Reply to post:

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

RobinCM

The last thing I want is to have to cart around, keep charged, and generally take care of a second electronic device. Been there, done that, far too much hassle.

I'd be more than happy to use an app on my own phone as long as it doesn't drain the battery significantly, doesn't intrude when I'm not at work, and doesn't use noticeable amounts of data.

E.g. Google Authenticator. Or a text message. Or the Microsoft Authenticator app. I might be tempted by a Yubikey, but I can see that across a large organisation the rate of loss would be significant.

The beauty of allowing staff to use their own phones for MFA/OTP is that they tend to always have them with them, they're always charged, they know how to unlock them, and they tend to take a lot more care of them than a company device.

I'm speaking as somebody who tried a corporate phone and found it a massive pain, and as one of the people who've been managing the devices.

What is a shame is that Active Directory and Windows don't have some kind of MFA/OTP built in from years ago. I've yet to find a solution that I like the look of that works when the endpoint is offline and that is affordable.

Way back in the mid 90s I had skeys (one time passwords) for remote access to Solaris systems.

I doubt Microsoft will be changing their current plan of attack though, i.e. Windows Hello. Although they've got umpteen options for various other things these days, so maybe a simple pluggable authentication module to support a 6 digit code type of OTP will appear. Surely it can't be that difficult?
