It seems there are two options when it comes to passwords: 1) SSO 2) DIY with a password manager and 2FA ideally with a security key.

SSO is too pricey ($1500 base @ Okta) at the moment and SAAS prices are ever increasing so that leaves us with option 2. Using an authenticator app means using personal phones, which is tricky, and if someone were to lose their phone the replacement cost would be high. So a security key seems better in that regard despite their upfront cost. Plus security keys like yubikey offer the ability to store TOTPs, which is necessary since not all the apps we use provide security keys as a 2FA option.

Did I arrive at the right conclusion on 2FA with security keys or did I miss something?

The other consideration is deployment. Without interrupting workflow, I figured the best way would be to set up all the keys (backup key as well for each employee) on a Friday after work and then 2-day ship them to our remote staff so they’re ready for use when they return to work on Monday. It’s possible we could also do it while they’re on a week-long vacation to save on shipping costs.

  • ramble81
    link
    fedilink
    English
    arrow-up
    10
    ·
    7 months ago

    If you have M365 licenses (forget which level), Entra ID supports OIDC and SAML and you can use its MFA functions. Something to keep in mind if you don’t want to spend money on Okta

    • Godort
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      I also recommend this. EntraID is pretty handy and it was a fairly painless experience to get everyone using the Microsoft authenticator app on their phone for MFA. SSO via a registered app in Azure is just an added bonus.

      Our typical user reaction is something like “Oh, like my banking app?” when we enroll them in MFA