Enterprise policies are different, and in some cases weird. In this article, we will describe a very unusual problem raised by one of our customers. In a nutshell, the organization does not allow bringing any devices onsite, no smartphones, no mobile phones, and even no hardware tokens are allowed on-premises. At the same time, the organization is using Office 365 services from Microsoft and has enforced multi-factor authentication for all users to be activated.
To address this issue, our research and development team has spent some time and found a solution, which is a paper-based TOTP token. We are hereby presenting the solution, which is available for free (well, if you don't count the paper and ink cost).
Our solution is a web-based tool that generates the list of one-time passwords (OTPs) for an arbitrary seed. The list can be printed out and handed over to the end-users to serve as their second factor for authenticating in Azure AD with multi-factor authentication enabled. To associate this paper TOTP token with a user, you can follow the same procedure as with the regular TOTP tokens.
The procedure is simple, you enter the seed and click on submit to get the list generated. You will get a printable list similar to the one shown below for the next few days. By changing the number of future OTPs you can make the list longer or shorter.