Assuming you use Microsoft Entra ("Azure Active Directory" as was), get your employer to enable the "preview" support for Security Keys. Why is it off by default? Well it's actually secure, and it would never do to provide a feature out of the box that actually works without lots of fiddling about, this is Microsoft, the consultant's friend.
Having found a friendly sysadmin to do this, ask them to specifically not "Enforce key restrictions" which in theory could let your employer require employees to use a specific issued authenticator credential - are they going to buy every employee an authenticator from a named brand? No? Then this must not be switched on, easy.
Once this feature is enabled for you (you may be able to get them to switch it on for the whole org, or maybe for IT or whatever department you work in) you should be able to enrol a new Security Key the same way you'd add other MFA.
So why go to all this bother? Because you can buy a Security Key that works how you want, a physical piece of hardware you own and can re-use - if you buy say the Yubico Security Key 2 in USB A, that goes in your USB A port on the laptop or dock and it just stays there. Its job is to be "Something you have" and the "Something you know" will be a PIN of your choosing (it literally doesn't leave your device, so corporate can't decide it should be the Password Game on steroids).
No need for a phone or other unrelated device, no opening fiddly apps, no transcribing codes, you type your PIN and touch the sensor. If a PIN is too much, some pricier options take fingerprints, so then you just touch the sensor (with the correct finger).
> goes in your USB A port on the laptop or dock and it just stays there
If it's always there, then why isn't it just a file on the disk? Why should I need to buy a new piece of hardware and permanently sacrifice one of my USB ports? Client certs have been the "something you own" for decades and the main problem with them was that using them didn't involve any JavaScript, which is blasphemy in modern web dev and so they were killed (with the help of EU bureaucrats). And now that basically every computer has a TPM, you can even satisfy the "not extractable" requirement, which was the only actual advantage of a YubiKey.
I moved the USB-C YubiKey in my laptop to my Android phone and was able to log in to my M365 calendar/mail/Teams there, so it does work, as long as IT supports it.
Entering multi factor hell just to get into Teams is something I’d happily pay to avoid.