncs with AD) and YubiKey. I give my users the option of using a phone and or the fob.
2 Spice ups
Rolling out 2FA across a mixed environment with legacy workflows is a headache, especially when you can’t depend on personal devices for authenticators.
We’re in a similar boat, and a couple of things helped us. First, on the provisioning side, take a look at Windows Autopilot combined with some zero-touch deployment strategies. You can pre-provision the image, then use enrollment status pages to control what gets applied before the user signs in. It’s not perfect, but better than shipping a raw box and hoping for the best.
For 2FA, we had to avoid personal phones too, so we leaned into hardware-based options like YubiKeys and smart cards. If you’re already imaging devices internally, having a few spare keys to rotate through setup can help bridge the gap when you don’t yet have user access.
Also, not sure if this is useful for your case, but we’ve been experimenting with API-based entropy services like QSE for secure provisioning keys and temporary access tokens. It’s more of a behind-the-scenes security layer, but it’s helped us create stronger trust chains without having to rely on the user’s device early in the setup process.
3 Spice ups
paul2215
(Paul2215)
May 20, 2025, 4:57pm
15
The challenge I have is that the users are not computer savvy. Often when I perform a software upgrade, I’ll log in for the user so that their username appears when they log in. We also perform some maintenance routines that do a better job if logged into the actual client and not as an admin user.
Today, I have secured logs of the users’ passwords so we have no issues logging in as them. Once 2FA is enacted, that option will be lost.
2 Spice ups
krissypin
(Krissypin)
May 20, 2025, 5:12pm
16
This is exactly our scenario! Some troubleshooting, replication, or updates are better done logged in as the user.
Someone above mentioned temporarily disabling MFA to do that, but I just have to iron out what re-enabling looks like.
Our biggest issue is with the people who don’t normally work from home. They use personal computers to log in to the VPN and access their work computer. Without them using their personal device, we’re stuck with a hardware token. I think that’s just where we’re at… Just finding a good brand that will work with Microsoft. Yubikeys seems to be the popular choice, although they are a bit expensive.
LegBone mentioned Cisco Duo, We looked into this before. I’ve been TRYING SO HARD TO REMEMBER THE NAME!! We did a demo and the licensing cost, plus the hardware token cost (including a surplus because users WILL lose them) was outrageous! Mind you, this was like 2-3 years ago…
It seems the consensus is Yubikeys are what works.
1 Spice up
LisaTechy
(LisaTechy)
May 20, 2025, 5:52pm
17
Why would a web-based authenticator not be a solution for your 2FA issue?
The users can access it from their work computers even when they are working at home, and there’s no need for personal devices.
Not looking to toot my own horn here at all, but at 2Faktor.io that is exactly what we offer.
2 Spice ups
dwhipps
(Dwhipps)
May 20, 2025, 6:34pm
18
Since you’re talking all Domain devices - you could leverage Windows Hello at the domain level for no additional costs there. As for your 2nd factor, you most likely could leverage some variation of any/all the suggestion options (I actually think you could leverage either internal or external cameras for facial recognition or fingerprint readers as well) relatively inexpensively. As I recall either of those options would run you less than $40 each when you have to purchase, and some devices may already have suitable hardware present.
Windows Hello is also the ideal solution if the desire is for 2FA at device login since that will secure the login at the hardware level, and neither those two options above nor hardware token keys would be able to authenticate locally.
3 Spice ups
Rod-IT
(Rod-IT)
May 20, 2025, 6:51pm
19
This shouldn’t be allowed, this is a bigger risk than MFA, allowing non-managed endpoints to connect to your network.
A VPN puts a user device on your network, if they have been infected, you have no control over stopping this outside of disconnecting their VPN session, which they can re-enable.
The irony.
They won’t ask them to use their personal mobile for an MFA solution, but are happy to let them use their home PCs to connect to work. I’d bet your cyber insurance company would think twice if they knew this was happening, this is a large red flag.
Perhaps the first step in all of this would be to sit down with them and talk about the bigger picture, not just MFA to satisfy today’s criteria, but the future too.
4 Spice ups
Rod-IT
(Rod-IT)
May 20, 2025, 6:59pm
20
I wouldn’t worry about price.
Krissypin:
LegBone mentioned Cisco Duo, We looked into this before. I’ve been TRYING SO HARD TO REMEMBER THE NAME!! We did a demo and the licensing cost, plus the hardware token cost (including a surplus because users WILL lose them) was outrageous! Mind you, this was like 2-3 years ago…
If anything, they’re likely more expensive now, now that this is becoming the normal, they can add premiums on because they know people want them.
Hence, Microsoft Authenticator being a suggestion, if only for end users, where YubiKeys etc are for admin level protected users.
2 Spice ups