It seems there are two options when it comes to passwords: 1) SSO 2) DIY with a password manager and 2FA ideally with a security key.
SSO is too pricey ($1500 base @ Okta) at the moment and SAAS prices are ever increasing so that leaves us with option 2. Using an authenticator app means using personal phones, which is tricky, and if someone were to lose their phone the replacement cost would be high. So a security key seems better in that regard despite their upfront cost. Plus security keys like yubikey offer the ability to store TOTPs, which is necessary since not all the apps we use provide security keys as a 2FA option.
Did I arrive at the right conclusion on 2FA with security keys or did I miss something?
The other consideration is deployment. Without interrupting workflow, I figured the best way would be to set up all the keys (backup key as well for each employee) on a Friday after work and then 2-day ship them to our remote staff so they’re ready for use when they return to work on Monday. It’s possible we could also do it while they’re on a week-long vacation to save on shipping costs.
The replacement cost for user devices isn’t high, for you it’s zero. At most it’s your time helping them reprovision the token. Or to the cost of a temporary other token, which you could keep stocked.
I set up MFA some years ago with yubikeys and authlite to protect AD, it wasn’t that expensive. We also did 365 auth to the Microsoft app on personal phones. We didn’t have any complaints there, but if we did we would have issued a token or something.
Assuming employees don’t leave or expense use of personal devices. I have expensed my burner phone due to 2factor overuse by an employer.
Assuming they replace their own phone you mean? There’s also productivity loss that we’d like to avoid. Temporary token stocked in what way?
I’m not familiar with AD so I’ll have to do some more research into it.
It depends on what you’re protecting and how. The token might be a yubikey or RSA token, for example. Whatever is supported by your MFA product. It could even be an old loaner cell phone with no cell service if the only method is an app.